Skip to main content

Free 30-min security demo  — We'll scan your real code and show live findings, no commitment Book Now

Offensive360
Academy Supply Chain Attacks
Advanced · 25 min

Supply Chain Attacks

Study SolarWinds, XZ Utils, and build tool compromises to understand SLSA framework and build provenance.

1 Real-World Supply Chain Attack Patterns

Supply chain attacks compromise software at the build or distribution stage rather than attacking the end target directly. They are among the most impactful attacks because one compromise affects thousands of downstream users.

SolarWinds (2020):

  • Attackers compromised the SolarWinds Orion build pipeline
  • Malicious code was injected into the official signed update package
  • 18,000+ organizations installed the backdoored software
  • Victims included US government agencies, security firms

XZ Utils backdoor (2024):

  • Attacker "Jia Tan" spent 2 years gaining trust as a project maintainer
  • Injected a sophisticated backdoor into the XZ compression library
  • Targeted SSH authentication in systemd-linked sshd
  • Detected by chance before widespread deployment

Build tool compromises:

  • Codecov bash uploader modified (April 2021) — exfiltrated CI environment variables
  • event-stream npm package: maintainership transferred, malicious code added

2 SLSA Framework and Build Provenance

The SLSA (Supply-chain Levels for Software Artifacts) framework defines security levels for build integrity and provenance.

SLSA Levels:

  • Level 1: Provenance exists (build process documented)
  • Level 2: Provenance is authenticated (signed by build system)
  • Level 3: Provenance non-falsifiable (build service generates provenance, not the build script)
  • Level 4: Reproducible builds (two independent builds produce identical artifacts)

Generate SLSA provenance with GitHub Actions:

jobs:
  build:
    permissions:
      id-token: write  # For OIDC signing
      contents: read
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/
          # Generates signed SLSA provenance attestation

Defense checklist:

  • Use pinned action SHAs (not tags) in CI workflows
  • Implement code review requirements — no single maintainer can push
  • Generate and publish SLSA provenance for releases
  • Use reproducible builds where possible
  • Monitor dependency maintainer changes (OpenSSF Scorecard)
  • Perform regular audits of CI/CD pipeline access

Knowledge Check

0/3 correct
Q1

What made the SolarWinds attack particularly devastating?

Q2

What is build provenance in the context of SLSA?

Q3

How would SLSA Level 3 provenance have helped detect or prevent the SolarWinds attack?

Code Exercise

Pin CI Action to SHA Hash

The workflow uses mutable tag references for GitHub Actions. Pin them to specific SHA hashes to prevent supply chain attacks via compromised action tags.

yaml