What is a software supply-chain attack and how do you defend against it?

A supply-chain attack targets a trusted third-party component — an open-source package, a CI/CD pipeline, a build tool, or a CDN-hosted script — to compromise every downstream consumer without attacking them directly. Rather than breaking into your systems, the attacker poisons something you already trust.

Real examples: the SolarWinds attack (2020) — a build-system compromise distributed malicious updates to 18,000+ organisations; the event-stream npm package — a popular library's maintainer transferred ownership and the new owner added a hidden bitcoin-stealing payload.

Defenses: lock dependency versions with checksums (lock files + Subresource Integrity for CDN scripts); use Dependabot/Renovate with a human review gate; scan for known-malicious packages (Sonatype OSS Index, OpenSSF); pin CI action SHAs (not tag names, which can be moved); generate and verify SBOMs (Software Bills of Materials) so you know exactly what's in your build; and adopt SLSA provenance for critical artifacts to verify they were built from untampered source.