Supply Chain Attacks

The cluster centers on discussions of supply chain attacks in package managers like npm, crates.io, and PyPI, highlighting risks from untrusted third-party dependencies, malicious updates, and the need for auditing tools.

Security: Stable 0.8x
Comments: 3,694
Years Active: 16
Top Authors: 5
Topic ID: #7691

Activity Over Time

Year   Activity
2011   1
2012   3
2013   24
2014   26
2015   29
2016   65
2017   80
2018   125
2019   200
2020   206
2021   484
2022   622
2023   457
2024   473
2025   856
2026   43

Keywords

e.g, JS, CI, adnanthekhan.com, SSH, CD, IDE, PR, docker.com, node.js, supply chain, npm, chain, supply, dependencies, attacks, package, packages, security, attack

Sample Comments

hoppp (Sep 21, 2025)

It can have supply chain attacks like npm... That high quality library system is also a liability.

lsaferite (Sep 27, 2025)

The npm supply chain attacks (or any similar ones) are essentially the same issue described in the article. You can't trust 3rd-party provided code implicitly. Even if the code is initially fine it's subject to change in later revisions. This issue goes all the way down the stack. Obviously, with a large user base the likelihood of quick detection goes up, but the issue never goes away.

Alive-in-2025 (Apr 7, 2025)

Yes. The crucial issue to me is the increasing frequency of attacks where some piece of open source gets an update - leading to endless hidden supply chain attacks. I don't see anything that is going to block this from getting worse and worse. It became a pretty common issue that I first heard about with npm or node.js and their variants, maybe because people update software so much there and have lots of dependencies. I don't see a solution. A single program can have huge numbers of

tompazourek (Nov 4, 2021)

npm audit reports known vulnerabilities, but I think it doesn't help against supply chain attacks, or does it?

goodpoint (Apr 15, 2022)

> It doesn't just download random things.

That's exactly what it does. The developer is not really expected to thoroughly review the codebase of every dependency. Just like JavaScript, all sorts of supply chain attacks are made possible. A single malicious library can sneak into large ecosystems easily.

charlotte-fyi (Mar 9, 2025)

Why would I take anything away beyond the specific scope of the vulnerability to supply chain issues that NPM had? Cargo offers a variety of tools for auditing and managing dependencies that specifically mitigate supply chain issues. If your only suggestion is to not use dependencies at all, that's an extreme opinion.

ChrisArchitect (Dec 18, 2025)

Related: We pwned X, Vercel, Cursor, and Discord through a supply-chain attack https://news.ycombinator.com/item?id=46317098

marcus_holmes (Dec 24, 2021)

This is part of what's broken. If your users aren't examining your code, then they're vulnerable to supply-chain attacks from it.

ashishbijlani (Aug 12, 2022)

Plug: I've been building tooling to easily audit third-party open-source dependencies for supply chain attacks. Packj [1] analyzes Python/NPM/Rubygems packages for several risky code and attributes such as Network/File permissions, expired email domains, etc. Auditing hundreds of direct/transitive dependencies manually is impractical, but Packj can quickly point out if a package accesses sensitive files (e.g., SSH keys), spawns shell, exfiltrates data, is abandoned, lack

flurdy (Feb 11, 2021)

Mostly to avoid a situation like this https://www.bleepingcomputer.com/news/security/researcher-ha... (This week's hack using npm, gems etc. to trick non-Java build tools to not use internal repos but the hacker's compromised packages instead)