AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This presentation at OWASP London (June 2025) poses the provocative question: “You secured your code dependencies — is that enough?” Anant Shrivastava, Chief Researcher at Cyfinoid Research, demonstrates that it is not, walking through the full breadth of the software supply chain beyond package managers and SBOMs. The talk covers historical context tracing supply chain trust issues to 1983, global regulatory responses, and a systematic tour of overlooked attack vectors including browser extensions, IDE marketplaces, AI coding agents, Homebrew impersonation, CI/CD systems, container images, dependency caching, bait-and-switch attacks, and rogue maintainers. It concludes with the ATOM framework for holistic supply chain security.
The talk opens by grounding supply chain security in historical and regulatory context. Ken Thompson’s 1983 Turing Award lecture described implanting a compiler backdoor that leaves no trace in source code, inspired by a 1974 MULTICS security evaluation — supply chain trust issues are decades old. ENISA identifies supply chain compromise as a peak threat through 2030. Governments worldwide are responding: the US Executive Order explicitly mentioning SBOM, Japan’s Economic Security Bill, the EU Cyber Resilience Act, UK regulations, and India’s CERT-In SBOM guidelines. This is not going anywhere.
The industry’s collective response, however, has been bare minimum compliance: “If the requirement is 80.0000, we will not do 80.0001.” Organizations are creating SBOMs because the checkbox requires it, but the quality gap between a good SBOM and a compliance-driven one is enormous.
Modern development has amplified the problem. DevOps automation enabled rapid build cycles (40–50 deployments per day), reducing the incentive to maintain dependencies. The statistic is stark: about 80% of code in typical applications consists of import statements — borrowing code from other projects. The npm ecosystem’s is-even and is-odd modules (where one depends on the other) illustrate the cascading dependency problem.
The core argument maps the full developer workflow to show that code dependencies are only one link in a much longer chain. Starting from the developer’s machine: Chrome extensions (33 identified malicious extensions with SSH agent, HTML5 filesystem, Web USB/Bluetooth access), AI coding agents running with full command-line access to curl, wget, brew, apt-get, and even sudo rm -rf, and credentials sitting in well-known paths (~/.aws/credentials, ~/.ssh/id_rsa). The talk demonstrates that what you see is not what you get — servers can serve different content based on user agent, so curl | bash installs may receive different code than what appears in a browser.
Visual Studio Code extensions present a particularly insidious vector: marketplace verification only confirms domain ownership, not extension security. The Open VSX marketplace serving 8M+ developers across Cursor, Windsurf, Google Cloud Shell Editor, and GitLab Web IDE had a CI vulnerability that could have enabled malicious updates to every listed extension. Homebrew impersonation via Google Ads directing users to a near-replica site (brewsh.org) captures admin passwords through a fake install script. Linux package manager hooks (APT pre/post-install, RPM spec scripts) execute arbitrary code during installation. Even opening a Postman collection or cloning a git repository with recursive submodules can trigger code execution.
AI coding agents represent an emerging and particularly concerning vector. Cursor and Copilot rulefiles can be weaponized via hidden Unicode whitespace characters to inject malicious instructions that are invisible to developers but interpreted by the AI agent — prompt injection through steganographic techniques.
CI/CD systems are addressed through the lens of “who watches the watchers?” — SolarWinds was a TeamCity attack. Container images on Docker Hub may have misleading titles, and AMI selection often comes down to size and star ratings rather than provenance. Dependency caching servers (Go module proxy) can be poisoned so that the official source hosts correct software while the cache layer serves malicious versions. Bait-and-switch attacks involve acquiring legitimate open-source projects (WordPress plugins with 300K+ installations) and introducing backdoors.
The defensive framework is captured in the ATOM acronym: Awareness (identify and categorize unknown risks across the full supply chain), Trust but verify (validate every dependency, tool, and service), Ongoing monitoring (continuous security checks for changes and anomalies), Measure and map (build observability to answer concrete questions like “how many systems have log4j.jar?” — IBM famously took 45 days to answer this).
The tooling ecosystem spans multiple categories: extensionauditor.com for Chrome extension organizational review, osquery for SQL-based querying of installed extensions and their permissions, Legitify and OpenSSF SCM Best Practices for GitHub/Actions governance, Zizmor for GitHub Actions security analysis, SafeDep Vet for policy-driven dependency vetting, the Overlay browser extension for aggregating health signals from Snyk Advisor/Debricked/Socket.dev/Deps.dev, and cloud auditing tools including ScoutSuite, Prowler, kube-hunter, kube-bench, Trivy, and Cosign. Established frameworks (SLSA, OWASP SCVS, NIST SSDF, pbom.dev) provide the structural foundation.
curl | bash attack surface is non-trivial — servers detecting user-agent strings can serve clean code to browsers while delivering malicious payloads to piped shell commands
