supply-chain attack

term

securitygovernance & risk

Compromising software by attacking something it depends on, rather than the target directly.

Instead of breaching you, an attacker poisons a library, build tool, or update you trust, and rides it in, as the left-pad fright and several real incidents showed how far dependencies reach. Defences include verifying provenance and pinning what you rely on.

Also known as: supply-chain attack, software supply chain, dependency attack

All glossary entries