Open-Source Software Supply Chain Attacks

Open-Source Software Supply Chain attacks are characterized by the injection of malicious code into the open-source dependencies of a software product, so that the malicious code reaches the downstream consumers of the affected component.

The steep increase in such attacks has led us to study this problem in depth, in order to understand and model the attackers' strategies.

Main Goal

The goal of our study is to establish a common terminology for the domain of Open-Source Software Supply Chain attacks, and to provide a single source of information for both references and categorized real-world examples.

Our model therefore aims to document and explain the common tactics, techniques and procedures (TTPs) pursued by attackers in the Open-Source Software Supply Chain domain.


The scenario we consider is the typical Software Development Life Cycle (SDLC):

SDLC Diagram

Attack Tree

An attack tree models an attack scenario as a tree.

The root of the attack tree is the attacker's goal.

The children of a node refine the parent node's goal into alternative techniques for achieving it: reaching any one child is sufficient to reach the parent.

Attack Tree Example

OSS Supply Chain Attacks Tree

To describe the common TTPs attackers adopt to conduct an Open-Source Software Supply Chain attack, we leverage the expressiveness of attack trees.

The root is the main goal: conducting an Open-Source Software Supply Chain attack. Such attacks may happen at every stage of the Software Development Life Cycle (SDLC), so the child nodes capture this and describe the specific tactics used to achieve the parent node's goal.

The taxonomy has been built from real-world examples.

Interact with the OSS Supply Chain Attacks Tree

We made our OSS Supply Chain Attacks Tree interactive, so you can decide what to inspect further. You can expand nodes to explore their specialisations. If you are unsure about the meaning of a node, inspect its information: each node is characterized with a description, its impact, references, real-world examples and the safeguards mapped to it.

Single-Click on a node to expand it


Double-Click on a node to display its info


OSS Supply Chain Attacks Tree lives in Technicolor

You may notice that some nodes have colors other than the default blue. Some attack strategies recur in the same form in different contexts, so we have grouped each such recurring pattern under its own color.

Red nodes

Red nodes are related to the compromise of a user account.

Compromise user

Green nodes

Green nodes are related to the compromise of a system.

Compromise system

Yellow nodes

Yellow nodes are related to social engineering attacks aimed at becoming a maintainer.

SE maintainer

Dashed-Stroke Blue nodes

Dashed-stroke blue nodes are a recursion to the root node: achieving that sub-goal means conducting another Open-Source Software Supply Chain attack.
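The following is an added example, not code from the Risk Explorer or the taxonomy itself. It models the structure described above and in the Attack Tree section: a root goal, OR-children that refine a goal into alternative techniques, shared subtrees that stand in for the red, green and yellow node groups, and dashed nodes that recurse to the root. It then enumerates the attack paths the tree encodes and shows the per-node information a double-click would display. Node names, descriptions and safeguards are constructed placeholders, not the nodes of the published taxonomy.

```python
"""Minimal attack-tree model: OR-children, shared (coloured) subtrees and
dashed back-references to the root goal, plus path enumeration.
Added example; node names and safeguards are illustrative placeholders."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

ROOT = "root"  # id of the root goal; dashed nodes reference it


@dataclass
class Node:
    id: str
    goal: str = ""
    color: str = "blue"          # blue | red | green | yellow | dashed
    description: str = ""
    impact: str = ""
    safeguards: tuple[str, ...] = ()
    children: list[Node] = field(default_factory=list)  # OR alternatives
    ref: str | None = None       # id of a shared subtree, or ROOT when dashed


def build_example_tree() -> dict[str, Node]:
    """Constructed tree: root plus three shared subtrees, keyed by id."""
    compromise_user = Node("compromise_user", "Compromise user", "red",
        description="Take over the account of a contributor or maintainer",
        impact="Attacker can publish under a trusted identity",
        safeguards=("multi-factor authentication", "scoped publish tokens"),
        children=[Node("leaked_creds", "Reuse leaked credentials"),
                  Node("phishing", "Phish the user")])
    compromise_system = Node("compromise_system", "Compromise system", "green",
        children=[Node("exploit_vuln", "Exploit a known vulnerability"),
                  # dashed: attacking this system through its own dependencies
                  # is itself an OSS supply chain attack, i.e. the root goal
                  Node("recurse", color="dashed", ref=ROOT)])
    se_maintainer = Node("se_maintainer", "SE maintainer", "yellow",
        children=[Node("abandoned", "Take over an abandoned project"),
                  Node("contributor", "Become a trusted contributor")])
    root = Node(ROOT, "Conduct an OSS supply chain attack",
        children=[
            Node("inject", "Inject malicious code into an existing package",
                 children=[Node("u", ref="compromise_user", color="red"),
                           Node("s", ref="compromise_system", color="green"),
                           Node("m", ref="se_maintainer", color="yellow")]),
            Node("lookalike", "Publish a lookalike package")])
    return {n.id: n for n in (root, compromise_user, compromise_system, se_maintainer)}


def _walk(tree: dict[str, Node], node: Node, path: list[str], budget: int) -> Iterator[list[str]]:
    if node.ref is not None:                     # shared subtree or dashed node
        if node.ref == ROOT:
            if budget == 0:                      # cut the recursion here
                yield path + ["<recursion: another OSS supply chain attack>"]
                return
            budget -= 1
        yield from _walk(tree, tree[node.ref], path, budget)
        return
    path = path + [node.goal]
    if not node.children:                        # leaf: a concrete technique
        yield path
        return
    for child in node.children:                  # OR: each child is an alternative
        yield from _walk(tree, child, path, budget)


def attack_paths(tree: dict[str, Node], max_recursion: int = 1) -> list[list[str]]:
    """Every root-to-leaf path; dashed nodes are expanded at most max_recursion times."""
    return list(_walk(tree, tree[ROOT], [], max_recursion))


def _all_nodes(tree: dict[str, Node]) -> Iterator[Node]:
    stack = list(tree.values())
    while stack:
        n = stack.pop()
        yield n
        stack.extend(n.children)


def node_info(tree: dict[str, Node], node_id: str) -> dict:
    """What the double-click panel shows: description, impact, safeguards."""
    for n in _all_nodes(tree):
        if n.id == node_id:
            return {"goal": n.goal, "color": n.color, "description": n.description,
                    "impact": n.impact, "safeguards": list(n.safeguards)}
    raise KeyError(node_id)


def validate(tree: dict[str, Node]) -> list[str]:
    """Structural checks: refs resolve, ref nodes are leaves, dashed nodes point at the root."""
    problems = []
    for n in _all_nodes(tree):
        if n.ref is not None and n.ref not in tree:
            problems.append(f"{n.id}: dangling reference {n.ref!r}")
        if n.ref is not None and n.children:
            problems.append(f"{n.id}: reference node must not have children")
        if n.color == "dashed" and n.ref != ROOT:
            problems.append(f"{n.id}: dashed node must reference the root")
    return problems


if __name__ == "__main__":
    t = build_example_tree()
    assert not validate(t)
    for p in attack_paths(t):
        print(" -> ".join(p))
    print(node_info(t, "compromise_user"))
```

Each coloured group is stored once and referenced wherever it recurs, which is exactly why the tree can colour-code them; the dashed node is the one place where expansion would never terminate, so the walker bounds it with `max_recursion` and emits a marker instead of looping.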


Ready to Play?

Come and discover the attacker’s mind when performing an Open Source Software Supply Chain attack.

Inspect the Tree