compromised supply chain

Description

A compromised supply chain occurs when an attacker exploits vulnerabilities in, or injects malicious components into, third-party libraries, tools, or services integrated into an application. For example, the Polyfill.io supply chain attack (CVE-2022-39299) demonstrated how a compromised dependency could propagate malicious behavior, resulting in data theft or unauthorized access.

Remediation

  1. Regularly audit third-party dependencies for known vulnerabilities or compromises.
  2. Use package-locking mechanisms (e.g., lockfiles) to prevent unintended dependency changes.
  3. Verify the source, integrity, and authenticity of dependencies using signature checks or hashes.
  4. Monitor and address alerts from Software Composition Analysis (SCA) tools.
  5. Implement runtime protections to detect unusual behavior from third-party components.
  6. Replace compromised or suspicious components with vetted, secure alternatives.
  7. Follow the principle of least privilege when granting permissions to third-party integrations.
  8. Educate teams on secure supply chain practices.
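As an added illustration of steps 2 and 3 (not code from this page or from Escape), the following Python checks fetched package contents against npm-lockfile-style `integrity` fields (`<algo>-<base64 digest>`); the package names, lockfile entries and file contents are constructed samples.

```python
import base64
import hashlib
import hmac

SUPPORTED_ALGOS = ("sha256", "sha384", "sha512")  # SRI algorithms, weakest to strongest

def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Compute an npm-lockfile-style integrity string: '<algo>-<base64 digest>'."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check data against an integrity field; when it lists several
    space-separated entries, the strongest supported algorithm decides."""
    entries = [e.partition("-") for e in integrity.split()]
    supported = [(a, d) for a, _, d in entries if a in SUPPORTED_ALGOS]
    if not supported:
        return False  # nothing we can verify counts as a failed check
    algo, encoded = max(supported, key=lambda e: SUPPORTED_ALGOS.index(e[0]))
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False  # malformed digest in the lockfile
    return hmac.compare_digest(expected, hashlib.new(algo, data).digest())

def audit_lockfile(lock: dict, fetched: dict) -> dict:
    """Compare fetched package bytes with the lockfile's pinned integrity values.
    Returns a per-package status: 'ok', 'mismatch', 'unpinned' or 'missing'."""
    report = {}
    for name, meta in lock.get("packages", {}).items():
        if name not in fetched:
            report[name] = "missing"
        elif "integrity" not in meta:
            report[name] = "unpinned"  # lockfile entry never pinned a hash
        else:
            report[name] = "ok" if verify_integrity(fetched[name], meta["integrity"]) else "mismatch"
    return report

# Constructed sample data (not real packages or real hashes); the tampered copy
# stands in for a dependency altered after its hash was pinned in the lockfile.
GOOD_SHIM = b"export function polyfill() { return 'original'; }"
TAMPERED_SHIM = b"export function polyfill() { return 'modified after pinning'; }"
SAMPLE_LOCK = {"packages": {
    "node_modules/polyfill-shim": {"version": "1.0.0", "integrity": sri_digest(GOOD_SHIM)},
    "node_modules/unpinned-lib": {"version": "2.1.0"},
    "node_modules/absent-lib": {"version": "0.3.0", "integrity": sri_digest(b"stub")},
}}
FETCHED = {"node_modules/polyfill-shim": TAMPERED_SHIM, "node_modules/unpinned-lib": b"module.exports = {};"}
```

Running `audit_lockfile(SAMPLE_LOCK, FETCHED)` flags the tampered package as a mismatch, the entry without an integrity field as unpinned, and the package that was never fetched as missing.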

Configuration

Identifier: configuration/compromised_supply_chain

Examples

Ignore this check

checks:
  configuration/compromised_supply_chain:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API9:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.2
  • gdpr: Article-32
  • soc2: CC7
  • psd2: Article-96
  • iso27001: A.14.2
  • nist: SP800-161
  • fedramp: SA-12

Classification

  • CWE: 829

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVSS_SCORE: 8.0

References