Intermediate · Supply Chain Security

Vet open source package maintainer changes before accepting dependency updates

The event-stream (EventStream) npm backdoor of 2018 was introduced after an attacker asked the package's overworked original author for publishing rights, received them, and then shipped a malicious dependency under the trusted package name. The XZ Utils backdoor of 2024 followed roughly two years of patient, legitimate-looking contribution before the attacker was granted the co-maintainer access needed to land the backdoored release, and the original maintainer was pushed toward granting that access by manufactured community pressure from sockpuppet accounts. Review who maintains the packages you depend on, not only what their code does. Monitor critical dependencies for ownership changes: a new maintainer or publisher on the registry record, a release pushed by an account that was not an owner when you last reviewed the package, or a sudden surge of contributions from a new account. Tools such as Socket.dev, Snyk and Deps.dev surface maintainer, provenance and project-health signals that make these changes easier to spot. Treat a package that recently changed hands as an unreviewed dependency until you have looked at what its new owner has published.
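One concrete form of the "monitor for ownership changes" check, as an added example that is not part of the original guide and not any vendor's tool: it compares the npm registry record you saved when you vetted a package against a fresh copy and reports new maintainers and releases published by accounts that were not owners at vetting time. It follows the public npm registry's packument format (the `maintainers` list and the per-version `_npmUser` publisher field); the package name, account names and records below are constructed sample data, so the script runs offline.

```python
"""Flag maintainer and publisher changes in an npm package's registry record.

Added example, not from the original guide and not any vendor's tool. It works
on the npm registry's "packument" JSON (GET https://registry.npmjs.org/<name>),
which carries the current `maintainers` list and, under each entry of
`versions`, the `_npmUser` account that published that version. Everything
below is constructed sample data with fictional account names, so it runs
offline; in practice `vetted` is the packument you saved when you reviewed the
dependency and `current` is a fresh fetch.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class OwnershipReport:
    added_maintainers: List[str] = field(default_factory=list)
    removed_maintainers: List[str] = field(default_factory=list)
    # (version, publisher) for releases pushed by an account that was not a
    # maintainer at the time you vetted the package.
    unvetted_publishers: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        # A removed maintainer alone is not a compromise signal; a new owner or
        # a release from an account you never vetted is.
        return bool(self.added_maintainers or self.unvetted_publishers)


def maintainer_names(packument: dict) -> set:
    return {m["name"] for m in packument.get("maintainers", [])}


def compare_ownership(vetted: dict, current: dict) -> OwnershipReport:
    """Compare the packument you reviewed (vetted) with the one fetched now."""
    vetted_owners = maintainer_names(vetted)
    current_owners = maintainer_names(current)
    report = OwnershipReport(
        added_maintainers=sorted(current_owners - vetted_owners),
        removed_maintainers=sorted(vetted_owners - current_owners),
    )
    already_reviewed = set(vetted.get("versions", {}))
    for version, meta in current.get("versions", {}).items():
        if version in already_reviewed:
            continue  # this release existed when you vetted the package
        publisher = meta.get("_npmUser", {}).get("name", "<unknown>")
        if publisher not in vetted_owners:
            report.unvetted_publishers.append((version, publisher))
    return report


# Constructed sample packuments (fictional package and accounts).
VETTED = {
    "name": "example-stream",
    "maintainers": [{"name": "original-author", "email": "oa@example.invalid"}],
    "versions": {
        "3.3.4": {"_npmUser": {"name": "original-author"}},
    },
}
CURRENT = {
    "name": "example-stream",
    "maintainers": [
        {"name": "original-author", "email": "oa@example.invalid"},
        {"name": "new-volunteer", "email": "nv@example.invalid"},
    ],
    "versions": {
        "3.3.4": {"_npmUser": {"name": "original-author"}},
        "3.3.5": {"_npmUser": {"name": "original-author"}},
        # Published by the newly added account: the event-stream pattern.
        "3.3.6": {"_npmUser": {"name": "new-volunteer"}},
    },
}


if __name__ == "__main__":
    r = compare_ownership(VETTED, CURRENT)
    print("added maintainers:", r.added_maintainers)
    print("releases by unvetted accounts:", r.unvetted_publishers)
    print("needs review:", r.needs_review)
```

Run it periodically against the packuments of your critical dependencies and gate the dependency-update pull request on `needs_review` being false, or route it to a human when it is true. The check deliberately does not treat a removed maintainer as alarming on its own; a hand-off is only a problem when the new owner starts publishing.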

Tags

open source · maintainer vetting · XZ Utils · EventStream · dependency governance

More in Supply Chain Security

intermediate · featured

Pin dependencies to exact versions with hash verification in all production lockfiles

npm install with no lockfile resolves each semver range to the newest version that satisfies it, and pip install with an unpinned requirement takes the latest release: either way, the version you get is whatever the registry holds at install time, which could be a compromised release uploaded minutes ago. The PyPI typosquatting campaigns uploaded hundreds of packages with names nearly identical to popular libraries; reviewing the name and source once, when a dependency is first added, and then freezing exactly that choice is what stops later drift from undoing the review. Exact-version pinning prevents silent upgrades to a newer, possibly compromised release. Hash verification (pip records a sha256 digest per file with --hash=; package-lock.json records an SRI integrity string, typically sha512, per package) ensures the artifact installed in production is byte-for-byte identical to what you tested, regardless of what the registry now serves under that version number. Use npm ci rather than npm install in CI/CD: it installs exactly what package-lock.json specifies, checks every integrity hash, and fails if package.json and the lockfile disagree instead of quietly rewriting the lockfile. For Python, generate hashes with pip-compile --generate-hashes (pip-tools) and install with pip install --require-hashes -r requirements.txt, which refuses any requirement, transitive ones included, that lacks a hash. Pinning freezes a version you reviewed; it does not make that version safe, so bumps to pinned dependencies still need a review step.
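What the hash check actually buys you, as an added example that is not part of the original guide and not pip's own code: a small verifier with the same semantics as `pip install --require-hashes`, run against a requirements entry and two artifacts that share a version number but differ by one byte. The package name `examplepkg`, the requirements text and the artifact bytes are constructed here so the example runs offline.

```python
"""Verify a downloaded artifact against the hashes recorded in a pip-style
requirements file, the way `pip install --require-hashes` does.

Added example, not from the original guide and not pip's own code. The
requirements text and the "downloaded" artifact bytes are constructed in this
file so it runs offline; the package name "examplepkg" is fictional.
"""
import hashlib
import re

# One requirement may carry several --hash options (e.g. one per wheel/sdist).
_REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
_HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def parse_requirements(text: str) -> dict:
    """Return {name: {"version": ..., "hashes": {(algo, digest), ...}}}.

    Handles pip's backslash line continuations. Raises ValueError if any
    requirement lacks a hash, mirroring --require-hashes, which refuses to
    proceed rather than silently installing an unverified package.
    """
    reqs = {}
    # Join continuation lines, then process one logical requirement at a time.
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.strip()
        if not logical or logical.startswith("#"):
            continue
        m = _REQ_LINE.match(logical)
        if not m:
            raise ValueError(f"not an exact pin (name==version): {logical!r}")
        hashes = {(h["algo"], h["digest"]) for h in _HASH_OPT.finditer(logical)}
        if not hashes:
            raise ValueError(f"{m['name']}: no --hash given; refusing (require-hashes)")
        reqs[m["name"].lower()] = {"version": m["version"], "hashes": hashes}
    return reqs


def verify_artifact(name: str, data: bytes, reqs: dict) -> bool:
    """True only if `data` matches one of the hashes recorded for `name`."""
    entry = reqs.get(name.lower())
    if entry is None:
        return False  # not in the lockfile at all: do not install it
    for algo, digest in entry["hashes"]:
        if hashlib.new(algo, data).hexdigest() == digest:
            return True
    return False


# Constructed stand-in for the wheel bytes you tested against.
TESTED_WHEEL = b"PK\x03\x04 constructed examplepkg-1.4.2 wheel contents"
# Same version number, one byte different: what a re-uploaded or
# mirror-swapped file looks like from the version pin's point of view.
TAMPERED_WHEEL = TESTED_WHEEL.replace(b"contents", b"content!")

REQUIREMENTS = (
    "# constructed requirements.txt, as pip-compile --generate-hashes would write it\n"
    "examplepkg==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(TESTED_WHEEL).hexdigest()}\n"
)
# Exact version but no hash: a version pin alone passes, require-hashes rejects it.
UNPINNED = "examplepkg==1.4.2\n"


def demo() -> dict:
    reqs = parse_requirements(REQUIREMENTS)
    results = {
        "tested_ok": verify_artifact("examplepkg", TESTED_WHEEL, reqs),
        "tampered_ok": verify_artifact("examplepkg", TAMPERED_WHEEL, reqs),
    }
    try:
        parse_requirements(UNPINNED)
        results["unhashed_rejected"] = False
    except ValueError:
        results["unhashed_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())  # {'tested_ok': True, 'tampered_ok': False, 'unhashed_rejected': True}
```

The tampered artifact carries the same name and version as the tested one, so a plain `==1.4.2` pin would accept it; only the recorded digest distinguishes them. The parser refusing an unhashed requirement is the important failure mode: under `--require-hashes` an omission is an error, not a downgrade to unverified installation.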

See: PyPI Typosquatting · Supply Chain Security
intermediate

Pin GitHub Actions to specific commit SHAs, never to floating version tags

GitHub Actions version tags (uses: actions/checkout@v4) are mutable: the action maintainer can move what v4 points to at any time, and so can anyone who compromises the maintainer's account or repository. The tj-actions/changed-files breach of March 2025 demonstrated this: the attacker retroactively repointed the action's existing version tags at a malicious commit that dumped CI secrets into build logs, and every workflow referencing a tag, an estimated 23,000 repositories, picked up the malicious code on its next run without any change on their side. Pin actions to the full 40-character commit SHA you have reviewed (uses: actions/checkout@<full-sha> # v4.x.y, with the human-readable version kept in a trailing comment). A commit SHA cannot be retargeted the way a tag or branch can. Use Dependabot or Renovate to open pull requests when a pinned SHA should move, so updates arrive as reviewable diffs with the version comment kept in sync. Check the pinned action's own uses: lines too: a pinned composite action that references another action by tag reintroduces the mutability one level down.
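A linter for the rule above, as an added example that is not part of the original guide or of any GitHub tooling: it scans workflow text for `uses:` references and reports every remote action whose ref is not a full 40-hex commit SHA. The workflow below is a constructed sample (the 40-hex value in it is a placeholder, not a real commit), and the regex approach is a deliberate simplification that avoids a YAML dependency while covering the `owner/repo@ref` and `owner/repo/path@ref` forms.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not from the original guide and not GitHub's or Dependabot's
code. The workflow text below is a constructed sample, not a real repository's
file, and its 40-hex SHA is a placeholder. Local (`./...`) and `docker://`
references have no git ref to pin, so they are classified separately rather
than reported as floating.
"""
import re
from typing import List, Tuple

_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'pinned', 'floating' or 'unpinnable' for one uses: value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "unpinnable"  # local action or container image: no git ref here
    if "@" not in ref:
        return "floating"    # no ref at all; GitHub rejects this, treat as unpinned
    _, _, git_ref = ref.rpartition("@")
    # Tags, branches and abbreviated SHAs all count as floating: only a full
    # 40-character SHA cannot be retargeted.
    return "pinned" if _FULL_SHA.match(git_ref) else "floating"


def find_floating_actions(workflow_yaml: str) -> List[Tuple[int, str]]:
    """(line number, uses value) for every action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = _USES.match(line)
        if m and classify_ref(m["ref"]) == "floating":
            findings.append((lineno, m["ref"]))
    return findings


# Constructed sample workflow; the SHA on the setup-node line is a placeholder.
SAMPLE_WORKFLOW = """\
# constructed sample workflow, not a real repository's file
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2 (placeholder SHA)
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "example/other-action@v1.2.3"
      - run: npm ci
"""


if __name__ == "__main__":
    for lineno, ref in find_floating_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

To replace a tag with the SHA it currently resolves to, `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` prints the object the tag points at; for annotated tags take the peeled `^{}` line, which is the commit, not the tag object. Review that commit's diff before pinning it, then let Dependabot or Renovate propose the next move.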

See: GitHub Actions tj-actions Breach · Supply Chain Security
advanced

Treat your build environment as production — harden it with the same controls

The CCleaner backdoor (2017), the 3CX supply chain attack (2023) and the ASUS ShadowHammer operation (2019) shared the same root cause: attackers compromised the build server or a developer machine that produced the final software, so the malicious code was compiled and signed exactly like the legitimate product and passed every downstream signature check. The build environment is where clean source becomes signed binaries and where your code-signing trust is exercised; whoever controls it controls what you ship. Harden build systems as you would production: restrict access to the minimum set of people and service identities, use ephemeral build environments created from a known image and destroyed after each build so an implant cannot persist between builds, require MFA for all access, keep code-signing keys off the builder itself (an HSM or signing service the build calls) and audit-log every access and every build, and isolate build networks from general corporate networks so a compromised workstation cannot reach the builder. Reproducible builds, where an independent second build must produce the same bytes, turn a tampered builder into a detectable mismatch rather than a silent compromise. A compromise of your build environment is a compromise of every piece of software you ship.

See: CCleaner Backdoor · Supply Chain Security