IBM's 2025 Cost of a Data Breach report found that supply-chain breaches — attacks through compromised third-party software, libraries, or services — cost an average of $4.91M and take 267 days to contain. That is the longest containment time of any attack vector.
Sonatype's 2024 State of the Software Supply Chain report tracked a 156% year-over-year increase in supply-chain attacks on open-source packages. Over 245,000 malicious packages were published to npm, PyPI, and other registries in a single year. Synopsys found that 96% of commercial codebases contain open-source components, and 84% of those codebases had at least one known vulnerability.
Every application we build depends on open-source packages. A typical Node.js application has 1,000-2,000 transitive dependencies. A typical Python application has 100-500. Each one is a trust decision. Each one is a potential attack surface.
How Supply-Chain Attacks Work
Dependency confusion
An attacker publishes a malicious package with the same name as an internal company package to a public registry. The build system picks the public (malicious) version instead of the internal one. The malicious code runs during the build or in production.
Typosquatting
An attacker publishes lodahs (note the typo) next to the legitimate lodash on npm. A developer types the wrong name in npm install. The malicious package executes code that exfiltrates environment variables (which often contain API keys, database credentials, and secrets).
Compromised maintainer
An attacker gains access to a legitimate package maintainer's account and publishes a malicious update. Every downstream application that runs npm update or pip install --upgrade pulls the compromised version. The event-stream attack in 2018 and the ua-parser-js attack in 2021 followed this pattern.
Malicious dependencies
A legitimate-looking package with a plausible name and README is published. It includes a backdoor that activates after a delay or only in production environments (not during testing). 245,000 packages of this type were published in 2024 alone (Sonatype).
What We Do About It
Automated scanning in every pipeline
Every CI/CD pipeline we build includes dependency vulnerability scanning. npm audit for Node.js projects. pip-audit or Snyk for Python. GitHub Dependabot for automated PR creation when vulnerabilities are published.
When we built the current eltexsoft.com, we ran npm audit as part of the security hardening. Found 9 moderate vulnerabilities in transitive dependencies of @astrojs/check and @sanity/cli. Traced each one. Confirmed they were dev-time-only (not present in the production build). Documented the decision. That is the process: scan, trace, decide, document.
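The "trace" step above, as an added example (not eltexsoft's own tooling): it joins the `nodes` paths from `npm audit --json` (npm 7+ format) with the `dev` flag in `package-lock.json` (lockfileVersion 3) to decide whether each finding is dev-time-only or reaches the production build. The lock file and audit output are constructed samples with made-up package names.

```python
import json

# Constructed package-lock.json excerpt (lockfileVersion 3). Keys of "packages"
# are node_modules paths; "dev": true marks packages reachable only through
# devDependencies, which never ship in the production build.
LOCKFILE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {},
    "node_modules/web-framework": {"version": "2.1.0"},
    "node_modules/http-helper": {"version": "1.4.2"},
    "node_modules/site-checker": {"version": "1.0.3", "dev": true},
    "node_modules/tiny-glob": {"version": "0.2.9", "dev": true}
  }
}""")

# Constructed `npm audit --json` excerpt (npm 7+ shape). "nodes" lists the
# node_modules paths where the vulnerable package is actually installed.
AUDIT = json.loads("""{
  "vulnerabilities": {
    "tiny-glob": {"name": "tiny-glob", "severity": "moderate",
                  "isDirect": false, "nodes": ["node_modules/tiny-glob"]},
    "http-helper": {"name": "http-helper", "severity": "high",
                    "isDirect": false, "nodes": ["node_modules/http-helper"]}
  }
}""")


def classify_findings(lockfile: dict, audit: dict) -> dict:
    """Return {package: {"severity": ..., "scope": "dev-only" | "production"}}."""
    packages = lockfile["packages"]
    result = {}
    for name, vuln in audit["vulnerabilities"].items():
        nodes = vuln.get("nodes", [])
        # Dev-only only if every installed copy is flagged dev; a path missing
        # from the lock file is treated as production (fail closed).
        dev_only = bool(nodes) and all(
            packages.get(path, {}).get("dev", False) for path in nodes)
        result[name] = {"severity": vuln["severity"],
                        "scope": "dev-only" if dev_only else "production"}
    return result


def production_findings(lockfile: dict = LOCKFILE, audit: dict = AUDIT) -> list:
    """Names of findings that reach the production build; these cannot be
    accepted on 'dev-time only' grounds and need a fix or a documented risk."""
    return sorted(n for n, r in classify_findings(lockfile, audit).items()
                  if r["scope"] == "production")
```

Run it against the real files with `json.load(open("package-lock.json"))` and the saved output of `npm audit --json`; the "dev-only" entries are the ones that can be documented as accepted, the rest need a fix.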
Lock files are non-negotiable
package-lock.json (Node.js), Pipfile.lock (Python), composer.lock (PHP) are committed to version control. Always. The lock file pins exact versions of every dependency, including transitive ones. Without the lock file, npm install can pull a different version of a package than what was tested. With the lock file, builds are reproducible and any change in dependencies is visible in the diff.
Minimal dependency philosophy
Every dependency is a liability. Before adding a package, we ask: does this save enough development time to justify the ongoing maintenance, upgrade, and security risk? A package that saves 2 hours of coding but adds a 50KB dependency tree with 30 transitive packages is not worth it for trivial functionality.
This does not mean we write everything from scratch. It means we are deliberate about what we import. A cryptography library: use the standard one, do not roll your own. A utility function that left-pads a string: write the 3 lines yourself.
Regular transitive dependency audits
Direct dependencies are visible. Transitive dependencies (the dependencies of your dependencies) are not. A typical node_modules folder contains packages the developer has never heard of. Some of those packages are maintained by a single person. Some have not been updated in 2 years.
Quarterly, we audit the full dependency tree of production applications. Which packages have no recent updates? Which have a single maintainer? Which have known vulnerabilities at any severity? The answers inform decisions about whether to replace, pin, or vendor specific dependencies.
The 267-Day Problem
Supply-chain breaches take 267 days to contain because the compromised code is trusted. It came in through the normal dependency update process. It runs with the same permissions as the application. It often does not trigger security alerts because it is not doing anything obviously malicious — it might exfiltrate data slowly, establish a persistent backdoor, or wait for a trigger condition.
Detection requires: monitoring outbound network connections for unexpected destinations, tracking dependency changes against an approved baseline, and behavioral analysis that identifies when a package does something it has never done before.
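Tracking dependency changes against an approved baseline, and the quarterly full-tree audit described earlier, both start from the same question: what is installed now versus what was reviewed? The following is an added example (not the company's own tooling) that walks a `package-lock.json` (lockfileVersion 3), including nested transitive copies and dev-only packages, and diffs it against a baseline map; both inputs are constructed samples with made-up names.

```python
import json

# Constructed approved baseline: {package: version} as reviewed at the last audit.
BASELINE = {"web-framework": "2.1.0", "http-helper": "1.4.2", "site-checker": "1.0.3"}

# Constructed package-lock.json (lockfileVersion 3) as it looks after an
# unreviewed `npm install`: one bumped version, one new transitive package
# nested under it, and one new dev dependency.
LOCKFILE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {},
    "node_modules/web-framework": {"version": "2.1.0"},
    "node_modules/http-helper": {"version": "1.5.0"},
    "node_modules/http-helper/node_modules/qs-lite": {"version": "0.1.0"},
    "node_modules/site-checker": {"version": "1.0.3", "dev": true},
    "node_modules/color-lib": {"version": "3.0.0", "dev": true}
  }
}""")


def installed_versions(lockfile: dict, include_dev: bool = False) -> dict:
    """Map package name -> version for every package in the installed tree.
    Scoped names (@scope/pkg) and nested copies (a/node_modules/b) are handled;
    if several copies of one name exist, the last path seen wins."""
    versions = {}
    for path, meta in lockfile["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project, not a dependency
        if meta.get("dev") and not include_dev:
            continue
        versions[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return versions


def diff_against_baseline(lockfile: dict, baseline: dict) -> dict:
    """Everything that changed since the baseline was approved. Any non-empty
    entry is a dependency change that should be reviewed before it is merged."""
    current = installed_versions(lockfile, include_dev=True)
    return {
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
        "changed": {n: (baseline[n], current[n]) for n in sorted(baseline)
                    if n in current and current[n] != baseline[n]},
    }
```

In CI, failing the build when the diff is non-empty (unless the baseline file was updated in the same change) is what makes "any change in dependencies is visible" an enforced rule rather than a habit.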
Most organizations do none of this. 84% of commercial codebases have known vulnerabilities in their open-source components (Synopsys). The attack surface is enormous and the monitoring is minimal.
The Engineering Standard
We do not claim to be a security company. We are a software development company that builds with security awareness. Dependency management is part of that awareness.
Every project gets: lock files committed from day one, automated scanning in CI/CD, quarterly dependency audits for production applications, minimal dependency philosophy in architecture decisions, and documentation of every accepted risk.
PropertyRate, HeyTutor, MyFlyRight — each of these has been maintained for years with continuous dependency management. No supply-chain incidents. Not because we are lucky. Because the practices are consistent.
$4.91M is the average cost. 267 days is the average containment time. Those numbers are the cost of not managing dependencies. The cost of managing them is approximately zero — it is just engineering discipline.
Last updated February 16, 2025