0PricingLogin
Cyber Security Academy · Lesson

Supply Chain Threats

How dependencies become attack vectors.

What Is a Supply Chain Attack

A software supply chain attack compromises an organization not by breaching it directly, but by corrupting something it trusts and consumes: a library, a build tool, a container base image, or an update server.

Because modern software is assembled from hundreds of third-party components, a single poisoned link is inherited by every downstream consumer. The attacker invests once and reaches many victims.

  • Trust inversion — the security boundary moves outside your own code
  • Transitive blast radius — one bad package flows to thousands of builds

The Dependency Iceberg

When you add one direct dependency, you often pull in dozens of transitive ones you never chose. A typical Node or Python app declares a handful of packages but resolves to hundreds.

List the full resolved tree, not just the manifest, to see what you actually ship:

# npm: full resolved dependency tree
npm ls --all

# Python: pinned transitive closure
pip freeze

# count transitive nodes
npm ls --all --parseable | wc -l

All lessons in this course

  1. Supply Chain Threats
  2. Software Bill of Materials (SBOM)
  3. Dependency and Artifact Signing
  4. Securing CI/CD Pipelines
← Back to Cyber Security Academy