Supply Chain Security — Trivia & Interesting Facts
Surprising, historical, and little-known facts about software supply chain security.
The SolarWinds attack compromised 18,000 organizations through a single build pipeline
In December 2020, it was discovered that attackers (attributed to Russian intelligence) had compromised SolarWinds' Orion build system, injecting malware into a software update that was distributed to approximately 18,000 customers. Victims included the US Treasury, Department of Homeland Security, and numerous Fortune 500 companies. The malware (SUNBURST) was present in the build pipeline for months before detection. This single attack reshaped how the entire industry thinks about build security.
The event-stream npm package attack proved that maintainer handoff is a critical risk
In 2018, a new maintainer of the popular event-stream npm package (downloaded 2 million times per week) injected malicious code targeting the Copay Bitcoin wallet. The original maintainer had handed the package over to a stranger because he was burned out from maintaining it for free. This incident revealed that the open-source supply chain depends on unpaid maintainers who can transfer control of critical packages with no oversight.
The xz backdoor in 2024 was the most sophisticated supply chain attack ever discovered
In March 2024, Andres Freund (a Microsoft PostgreSQL developer) accidentally discovered a backdoor in the xz compression library. The attacker, "Jia Tan," had spent over 2 years building trust as a contributor, slowly gaining maintainer status, and then injecting a sophisticated backdoor targeting OpenSSH. The attack was discovered only because Freund noticed SSH logins were 500ms slower than expected and investigated. If not caught, it could have compromised nearly every Linux server on the internet.
Log4Shell (December 2021) affected an estimated 93% of enterprise cloud environments
CVE-2021-44228, discovered in Apache Log4j in December 2021, allowed remote code execution through a crafted string that only had to appear in a log message. The vulnerability was so widespread that the Apache Software Foundation called it "the most critical vulnerability in the history of computing." Because Log4j is a transitive dependency in thousands of Java libraries, many organizations didn't even know they were running it. The remediation effort took months across the industry.
Sigstore was created to make software signing free and automatic
Sigstore, launched by Google, Red Hat, and Purdue University in 2021, provides free code signing and verification infrastructure. Before Sigstore, signing software releases required managing private keys — a burden that most open-source maintainers avoided. Sigstore uses keyless signing with identity-based certificates, making signing as easy as logging in with GitHub. npm, PyPI, and container registries are integrating Sigstore.
SLSA (Supply chain Levels for Software Artifacts) defines four levels of supply chain integrity
SLSA (pronounced "salsa"), created by Google in 2021, defines a framework of increasing supply chain security guarantees. Level 1 requires provenance documentation; Level 2 requires a hosted build platform; Level 3 requires a hardened build platform with source verification; Level 4 (the highest) requires two-person review and hermetic builds. Most organizations are between Level 0 (no security) and Level 1.
Dependency confusion attacks exploit how package managers resolve names
Alex Birsan's 2021 research demonstrated that creating public packages with the same name as private internal packages could trick package managers (npm, pip, RubyGems) into installing the malicious public version. He successfully compromised Apple, Microsoft, PayPal, and 30+ other companies using this technique. The attack worked because package managers defaulted to checking public registries before private ones.
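The defensive counterpart to the resolution problem described above is to check where a lockfile says each package actually came from. This is an added example, not code from the page or from Birsan's research; the organisation (`@acme` scope, `acme-*` package names, `npm.acme.internal` registry host) and the lockfile contents are constructed for illustration.

```python
"""Dependency-confusion check over an npm package-lock.json (lockfileVersion 2/3):
an internal package name that resolves from the public registry, or that carries
no resolved URL / integrity hash, is the symptom of the attack described above."""
import json
from urllib.parse import urlparse

# Hypothetical organisation: one private scope, two unscoped internal names, one private host.
INTERNAL_SCOPES = {"@acme"}
INTERNAL_NAMES = {"acme-billing-utils", "acme-config"}
PRIVATE_REGISTRY_HOST = "npm.acme.internal"

def is_internal(name: str) -> bool:
    scope = name.split("/")[0] if name.startswith("@") else None
    return name in INTERNAL_NAMES or scope in INTERNAL_SCOPES

def find_confused(lock: dict) -> list[tuple[str, str, str]]:
    """Return (name, version, reason) for each internal package not provably from the private registry."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                                  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]    # also handles nested node_modules paths
        if not is_internal(name):
            continue
        version = meta.get("version", "?")
        if not meta.get("resolved") or not meta.get("integrity"):
            findings.append((name, version, "no resolved URL or integrity hash"))
            continue
        host = urlparse(meta["resolved"]).hostname
        if host != PRIVATE_REGISTRY_HOST:
            findings.append((name, version, f"resolved from {host}"))
    return findings

# Constructed lockfile: one correct internal package, one confused, one unpinned, one public.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "billing-service"},
    "node_modules/@acme/auth": {"version": "1.4.0", "integrity": "sha512-constructed",
        "resolved": "https://npm.acme.internal/@acme/auth/-/auth-1.4.0.tgz"},
    "node_modules/acme-billing-utils": {"version": "9.9.9", "integrity": "sha512-constructed",
        "resolved": "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-9.9.9.tgz"},
    "node_modules/acme-config": {"version": "2.0.0"},
    "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-constructed",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}
  }
}""")
if __name__ == "__main__":
    for name, version, reason in find_confused(SAMPLE_LOCK):
        print(f"SUSPECT {name}@{version}: {reason}")
```

Running the check in CI against the committed lockfile catches the confused package before it is installed; the lockfile entry without `resolved`/`integrity` is flagged too, because nothing in it proves where the tarball will be fetched from.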
The average commercial application contains 70-80% open-source code
Synopsys' annual Open Source Security and Risk Analysis (OSSRA) report consistently finds that 70-80% or more of commercial codebases consist of open-source components. This means the security of most commercial software depends on the security practices of unpaid volunteers maintaining thousands of upstream dependencies. The median commercial application contains over 500 open-source dependencies.
SBOMs (Software Bills of Materials) were mandated by US Executive Order in 2021
President Biden's May 2021 Executive Order on Improving the Nation's Cybersecurity mandated that software sold to the US federal government include a Software Bill of Materials (SBOM). SBOMs list every component (and version) in a software product, enabling buyers to assess their exposure to vulnerabilities. The standard formats are SPDX (Linux Foundation) and CycloneDX (OWASP).
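An SBOM is only useful if something walks it. This added example (not from the page, the Executive Order, or either SBOM project) parses a CycloneDX JSON document and reports every component in a known-affected version range together with the dependency path that pulls it in, which is exactly the transitive-dependency visibility the Log4Shell section above describes. The SBOM is constructed; the advisory record for CVE-2021-44228 is encoded by hand from the public affected range, and `com.example/reporting-lib` is a hypothetical library.

```python
"""Walk a CycloneDX JSON SBOM and report components in a known-affected version
range, with the dependency path (root -> ... -> component) that pulls each one in."""
import json, re

# Advisory encoded by hand: CVE-2021-44228 affected log4j-core from 2.0-beta9 up to (not including) 2.15.0.
ADVISORY = {"id": "CVE-2021-44228",
            "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
            "introduced": "2.0-beta9", "fixed": "2.15.0"}

def version_key(v: str) -> tuple:
    """'2.14.1' -> (2,14,1,1,''); '2.0-beta9' -> (2,0,0,0,'beta9'), so a pre-release sorts below its final."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\w+))?", v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, m.group(2)) if m.group(2) else (1, ""))   # pre-release labels compare lexically only

def is_affected(component: dict) -> bool:
    purl = component.get("purl", "")
    if not purl.startswith(ADVISORY["purl_prefix"]):
        return False
    version = purl[len(ADVISORY["purl_prefix"]):].split("?")[0]   # drop purl qualifiers like ?type=jar
    return version_key(ADVISORY["introduced"]) <= version_key(version) < version_key(ADVISORY["fixed"])

def affected_paths(sbom: dict) -> list[list[str]]:
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = []
    def walk(ref, path):
        for child in graph.get(ref, []):
            if child in path:                       # cycle guard
                continue
            if child in comps and is_affected(comps[child]):
                paths.append(path + [child])
            walk(child, path + [child])
    root = sbom["metadata"]["component"]["bom-ref"]
    walk(root, [root])
    return paths

# Constructed SBOM: the app never declares log4j-core; a hypothetical reporting library drags it in.
SAMPLE_SBOM = json.loads("""{
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "type": "application"}},
  "components": [
    {"bom-ref": "reporting", "type": "library", "purl": "pkg:maven/com.example/reporting-lib@3.1.0"},
    {"bom-ref": "log4j-api", "type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"bom-ref": "log4j-core", "type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["reporting", "log4j-api"]},
    {"ref": "reporting", "dependsOn": ["log4j-core", "log4j-api"]}
  ]
}""")
```

`affected_paths(SAMPLE_SBOM)` returns `[["app", "reporting", "log4j-core"]]`: the team sees not just that the vulnerable artifact is present but which direct dependency has to be upgraded or excluded to remove it.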
Container base image vulnerabilities are the #1 source of known CVEs in production
Scanning container images reveals that the base image (Ubuntu, Alpine, Debian) typically contains the most known vulnerabilities — often 50-200 CVEs in a standard base image. Most of these are in libraries the application never uses, but scanners flag them anyway. This has driven the adoption of distroless images (Google), scratch-based builds, and minimal Alpine images to reduce the attack surface.
Reproducible builds prove that source code matches the binary
The Reproducible Builds project aims to ensure that compiling the same source code always produces bit-for-bit identical binaries. Without reproducible builds, you're trusting the build infrastructure — if the build server is compromised (as in SolarWinds), the binary can contain malware even if the source is clean. Debian, Arch Linux, and several other projects have made significant progress toward full reproducibility.
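The usual way a build stops being bit-for-bit reproducible is metadata, not code. This added example (not from the page or the Reproducible Builds project) archives the same constructed two-file source tree from two "checkouts" with different timestamps: the naive archive hashes differently each time, the normalised one does not, which is the property that lets a third party rebuild and compare against a shipped artifact.

```python
"""Two archives of identical source trees, one built the usual way and one with
normalised metadata: only the second hashes identically across builds."""
import hashlib, io, os, tarfile, tempfile

# Constructed source tree; the content is the same in every "checkout".
SOURCES = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}

def checkout(mtime: int) -> str:
    """Write SOURCES into a fresh directory with the given file mtime, simulating a
    clone made on a different day (or on a different build machine)."""
    root = tempfile.mkdtemp()
    for rel, data in SOURCES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return root

def naive_archive(root: str) -> str:
    """Archive as most build scripts do: live mtimes, uid/gid and user names leak in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        tar.add(root, arcname=".")
    return hashlib.sha256(buf.getvalue()).hexdigest()

def reproducible_archive(root: str) -> str:
    """Sorted entry order, fixed mtime (SOURCE_DATE_EPOCH-style), neutral owner and
    mode: every build of the same sources yields the same bytes."""
    def normalise(info: tarfile.TarInfo) -> tarfile.TarInfo:
        info.mtime = 0
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mode = 0o644
        return info
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()                      # os.walk order is filesystem-dependent
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root), recursive=False, filter=normalise)
    return hashlib.sha256(buf.getvalue()).hexdigest()

if __name__ == "__main__":
    a, b = checkout(1_600_000_000), checkout(1_700_000_000)
    print("naive        :", naive_archive(a) == naive_archive(b))                # False
    print("reproducible :", reproducible_archive(a) == reproducible_archive(b))  # True
```

Real toolchains add further sources of drift (compiler build IDs, embedded paths, gzip header timestamps), but the pattern is the same: pin every input the output depends on, then publish the hash so others can rebuild and compare.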