
Netcrook


WIKICROOK

Dependency-chain abuse

An attack pattern where trusted third-party packages become the delivery path for malicious code.

Dependency-chain abuse is an attack pattern in which a trusted third-party package, library, or update path is used as the delivery route for malicious code. Instead of breaking into a target system directly, the attacker goes after the software supply chain that feeds it: a developer installs a lookalike (typosquatted) package, a legitimate upstream dependency or its maintainer account is compromised, or a build tool automatically resolves and pulls in a tainted version that nobody reviewed.

This matters because dependency ecosystems are built on trust and automation. Package managers can execute code at install time (npm lifecycle scripts such as postinstall, or a Python package's setup.py), and that code runs with the privileges of whoever ran the install, typically on a developer laptop or a CI host that holds credentials. In real attacks, dependency-chain abuse has been used to steal SSH keys, cloud tokens, browser data, and cryptocurrency wallet material. Defenses include pinning exact versions and content hashes in a lockfile, verifying package provenance (signatures or build attestations) before trusting an artifact, reviewing every dependency change as carefully as first-party code, disabling install-time scripts where the toolchain allows it, and keeping long-lived secrets out of build environments so that a hostile install step finds little to take. The core risk is simple: a dependency that turns hostile inherits the privileges of every system that installs it.
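The following is an added example, not code from the page or from any particular tool, showing three of the checks above as a pre-install audit a CI job could run over dependency manifests before anything is installed: flag requirements that are not pinned to an exact version with a content hash, flag install-time lifecycle scripts in a package.json, and flag dependency names that are one edit away from an allowlisted name. The sample requirements.txt and package.json are constructed for the example, and the allowlist, the set of lifecycle hooks treated as install-time, and the edit-distance threshold of 1 are assumptions.

```python
"""Pre-install dependency audit (added example). The two manifests below are
constructed inputs; KNOWN_PACKAGES and INSTALL_HOOKS are assumed policy."""
import json
import re

# Constructed pip requirements: one entry is a range, one is pinned without a
# hash, and one is a lookalike name that is otherwise perfectly pinned.
REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
urllib3>=1.26
certifi==2023.7.22
requets==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed package.json that runs a script at install time.
PACKAGE_JSON = """{
  "name": "example-app",
  "scripts": {
    "build": "tsc",
    "postinstall": "node scripts/setup.js"
  },
  "dependencies": {"lodash": "^4.17.21"}
}"""

KNOWN_PACKAGES = {"requests", "urllib3", "certifi", "lodash"}  # assumed allowlist
# npm lifecycle hooks that run during `npm install` (assumed set for this check).
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}


def parse_requirements(text):
    """Join backslash-continued lines; return (name, version_spec, has_hash) tuples."""
    joined = text.replace("\\\n", " ")
    entries = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        m = re.match(r"^([A-Za-z0-9_.\-]+)(.*)$", tokens[0])
        name, spec = m.group(1), m.group(2)
        has_hash = any(t.startswith("--hash=") for t in tokens[1:])
        entries.append((name, spec, has_hash))
    return entries


def unpinned_requirements(text):
    """Names that are not pinned to an exact version with at least one --hash."""
    return [name for name, spec, has_hash in parse_requirements(text)
            if not (spec.startswith("==") and has_hash)]


def install_scripts(package_json_text):
    """Lifecycle scripts the package manager would execute at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(names, known, max_distance=1):
    """Names not on the allowlist that sit within max_distance edits of one that is."""
    hits = {}
    for name in names:
        if name in known:
            continue
        close = [k for k in known if edit_distance(name.lower(), k.lower()) <= max_distance]
        if close:
            hits[name] = sorted(close)
    return hits


def audit(requirements_text, package_json_text, known):
    """Run all three checks and return the findings as one dict."""
    names = [n for n, _, _ in parse_requirements(requirements_text)]
    names += list(json.loads(package_json_text).get("dependencies", {}))
    return {
        "unpinned": unpinned_requirements(requirements_text),
        "install_scripts": install_scripts(package_json_text),
        "lookalikes": lookalike_names(names, known),
    }


if __name__ == "__main__":
    for kind, finding in audit(REQUIREMENTS, PACKAGE_JSON, KNOWN_PACKAGES).items():
        print(f"{kind}: {finding}")
```

Note that the lookalike entry passes the pinning check, which is why the checks are layered rather than relying on any one of them: a typosquatted package can be published with a perfectly valid hash. In practice the pinning check is enforced by the package manager itself (`pip install --require-hashes` refuses anything without a hash, and `npm ci --ignore-scripts` installs only what the lockfile records without running lifecycle scripts); the script here only makes the policy visible in a pull request before those commands run.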
