Supply Chain Risk Doesn’t End At NPM

Thursday, May 30th, 2024

Updated July 19th, 2024

Carlo D'Agnolo

Supply chain attacks are a top-of-mind problem today. The number of these attacks in the US increased by 115% between 2022 and 2023, according to Statista. Tools like Socket and Coana detect harmful code in registries like NPM. But the supply chain risk doesn’t end there.


Some tools are 3rd party scripts that get fetched by the user’s browser. If you only check NPM (or another registry), you’re not protected from attacks through these scripts.

These scripts, used for marketing tracking, ads, captchas, and much more, are frequently implemented across entire sites for convenience. They are powerful and can do things like rewrite code, redirect users, exfiltrate data, and even mine crypto in your browser.

The delivery method of these scripts allows for dynamic behavior. Any user can get a different delivery each time, especially when a script has been compromised.

As more people adopt better dependency security approaches, dynamic scripts that get fetched browser-side are an increasingly interesting and substantial attack vector. This makes checking sources alone a risky game. The better approach is checking the full code every time it gets delivered, which is what c/side does.
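To make the difference between checking a source and checking each delivery concrete, here is an added example (not c/side's code or method) that pins a reviewed copy of a script by hash and compares every later delivery of the same URL against it. The URLs, client labels and script bodies are constructed sample data, and plain hash pinning is an assumption chosen for illustration.

```javascript
// Added example: hash every delivered script body and compare it to a reviewed baseline.
const { createHash } = require("node:crypto");

// Digest in the "sha384-<base64>" form that Subresource Integrity uses.
function digest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Constructed sample data: the reviewed copy of a tag and three later
// deliveries. The URLs and bodies are made up for this example.
const URL_TAG = "https://cdn.example.com/tag.js";
const reviewedBody = "window.track=function(e){navigator.sendBeacon('/t',e)};";
const baseline = new Map([[URL_TAG, digest(reviewedBody)]]);
const deliveries = [
  { url: URL_TAG, client: "user-a", body: reviewedBody },
  { url: URL_TAG, client: "user-b", body: reviewedBody + "/* appended code */" },
  { url: "https://cdn.example.com/new.js", client: "user-c", body: "console.log(1);" },
];

// Classify each delivery: "match", "drift" (known URL, different bytes),
// or "unreviewed" (URL with no approved digest).
function checkDeliveries(baseline, deliveries) {
  return deliveries.map(({ url, client, body }) => {
    const expected = baseline.get(url);
    const actual = digest(body);
    const status = !expected ? "unreviewed" : expected === actual ? "match" : "drift";
    return { url, client, status, actual };
  });
}

// URLs that served more than one distinct body across clients: the
// per-user variation that a source-only check never sees.
function variantUrls(deliveries) {
  const seen = new Map();
  for (const { url, body } of deliveries) {
    if (!seen.has(url)) seen.set(url, new Set());
    seen.get(url).add(digest(body));
  }
  return [...seen].filter(([, digests]) => digests.size > 1).map(([url]) => url);
}

const results = checkDeliveries(baseline, deliveries);
for (const r of results) console.log(r.status.padEnd(10), r.client, r.url);
console.log("URLs with per-client variants:", variantUrls(deliveries));
```

A byte-exact pin flags every vendor update as drift, so each "drift" result is a prompt to review the new body rather than proof of compromise.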

Furthermore, many of these scripts are not maintained by tech-centric companies. Tools may become neglected as companies dissolve or are acquired, leaving them susceptible to hijacks. Even reputable, widely used services are not without their faults, as evidenced by the cdnjs issues in 2021 or by the person who bought expired police and social services domains in Belgium and got access to private info that way.

Finally, 95% of these scripts lack protections against DNS hijacks. Even the network you are on may impact the script you get.


What to do about all of this

Here’s what we recommend:

Use a tool like Socket (or alternatives) for supply chain risk on the registry, and use c/side to monitor the behavior of 3rd party scripts browser-side. We check the full code of 3rd party sources, 100% of the time, before it gets delivered to the browser of your user, fully securing this side of the supply chain.

Lastly, you should protect your infrastructure against inbound attacks. For that, use something like Cloudflare’s Web Application Firewall.

More niche things like form uploads and bot detection may require specialist tooling.

Use proactive monitoring tools like Hadrian or Cycognito to monitor the threat surface.