Supply Chain Attack

A security attack that targets a dependency, vendor or component in the software supply chain rather than the target application directly.

In detail

A supply chain attack compromises a target by attacking a trusted upstream component: an npm package, a third-party library, a build tool plugin, a vendor SDK or a CI/CD system integration. The attacker publishes a malicious version of a package, hijacks a maintainer account or compromises a build system. Downstream applications that install or update the dependency then execute the attacker's code. Notable examples include the npm event-stream incident (2018) and the xz-utils backdoor (2024). The OWASP Top 10 for LLM Applications includes supply chain as a distinct risk category covering model weights, training data and tool libraries.

Why it matters for Australian business

Australian vibe-coded applications often install dozens of npm packages automatically as AI generators scaffold dependencies. Few builders check what those packages do or who maintains them. We include dependency scanning (using tools like npm audit, socket.dev and Snyk) in code audits and recommend pinning dependency versions and reviewing lock files as part of any production deployment. For AI applications the supply chain also includes model providers, embedding services and any tool the agent can call.
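
The pinning and lock-file review recommended above can be partly automated before a deployment. The following is an added example, not code from VibeZero or from any tool named on this page; the package names and lock-file contents are constructed, and treating registry.npmjs.org as the only allowed source is an assumption.

```javascript
// Added example: review package.json and package-lock.json (lockfileVersion 2/3).
// In real use, load both with JSON.parse(fs.readFileSync(path, "utf8")).
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const REGISTRY = "https://registry.npmjs.org/"; // assumption: only allowed source

// Flag manifest entries that are ranges, tags or URLs rather than exact versions.
function findUnpinned(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(spec)) findings.push({ name, issue: "not pinned to an exact version", detail: spec });
    }
  }
  return findings;
}

// Flag lock entries that deserve a human look before deploying.
function reviewLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, symlinks and bundled copies.
    if (!path.includes("node_modules/") || pkg.link || pkg.inBundle) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!(pkg.resolved || "").startsWith(REGISTRY))
      findings.push({ name, issue: "resolved outside the expected registry", detail: pkg.resolved || "(none)" });
    if (!(pkg.integrity || "").startsWith("sha512-"))
      findings.push({ name, issue: "missing or weak integrity hash", detail: pkg.integrity || "(none)" });
    if (pkg.hasInstallScript)
      findings.push({ name, issue: "runs a script at install time", detail: pkg.version });
  }
  return findings;
}

// Constructed sample input (package names, URLs and hashes are placeholders).
const sampleManifest = {
  dependencies: { "example-lib-a": "1.4.2", "example-lib-b": "^2.0.0" },
  devDependencies: { "example-build-plugin": "latest" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib-a": { version: "1.4.2", integrity: "sha512-CONSTRUCTED",
    resolved: "https://registry.npmjs.org/example-lib-a/-/example-lib-a-1.4.2.tgz" },
  "node_modules/example-lib-b": { version: "2.0.3", integrity: "sha1-CONSTRUCTED",
    resolved: "https://example.invalid/example-lib-b-2.0.3.tgz", hasInstallScript: true },
} };

console.log(JSON.stringify([...findUnpinned(sampleManifest), ...reviewLock(sampleLock)], null, 2));
```

Findings from a check like this are prompts for review rather than verdicts: a package with an install script or a private registry URL can be legitimate, but each one should be a decision someone made.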
