supply-chain attack
termsecuritygovernance & risk
Compromising software by attacking something it depends on, rather than the target directly.
Instead of breaching you, an attacker poisons a library, build tool, or update you trust, and rides it in, as the left-pad fright and several real incidents showed how far dependencies reach. Defences include verifying provenance and pinning what you rely on.
Also known as: supply-chain attack, software supply chain, dependency attack