Ever since the Web development ecosystem evolved to the current paradigm of code reuse, companies have placed themselves too close to the abyss. Web supply chain attacks are a real security threat – and one which the enterprise is vastly unprepared for.
The security threats of relying on third-party code are mostly known within the scope of Magecart attacks – which consist of attackers injecting malicious code in third-party scripts to skim credit card details of E-Commerce shoppers. While Magecart is still a growing threat and deserves consideration on its own, too little attention is paid to a very different type of third-party code: npm packages.
Too many dependencies, too large an attack surface
NPM itself tells us that the average web app today contains over enterprise brink global supply chain attack security