Supply Chain Compromise

Adversaries may modify or manipulate the upstream software supply chain, inserting malicious components without directly attacking the final environment. This can involve compromising code repositories, build servers, or package distribution systems so that legitimate software updates come bundled with a hidden payload. As a result, users unknowingly install and deploy trojanized binaries or libraries that automatically grant attackers initial access.

In a cloud setting, supply chain attacks are especially dangerous: container images, serverless functions, and auto-scaling microservices frequently pull fresh builds from remote repositories. Once a supply chain is compromised, new deployments effectively reintroduce the attacker's code. Organizations frequently discover these breaches well after large-scale propagation, making remediation substantially more difficult and time-consuming.

Detection

| ID | Data Source | Detection |
| --- | --- | --- |
| DS0021 | Code Repository | Alert on force-pushes or branch deletions in protected branches and commits signed by unknown GPG keys. |
| DS0050 | Package Registry | Detect package versions published outside business hours or by new tokens, with SHA mismatch against CI build artifacts. |
| DS0015 | Application Log | Compare build-system logs to manifest lockfiles, and raise alerts when dependency trees differ from reproducible build expectations. |
| DS0030 | Cloud Service Metadata | Monitor CI/CD IAM role usage for unusual regions/IPs or API calls outside build windows. |
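
The DS0050 rule can be expressed as a small triage function. This is an added example, not code from the original page: the package name, token ids, event layout, business-hours window and severity split are all assumptions, and the sample events are constructed.

```python
import hashlib
from datetime import datetime, timezone

BUSINESS_HOURS = range(8, 18)       # assumption: 08:00-17:59 UTC, Monday-Friday
KNOWN_TOKENS = {"tok-ci-release"}   # assumption: token ids that have published before

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CI records: (package, version) -> SHA-256 the build job produced.
CI_ARTIFACTS = {
    ("acme-utils", "1.4.0"): digest(b"acme-utils 1.4.0 from CI"),
    ("acme-utils", "1.4.1"): digest(b"acme-utils 1.4.1 from CI"),
}

# Constructed registry publish events: (package, version, time, token, digest).
PUBLISH_EVENTS = [
    ("acme-utils", "1.4.0", "2024-03-05T10:15:00+00:00", "tok-ci-release",
     digest(b"acme-utils 1.4.0 from CI")),
    ("acme-utils", "1.4.1", "2024-03-09T02:40:00+00:00", "tok-7f3a",
     digest(b"acme-utils 1.4.1 repacked elsewhere")),
    ("acme-utils", "1.4.2", "2024-03-12T11:00:00+00:00", "tok-ci-release",
     digest(b"acme-utils 1.4.2 never built by CI")),
]

def reasons_for(event, ci_artifacts=CI_ARTIFACTS, known_tokens=KNOWN_TOKENS):
    """Return the list of rule hits for one publish event (empty = clean)."""
    package, version, published_at, token_id, sha256 = event
    hits = []
    ts = datetime.fromisoformat(published_at).astimezone(timezone.utc)
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        hits.append("outside_business_hours")
    if token_id not in known_tokens:
        hits.append("new_token")
    expected = ci_artifacts.get((package, version))
    if expected is None:
        hits.append("no_ci_artifact")   # nothing to compare against: fail closed
    elif expected != sha256:
        hits.append("sha_mismatch")
    return hits

def triage(events):
    """Digest problems rate 'high'; timing or token hits alone rate 'low'."""
    alerts = []
    for event in events:
        if hits := reasons_for(event):
            high = {"sha_mismatch", "no_ci_artifact"} & set(hits)
            alerts.append((f"{event[0]}=={event[1]}", "high" if high else "low", hits))
    return alerts
```

Calling `triage(PUBLISH_EVENTS)` returns two alerts: version 1.4.1 hits all three conditions, and version 1.4.2 is flagged because no CI artifact exists to compare against.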

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1045 | Code Signing | Enforce provenance attestations and verify in-package signatures during deploy. |
| M1051 | Update Software | Automate dependency tracking (SBOM) and alert on unpinned or transitive-version drift. |
| M1027 | Patch Management | Apply emergency rebuild and redeploy procedures when upstream repos are compromised. |
| M1013 | Application Developer Guidance | Adopt dual-maintainer review and mandatory CI checks for every upstream dependency change. |
| MA0010 | Runtime Malicious Package Execution Prevention | TODO |