TechnologyUK NCSC

Software supply chain attacks: check your dependencies

Widely used platforms and ecosystems enable developers to develop, collaborate, and reuse software at a global scale. This allows teams to build software faster and reuse widely trusted components that are secure, reliable, and maintainable. But these ecosystems also create an increasingly complex set of dependencies. A single application may rely on a large number of third-party packages – including libraries, frameworks, snippets, software development kits, and others. Some of these will be less trustworthy than others.

As an example, Node.js, Rust, and Python are unusually exposed as they have minimal standard libraries. This increases the use of third-party dependencies, the delegation of basic functionalities, and results in a heavy reliance on external registries.

Moreover, many of these components are retrieved automatically through continuous integration and continuous delivery (CI/CD) pipelines, often without human intervention.

It is this combination of automation, trust, and scale that means that malicious code introduced into a single package can spread rapidly across many organizations and services before detection.

Source: UK NCSC (Cyber) (4 June 2026)

Related Articles

Back to top button