What is a Supply Chain Attack?
Turkish: Tedarik Zinciri Saldırısı
A supply chain attack compromises a dependency, tool, build step, or vendor account to reach a target system indirectly.
What is a Supply Chain Attack?
A supply chain attack targets an organization through software, packages, development tools, CI/CD steps, or service providers it already trusts. Examples include taking over an open-source package account, publishing a malicious update, or adding code to a build process that leaks secrets.
This attack type is dangerous because dependencies are often updated automatically and treated as trusted input. npm, PyPI, Docker images, browser extensions, SaaS integrations, and third-party SDKs are all parts of the software supply chain.
Protection Approach
Defense does not come from one tool alone. Lockfiles, version pinning, signed packages, two-factor authentication on maintainer and CI accounts, secret scanning, SBOMs, code review, and separation of production permissions should work together. Vulnerability scanning helps find known issues, but a freshly published malicious version has no advisory yet, so scanners alone will not catch newly added malicious behavior.
A core principle also emphasized by OWASP guidance is to inventory trusted components and make changes traceable. In critical systems, adding a new dependency should require review, and teams should regularly check package maintenance status and download sources.
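The two paragraphs above list controls (lockfiles, exact pinning, integrity hashes, reviewed dependency additions, trusted download sources) and note that install-time code is where a malicious update usually runs. The script below is an added example written for this page, not code from OWASP or any project it mentions: it audits a constructed package.json and npm lockfile (v3 shape, using the real `hasInstallScript`, `resolved` and `integrity` fields) against an approved-dependency baseline and an allowed-registry list. The package names, the baseline set, and the registry host are assumptions chosen for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample manifest and lockfile for this example; not from a real project.
PACKAGE_JSON = """{
  "name": "example-app", "version": "1.0.0",
  "dependencies": {
    "left-pad-ish": "^1.3.0",
    "fast-json-thing": "2.1.4",
    "colorful-logs": "~0.9.0"
  }
}"""

PACKAGE_LOCK = """{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-pad-ish": "^1.3.0", "fast-json-thing": "2.1.4", "colorful-logs": "~0.9.0"}},
    "node_modules/left-pad-ish": {
      "version": "1.3.2",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.2.tgz",
      "integrity": "sha512-AAAAexampleAAAA"
    },
    "node_modules/fast-json-thing": {
      "version": "2.1.4",
      "resolved": "https://registry.npmjs.org/fast-json-thing/-/fast-json-thing-2.1.4.tgz",
      "integrity": "sha512-BBBBexampleBBBB"
    },
    "node_modules/colorful-logs": {
      "version": "0.9.7",
      "resolved": "http://mirror.example.internal/colorful-logs-0.9.7.tgz",
      "hasInstallScript": true
    }
  }
}"""

# Assumed policy inputs: dependencies already reviewed, and the only registry we trust.
APPROVED_DEPENDENCIES = {"left-pad-ish", "fast-json-thing"}
ALLOWED_REGISTRIES = {"registry.npmjs.org"}

RANGE_PREFIXES = ("^", "~", ">", "<", "=", "*", "x")


def is_exact_pin(spec: str) -> bool:
    """True only for a bare dotted version such as 2.1.4.
    Range operators, hyphen ranges, tags, and git/http specs are all rejected."""
    spec = spec.strip()
    if not spec or spec.startswith(RANGE_PREFIXES):
        return False
    if any(ch in spec for ch in " |-:"):
        return False
    return all(part.isdigit() for part in spec.split("."))


def audit_dependencies(package_json: str, lock_json: str,
                       approved: set, allowed_registries: set) -> list:
    """Return (package, rule) findings. Rules emitted:
    new-dependency, unpinned-range, missing-integrity, untrusted-source, install-script."""
    manifest = json.loads(package_json)
    lock = json.loads(lock_json)
    findings = []

    # 1. Manifest checks: every dependency must be on the reviewed baseline and pinned exactly.
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(manifest.get(section, {}))
    for name, spec in sorted(declared.items()):
        if name not in approved:
            findings.append((name, "new-dependency"))
        if not is_exact_pin(spec):
            findings.append((name, "unpinned-range"))

    # 2. Lockfile checks: each resolved package (including transitive ones) needs an
    #    integrity hash, must come over https from an allowed registry, and is flagged
    #    if it runs install-time scripts, which is where a malicious update executes.
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = urlparse(entry.get("resolved", ""))
        if not entry.get("integrity"):
            findings.append((name, "missing-integrity"))
        if resolved.scheme != "https" or (resolved.hostname or "") not in allowed_registries:
            findings.append((name, "untrusted-source"))
        if entry.get("hasInstallScript"):
            findings.append((name, "install-script"))
    return findings


def run_audit() -> list:
    """Run the audit over the constructed sample inputs."""
    return audit_dependencies(PACKAGE_JSON, PACKAGE_LOCK,
                              APPROVED_DEPENDENCIES, ALLOWED_REGISTRIES)


if __name__ == "__main__":
    for package, rule in run_audit():
        print(f"{package}: {rule}")
```

In a CI job this check would run on every pull request that touches the manifest or lockfile and fail the build on any finding, so that adding a dependency or changing where it is downloaded from becomes a reviewed, traceable event rather than a silent side effect of an automatic update.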
Related Terms
Dependency management controls package versions, licenses, compatibility, and security updates across a software project.
OWASP (Open Web Application Security Project)
OWASP is a nonprofit security organization that publishes resources like the OWASP Top 10 to improve web application security.
Vulnerability
A vulnerability is a weakness in software or infrastructure that can enable unauthorized access, data leakage, or outage.