A03 / Software Supply Chain Failures — OWASP Top 10
A03
OWASP Top 10 · 2025
Software Supply Chain Failures
One compromised dependency, six layers deep. Your code is only as safe as what it imports.
// xz utils — 2024 — a two-year operation

In March 2024, a Microsoft engineer named Andres Freund noticed that SSH logins on his Debian machine were taking 500ms longer than usual. He traced the latency to xz Utils, a compression library he hadn't touched. What he found was a backdoor — planted by a contributor who had spent two years building trust in the project. The backdoor would have given attackers remote code execution on most Linux servers. It was days away from shipping in stable Debian and Ubuntu releases. CVE-2024-3094 received a CVSS score of 10.0 — the maximum.

Nov '21: Jia Tan starts contributing
'22–'23: Gains maintainer trust
Feb '24: Backdoor inserted
Mar '24: Pushed to distros
Mar 28: 500ms latency noticed
Mar 29: CVE published
// classify the attack

The backdoor passed code review. It had a valid commit history. The tests passed. What made it nearly undetectable?

🔒 Encrypted payload
The malicious code was encrypted so reviewers couldn't read it.
🔧 Build process injection
The backdoor lived in the build scripts, not the source code. git diff showed nothing.
🕳️ Zero-day exploit
It exploited a previously unknown vulnerability in SSH.
📦 Too small to audit
The library was too obscure for anyone to review.
// find the supply chain failure

A Node.js project's CI pipeline. One practice in this config makes the project vulnerable to supply chain attacks.

ci.yml + package.json
// attack chain — the xz backdoor path

The backdoor reached SSH authentication through a chain of six links. Each one was a legitimate system component — the attacker just needed to compromise the first link.

Gate your pipeline. Verify everything.


Supply chain security isn't one fix. It's a set of practices: audit in CI, lock dependencies, pin actions by commit hash, verify integrity. Important nuance: standard scanning (SCA, Dependabot) catches the vast majority of supply chain risk — known-vulnerable packages, the 95%. But xz-class attacks — patient, trusted-maintainer backdoors hidden in build artifacts — evade all standard tooling. xz was caught by luck, not by scanning. For the exotic 5%, you need additional defenses: minimize dependencies, scrutinize ownership changes, and invest in build reproducibility.

🎯 the one habit

Before adding a dependency, ask: do I need this? Run the audit in CI. Update regularly. The boring hygiene retires 95% of supply chain risk.

// knowledge check
1 / 3

A critical CVE has existed in a transitive dependency for 2 years. Your team never installed this package directly. Who is accountable for the risk?

A — The package author who wrote the vulnerable code
B — The registry (npm/PyPI) that hosts the package
C — You — you ship it, you own it, including transitives
// knowledge check
2 / 3

What is the key difference between npm install and npm ci?

A — npm ci is faster because it skips security checks
B — npm ci uses the lockfile exactly and fails if it doesn't match package.json
C — npm ci only installs production dependencies
// knowledge check
3 / 3

In 2025, OWASP replaced "Vulnerable and Outdated Components" with "Software Supply Chain Failures" and moved it to #3. What does the expanded scope now include beyond just CVEs in libraries?

A — Only npm and PyPI package vulnerabilities
B — Build system compromises, CI/CD pipeline integrity, distribution infrastructure, and dependency trust
C — Container image scanning and Kubernetes misconfigurations
// self-check complete

// the mental model

carry this into your next dependency update

You own every line of code in your dependency tree — including the ones you didn't write, didn't choose, and didn't audit.

A03 · Software Supply Chain Failures
Scope in 2025
New category · #1 in community survey · build + CI/CD + distribution
A03 is new in 2025 — expanded from 2021's "Vulnerable and Outdated Components." 50% of community respondents voted it their #1 concern. Despite having only 5 mapped CWEs, it has the highest average weighted exploit and impact scores of any category. The scope now covers the entire supply chain: dependencies, build systems, CI/CD pipelines, and distribution infrastructure. Key incidents: xz Utils (2024), Bybit $1.5B theft (2025), Shai-Hulud npm worm (2025). A03 vs A08: A03 = consuming a compromised dependency (xz Utils). A08 = your own build/signing pipeline producing compromised output (3CX). The 3CX incident spans both — it started as A03 (a compromised upstream download) and became A08 (their own build servers producing malicious, validly-signed software).
First fix
Gate CI on npm audit --audit-level=high — fail the build
The single most impactful change: add npm audit --audit-level=high (or pip-audit, go mod verify) to your CI pipeline and fail the build on high-severity findings. Everything else — Dependabot, SBOM, lockfile pinning — builds on top of that baseline. Without the CI gate, the rest is advisory.
Defence in depth
Lockfile integrity · pinned actions · SLSA provenance · SBOM
Use npm ci instead of npm install in CI — it uses the lockfile exactly and fails if it doesn't match. Pin GitHub Actions to commit hashes, not mutable tags. Generate an SBOM for production deployments. Enable Dependabot or Renovate for automated update PRs. For critical projects, adopt SLSA provenance to create a verifiable link between binary and source.

// check your supply chain today

Five things you can verify right now. Most take under five minutes.

Run your audit tool
npm audit · pip-audit · go mod verify — what comes back?
CI audit gate
Does your pipeline fail the build on critical CVEs? Check right now.
Lockfile freshness
When was your lockfile last regenerated? Is it committed to the repo?
GitHub Actions pinning
Are your actions using commit hashes or mutable tags like @v3?
Dependency update process
Is Dependabot/Renovate enabled? Are the PRs being reviewed or ignored?
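
Three of the checks named under "First fix", "Defence in depth" and the list above (actions pinned to commit hashes, npm ci rather than npm install, an npm audit step that can fail the build) written as a small workflow linter. This is an added example, not code from the original page; the two sample workflows, the placeholder commit SHA and the name lint_workflow are constructed for illustration.

```python
import re

# Constructed sample workflows, not taken from the original page. The 40-hex
# ref below is a placeholder, not a real commit of actions/checkout.
WEAK = """\
steps:
  - uses: actions/checkout@v3
  - run: npm install
  - run: npm test
"""
HARDENED = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder
  - run: npm ci
  - run: npm audit --audit-level=high
  - run: npm test
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
INSTALL = re.compile(r"\bnpm (install|i)\b")
AUDIT = re.compile(r"\bnpm audit\b(?! fix)")


def lint_workflow(text):
    """Return 'code: detail' findings for one workflow file's text."""
    findings = []
    for ref in USES.findall(text):
        # Local (./) and docker:// references are not git refs; out of scope.
        if ref.startswith(("./", "docker://")):
            continue
        if not FULL_SHA.fullmatch(ref.partition("@")[2]):
            findings.append(f"mutable-action-ref: {ref}")
    gated = False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop YAML comments
        # npm ci installs exactly what the lockfile says; npm install does not.
        if INSTALL.search(line):
            findings.append(f"non-locked-install: {line}")
        # An audit step only gates the build if its exit code is not discarded.
        if AUDIT.search(line) and "|| true" not in line \
                and "--audit-level=none" not in line:
            gated = True
    if not gated:
        findings.append("missing-audit-gate: no failing npm audit step")
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_workflow(wf))
```

The linter reads the file line by line, so it also sees commands inside multi-line run blocks; it does not look at continue-on-error or other ways of discarding a step's exit code.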