A supply-chain vulnerability is a flaw in shared software, libraries, build tools, or automation that can be inherited by many downstream projects. Because modern development reuses packages, CI/CD pipelines, and third-party actions, one weak component can expose a large number of applications, even when their own code is well written.
This matters in cyber security because attackers often target the trusted parts of the chain instead of each victim directly. Common examples include compromised dependencies, unsafe build scripts, poisoned update channels, and workflow automation that executes untrusted input with excessive permissions. Defenders reduce this risk by using least privilege, pinning versions, verifying signatures, isolating build jobs, and reviewing any system that turns external events, such as repository comments or pull requests, into executable actions.



