πŸ”— SOFTWARE SUPPLY CHAIN β€” Deep Dive: Dari npm install sampai State-Sponsored Backdoor

Di era 2026, hampir setiap aplikasi modern bergantung pada ratusan library pihak ketiga β€” satu pip install, satu npm i, satu go get, dan kamu sudah mengimpor kode dari puluhan maintainer yang tidak kamu kenal. Masalahnya: trust tidak bisa diskalakan. Supply chain attack bukan lagi teori β€” ini adalah vektor kompromi paling efektif yang digunakan APT, ransomware gangs, dan scammers. Dokumen ini membedah setiap lapisan supply chain security, dari dependency confusion sampai SLSA Level 4, dari SBOM sampai politik geopolitik backdoor.

Hubungan ke Vault

Ini adalah deep dive utama untuk topik Supply Chain. Terkait erat dengan Right (DevSecOps pipeline), eBPF Kernel Security (runtime verification), Threat Directory (profil threat actor), dan Web Hacking (dependency confusion dalam konteks web).


Daftar Isi


Mengapa Supply Chain? β€” Kenapa Ini Vektor Paling Berbahaya

ATTACK SURFACE TRADISIONAL:
  Aplikasi β†’ vulnerability di kode sendiri β†’ exploit β†’ kompromi

SUPPLY CHAIN ATTACK:
  Developer A publish library β†’ Library di-download 10.000 project
  β†’ Hanya 5% project yang audit dependency mereka
  β†’ Attacker compromise satu maintainer / inject backdoor
  β†’ Satu kompromi β†’ 10.000 korban

EFISIENSI ATTACKER:
  Satu backdoor di paket populer β†’ efek kaskade ke seluruh ekosistem
  Contoh: event-stream (npm) β€” 8M download/minggu, injected by social engineering
MetrikAngka
Rata-rata dependency per project (JS)1.200+
Rata-rata dependency per project (Python)250+
Package baru per hari (npm)1.700+
Package baru per hari (PyPI)500+
% developer yang audit dependency< 5%
Supply chain attack increase (2020β†’2026)5.000%+

Layer 0 β€” Attack Surface: Titik Masuk Supply Chain

Setiap titik di alur software development adalah vektor supply chain attack:

DEVELOPER        β†’ REPOSITORY     β†’ BUILD β†’ REGISTRY β†’ DEPLOY β†’ RUNTIME
β”‚                β”‚                β”‚       β”‚          β”‚        β”‚
β”œβ”€ Credential    β”œβ”€ Branch push   β”‚       β”œβ”€ Maliciousβ”‚       β”œβ”€ Runtime dep
β”‚  compromise   β”œβ”€ PR injection   β”‚       β”‚  upload   β”‚        β”‚  loading
β”œβ”€ Social        β”œβ”€ Git config    β”‚       β”œβ”€ Registry β”œβ”€ CD    β”œβ”€ Update
β”‚  engineering  β”‚  poisoning     β”‚       β”‚  takeover β”‚  hijackβ”‚  poisoning
β”œβ”€ MFA bypass   β”œβ”€ Webhook       β”‚       β”œβ”€ Name     β”‚        β”œβ”€ Config
β”œβ”€ Laptop theft  β”‚  hijacking    β”‚       β”‚  squattingβ”‚        β”‚  injection
                β”‚                β”‚       β”‚           β”‚        β”‚
                └── CI/CD β”€β”€β”€β”€β”€β”€β”€β”˜       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜        └─────────
                      ↑
                Build cache poisoning
                Dependency confusion (internal)
                Test dependency injection

Klasifikasi Berdasarkan Entry Point

LayerEntry PointContoh KasusTingkat Kesulitan Attacker
0Developer machinenpm token dicuri, GPG signing key bocor🟒 Rendahβ€”Sedang
1Dependency resolutionDependency confusion, typosquatting🟒 Rendah
2Package contentBackdoor di source code library🟑 Sedang
3Build pipelineCI/CD script injection, cache poisoning🟑 Sedangβ€”Tinggi
4Package registryRegistry takeover, CDN cache poisoningπŸ”΄ Tinggiβ€”Sangat Tinggi
5Vendor/ManufacturerHardware backdoor, firmware implantπŸ”΄πŸ”΄ State-level

Layer 1 β€” Dependency Confusion & Typosquatting

Dependency Confusion

PRINSIP:
  Package manager (pip, npm, gem, etc.) menggunakan urutan prioritas
  untuk resolve nama package:
  1. Private registry / internal
  2. Public registry (PyPI, npmjs.com, rubygems.org)

JIKA NAMA PAKET SAMA, PUBLIC BISA MENANG:
  - npm: public registry default
  - pip: --extra-index-url bisa di-prioritaskan
  - Attacker upload 'internal-sdk' ke PyPI β†’ developer install dari public

EKSPLOITASI REAL:
  1. Attacker cari nama package internal perusahaan
     (dari leak, GitHub, Stack Overflow, job posting)
  2. Upload package dengan nama SAMA ke public registry
  3. Developer menjalankan `pip install` atau `npm install`
  4. Package manager mendownload dari public karena konfigurasi salah
  5. Kode attacker tereksekusi saat install (pre/post-install script)

Contoh Nyata: Uber Dependency Confusion (2022)

ATTACK:
  Researcher mengecek package.json library internal Uber
  β†’ Upload 22 package dengan nama yang sama ke npm
  β†’ npm install mendownload package milik researcher
  β†’ Code execution di build server Uber

ROOT CAUSE:
  - npm registry scope (@uber/) tidak dikonfigurasi otentikasi
  - Package internal ter-expose di package.json (public repo)
  - npm install mix: campur public + private tanpa validasi
// Contoh vulnerable package.json
{
  "dependencies": {
    "express": "^4.18.0",
    "@internal/auth-sdk": "^1.0.0", // ← Nama bocor
    "@internal/crypto-utils": "^2.0.0" // ← Attacker upload ke public
  }
}

Typosquatting

PRINSIP:
  Attacker upload package dengan nama MIRIP dengan paket terkenal:
  - Typo umum: requets (vs requests), urlib3 (vs urllib3)
  - Homoglyph: Ρƒoutube-dl (Cyrillic 'Ρƒ' vs 'y'), 'o' vs 'ΠΎ'
  - Prefix/suffix:  requests-sdk, flask-extended
  - Domain mimic:  pip-install-flask

EKSEKUSI SAAT INSTALL:
  Python (setup.py): pre-install script
  npm: preinstall / postinstall hook
  Ruby gem: extconf.rb
  Rust crate: build.rs

Typosquatting Incident Tracker

EkosistemPaket PalsuTargetDownloadTahun
PyPIurlib3urllib310.000+2022
npmcrossenvcross-env50.000+2021
npmelectron-native-notifyTelegram phishing100.000+2023
PyPIrequests-httpxCredential theft5.000+2024
RubyGemstyphoeus (homoglyph)typhoeus asli3.000+2023

Mitigasi Layer 1

# 1. PIN VERSI β€” jangan floating range
# ❌ Bad:
"express": "^4.x"
# βœ… Good:
"express": "4.18.2"
 
# 2. LOCKFILE β€” wajib di-commit
npm: package-lock.json
pip: requirements.txt + pip freeze > requirements.txt
go: go.sum
rust: Cargo.lock
 
# 3. PRIVATE REGISTRY ISOLATION
npm: --scope=@company --registry https://npm.internal.company.com
pip: --index-url https://pypi.internal.company.com/ --extra-index-url ...
 
# 4. VERIFY INTEGRITY
npm: npm audit + npm ci (gunakan lockfile)
pip: pip install --require-hashes

Layer 2 β€” Compromised Package (Backdoor di Sumber)

PRINSIP:
  Paket populer yang SUDAH legitimate tiba-tiba mengandung backdoor
  karena:
  - Maintainer di-social engineering
  - Akun maintainer di-hack
  - Sertifikat signing dicuri
  - Dependency chain (backdoor di sub-dependency)

EKSEKUSI:
  - Pre/post install script
  - Runtime code execution
  - Prototype pollution (JS)
  - Deserialization attack
  - Hidden code di test file / contoh kode

Chains of Trust Problem

Paket A (kamu install)
  └── Paket B (dependensi A)
       └── Paket C (dependensi B) ← backdoor ada DI SINI
            └── Paket D
                 └── Paket E
                      └── Paket F (tidak maintain sejak 2019)

Kamu tidak pernah lihat Paket Cβ€”F, mereka deep dependencies.
Satu backdoor di leaf package β†’ compromise semua parent.

Incident Besar

IncidentEkosistemDampakMetodeTahun
event-streamnpm8MSocial engineering β€” attacker jadi maintainer2018
colors.js + faker.jsnpmRibuan project brokenMaintainer sengaja corrupt library2022
SolarWinds OrionJava/.NET18.000 organisasi, US GovBuild pipeline compromise, signed trojan2020
Codecov Bash UploaderCI/CD30.000+ customerDocker image credential leakage2021
3CX Desktop AppElectron600.000+ organisasiSupply chain di library trading (Caddy)2023
XZ Utils (liblzma)C/LinuxSSH backdoor (near-miss CVE-2024-3094)2 tahun social engineering maintainer2024

XZ Utils β€” Paling Berbahaya yang Pernah Nyaris Terjadi

TIMELINE (2022–2024):
  2022-01: Github user "JiaT75" submit patch β€” memperbaiki bug
  2022-04: Menjadi co-maintainer setelah aktif bertahun-tahun
  2023-07: Inject backdoor di test file (bukan source code utama)
  2024-02: Backdoor aktif β€” modifikasi sshd (OpenSSH) via LD_PRELOAD
  2024-03: Terdeteksi oleh Andres Freund (Microsoft) β€” latency SSH

KRUSIAL:
  - 2 tahun infiltrasi
  - Backdoor di file .m4 (autoconf) β€” tidak di-review
  - Hampir masuk ke major distro (Debian, Fedora)
  - Jika berhasil: backdoor SSH global

LESSONS:
  - Review MAINTAINER sama penting dengan review CODE
  - Build artifact bisa berbeda dengan source code
  - Bus factor: 1 maintainer untuk library critical = risiko besar

Mitigasi Layer 2

# 1. VULNERABILITY SCANNER β€” jangan skip
npm audit; pip-audit; cargo audit; grype .; trivy fs .
safety check -r requirements.txt
 
# 2. SCA (Software Composition Analysis)
#   Otomatis: Snyk, Dependabot, Renovate, Sonatype Nexus IQ
#   Deteksi: CVE, license risk, malware pattern
 
# 3. VENDOR REVIEW (untuk library kritis)
#   - Peer-reviewed source
#   - Maintainer reputation
#   - Update frequency
#   - OpenSSF Scorecard
 
# 4. ZERO TRUST DEPENDENCY
#   - Minimalize dependency (YAGNI untuk library juga!)
#   - Prefer stdlib / official SDK
#   - Audit sub-dependency chain

Layer 3 β€” Build Pipeline & CI/CD Poisoning

PRINSIP:
  Serangan bukan di kode library, tapi di PIPELINE yang build kode:
  - Ganti script CI/CD (action, workflow)
  - Poison build cache
  - Compromise runner / agent
  - Inject artifact AFTER build (sebelum signing)

TAHAPAN EKSPLOITASI BUILD PIPELINE:
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Developer Push  │────→│  CI/CD Runner    │────→│  Artifact        β”‚
β”‚                  β”‚     β”‚                  β”‚     β”‚  (binary/package)β”‚
β”‚  code            β”‚     β”‚  checkout        β”‚     β”‚                  β”‚
β”‚  action          β”‚     β”‚  install dep     β”‚     β”‚  signature: βœ“    β”‚
β”‚  workflow        β”‚     β”‚  build           β”‚     β”‚  hash: SHA-256   β”‚
β”‚                  β”‚     β”‚  test            β”‚     β”‚                  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β”‚  sign            β”‚     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                         β”‚  publish         β”‚              ↑
                         β”‚                  β”‚       SERANGAN DISINI:
                         β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       - Inject setelah build
                              ↑                     - Replace artifact
                         SERANGAN DISINI:             - Tapi signature tetap valid
                         - Ganti action
                         - Poison cache
                         - Rogue runner

Contoh Nyata

Attack VectorContohDampak
GitHub Action poisoningtj-actions/changed-files compromised (2025)23.000+ repo terpapar credential leak
Docker build cache poisoningGunakan base image maliciousSetiap build ulang mengandung backdoor
Runner compromiseAccess CI/CD agent β†’ inject scriptCode execution di pipeline
Artefact replacementGanti binary after build, before signSigned malware
Pipeline-as-code hijackPR β†’ edit .github/workflows/Eksekusi arbitrary action

Mitigasi Layer 3

# 1. PIN ACTIONS KE COMMIT SHA (bukan tag/version)
# ❌ Bad:
uses: actions/checkout@v4
# βœ… Good:
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
 
# 2. WORKFLOW PERMISSION β€” minimal privilege
permissions:
  contents: read  # hanya baca
  packages: read
 
# 3. SIGNED COMMITS + CI/CD VERIFIKASI
git commit -S  # GPG sign
git tag -s v1.0.0
 
# 4. BUILD REPRODUCIBILITY
#   Heretic builds: binary yang sama persis dari source yang sama
#   Verifikasi: diffoscope antara binary hasil build lokal vs CI
 
# 5. PROVENANCE GENERATION
#   Generate SLSA provenance di setiap build
#   Simpan ke Rekor (sigstore) untuk audit trail

Layer 4 β€” Package Registry Poisoning

PRINSIP:
  Menyerang REGISTRY tempat package di-hosting:
  - Registry takeover (npm.com, PyPI.com account squatting)
  - CDN cache poisoning (jsDelivr, UNPKG, cdnjs)
  - Mirror poisoning (registry.npmjs.org β†’ mirror palsu)
  - Man-in-the-middle pada koneksi registry

Registry Attack Vectors

AttackTargetDampak
Account takeoverNama organization yang sudah tidak aktifSemua user yang trust package ini
Registry squattingNama package yang sudah tidak di-maintainAuto-update β†’ backdoor
CDN PoisoningjsDelivr, UNPKG, cdnjsSemua site yang load dari CDN
Typosquat registry URLpypi-proxy.intenal.company.com vs pypi-proxy.internal.company.comInternal registry palsu
Dependency proxy poisoningArtifactory/Nexus proxy ke publicCache proxy bisa di-poison

Mitigasi Layer 4

# 1. MIRROR β€” verifikasi integrity
#   Gunakan registry official langsung (jangan mirror pihak ketiga)
npm config set registry https://registry.npmjs.org/
pip config set global.index-url https://pypi.org/simple/
 
# 2. SUBRESOURCE INTEGRITY (SRI) β€” untuk CDN
#   <script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"
#           integrity="sha384-..." crossorigin="anonymous">
 
# 3. PACKAGE SIGNING VERIFICATION
#   npm: npm audit signatures
#   Sigstore: cosign verify-blob ...

Layer 5 β€” Hardware & Firmware Supply Chain

INI LEVEL PALING TINGGI β€” state-sponsored:
  - CPU/TPM backdoor di level silikon
  - BMC/iLO/iDRAC firmware compromise
  - UEFI BIOS injection
  - Network equipment backdoor (router, switch)
  - USB controller firmware trojan

CONTOH:
  - Supermicro BMC backdoor (Bloomberg 2018 β€” controversial)
  - Cisco router backdoor di kode VPN
  - Huawei equipment 5G β€” trust dispute geopolitik
  - AMD/Intel PSP/ME β€” closed-source firmware

Keterkaitan dengan Hardware Hacking & RE di vault.


SLSA β€” Supply Chain Levels for Software Artifacts

FRAMEWORK DARI OpenSSF (Open Source Security Foundation):
  Level 0–4, mengukur seberapa TAHAN supply chain terhadap compromise.

SLSA Levels

LevelNamaPersyaratan UtamaProteksi Terhadap
L0No guaranteesDokumentasi buildTidak ada
L1Build provenanceProvenance otomatis (source + build)Retrospective audit
L2Signed provenanceProvenance di-token/sign oleh build platformTamper evidence
L3Hardened buildBuild isolated, reproducible, no user-controlled stepsTamper prevention
L4Two-person reviewL3 + setiap perubahan di-review oleh dua pihakInsider threat

SLSA Build Provenance (format in-toto attestation)

{
  "type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "app-linux-amd64",
      "digest": { "sha256": "abcd1234..." }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildType": "https://github.com/actions/build/gha/v1",
    "builder": { "id": "https://github.com/org/repo/.github/workflows/build.yml" },
    "invocation": {
      "configSource": {
        "uri": "git+https://github.com/org/repo@refs/heads/main",
        "digest": { "sha1": "deadbeef..." }
      }
    },
    "materials": [
      {
        "uri": "git+https://github.com/org/repo",
        "digest": { "sha1": "cafebabe..." }
      }
    ]
  }
}

Implementasi SLSA

# Contoh GitHub Actions β€” SLSA Level 3
jobs:
  build:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
      - name: Build
        run: make build
      - name: Generate provenance
        uses: slsa-framework/slsa-github-generator/actions/delegator@v2.1.0
        with:
          provenance: true
      - name: Upload artifact + provenance
        uses: actions/upload-artifact@v4
        with:
          path: |
            dist/
            *.attestation

SSDF β€” NIST Secure Software Development Framework

STANDAR RESMI US GOVERNMENT β€” SP 800-218:
  Response terhadap Executive Order 14028 (2021)
  Wajib untuk semua software yang dijual ke US Government.

4 PILLAR UTAMA:
  PO: Prepare Organization
  PS: Protect Software
  PW: Produce Well-Secured Software
  RV: Respond to Vulnerabilities

SSDF Practices (Ringkasan)

IDPracticeLevel
PO.1Define security requirementsOrganization
PO.2Implement risk managementOrganization
PO.3Implement secure software supply chainOrganization
PS.1Protect all forms of codeCode
PS.2Protect build pipelineBuild
PS.3Protect third-party componentsDependency
PW.1Design software to be secureDesign
PW.2Review design for securityDesign
PW.3Reuse secure codeCode
PW.4Identify and handle vulnerabilitiesCode
PW.5Verify software securityTest
PW.6Provide security headersDeploy
RV.1Receive and analyze reportsOperation
RV.2Respond to vulnerabilitiesOperation
RV.3Communicate resultsCommunication

SSDF vs SLSA

SSDF adalah apa yang harus dilakukan (framework kebijakan). SLSA adalah bagaimana membuktikan bahwa kamu sudah melakukannya (technical attestation). Keduanya komplementer.


SBOM β€” Software Bill of Materials

DEFINISI:
  Inventaris formal dari semua komponen yang menyusun software:
  - Library (nama, versi, supplier)
  - Lisensi
  - Dependency tree
  - Known vulnerabilities (CVE mapping)

FORMAT STANDAR:
  - SPDX (ISO/IEC 5962:2021) β€” yang paling banyak diadopsi
  - CycloneDX (OWASP) β€” lebih kaya fitur (untuk security-native)
  - SWID (ISO/IEC 19770-2:2015)

Contoh SBOM (CycloneDX Format)

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2026-07-02T00:00:00Z",
    "tools": [
      {
        "vendor": "Anchore",
        "name": "Syft",
        "version": "1.0.0"
      }
    ],
    "component": {
      "name": "myapp",
      "version": "1.0.0",
      "type": "application"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:pip/requests@2.31.0",
      "name": "requests",
      "version": "2.31.0",
      "purl": "pkg:pip/requests@2.31.0",
      "type": "library",
      "supplier": {
        "name": "Ken Reitz"
      },
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ]
    }
  ]
}

SBOM Workflow

# Generate SBOM
syft packages myapp:latest -o cyclonedx-json > sbom.json
# Generate SBOM untuk filesystem
syft dir:/project -o spdx-json > sbom-spdx.json
 
# Cek vulnerability dari SBOM
grype sbom:sbom.json
# Atau langsung dari image
trivy image myapp:latest --format cyclonedx > sbom-trivy.json
 
# Verifikasi signature SBOM
cosign verify-blob --signature sbom.json.sig --key cosign.pub sbom.json

SBOM Mandatory Use Cases

2026 β€” SBOM SUDAH MANDATORY DI:
  - US Government (Executive Order 14028)
  - EU Cyber Resilience Act
  - Major cloud provider (AWS, GCP, Azure) β€” marketplace requirement
  - Startup akusisi due diligence
  - Insurance cyber security questionnaire

BEST PRACTICE:
  - Generate SBOM di setiap CI/CD build
  - Simpan SBOM sebagai artifact release
  - Sign SBOM signature (cosign)
  - Upload ke transparency log (Rekor)
  - Monitor SBOM diff antar versi

in-toto & Sigstore β€” Verified Supply Chain

in-toto

FRAMEWORK UNTUK VERIFIKASI INTEGRITAS SUPPLY CHAIN:
  - Layout: definisi step dan siapa yang berwenang
  - Link: metadata tiap step (dari mana, ke mana, hash)
  - Verification: cocokkan layout + link untuk autentikasi

STEP DALAM SUPPLY CHAIN (in-toto layout):
  source β†’ build β†’ test β†’ package β†’ sign β†’ publish
   ↓        ↓       ↓       ↓         ↓        ↓
  Fungsi:  Fungsi: Fungsi: Fungsi:   Fungsi:  Fungsi:
  checkout  compile  run     package  sign     upload
                      test

Sigstore

PROJECT OSS UNTUK CODE SIGNING + TRANSPARENCY:
  - Fulcio: Certificate Authority yang terintegrasi OIDC (GitHub/GitLab)
  - Rekor: Transparency log (tamper-proof, append-only)
  - Cosign: CLI untuk signing dan verification

ALUR SIGNING (TANPA MANAGE PRIVATE KEY!):
  1. Developer login ke GitHub
  2. Fulcio issue short-lived signing cert (via OIDC)
  3. Cosign sign artifact + cert
  4. Signing + cert di-log ke Rekor (permanent)
  5. Siapa pun bisa verify tanpa perlu public key (cukup trust Rekor)
# Sign container image
cosign sign ghcr.io/username/myapp:latest
# Verify
cosign verify ghcr.io/username/myapp:latest
 
# Sign SBOM
cosign attest --predicate sbom.json --type cyclonedx ghcr.io/username/myapp:latest
# Verify attestation
cosign verify-attestation --type cyclonedx ghcr.io/username/myapp:latest

Deteksi & Proteksi β€” Tooling

Scanner Supply Chain

ToolFungsiEkosistemSumber
TrivyUniversal scanner (image, fs, SBOM, repo)SemuaOpenSource
GrypeVulnerability scanner untuk SBOM/imagesSemuaOpenSource
SyftSBOM generationSemuaOpenSource
OpenSSF ScorecardHealth check repo GitHubGitHubOpenSource
Dependency CheckSCA untuk Java/.NET/PythonJava/.NET/PythonOWASP
SnykSCA + SAST + containerSemuaCommercial
Socket.devDeteksi malware/typessquatting di npm/PyPInpm, PyPICommercial
RenovateAuto update dependency + security PRSemuaOpenSource
DependabotAuto dependency update (GitHub native)GitHubFree
MurphySecPlatform SSCS dengan SBOM, CVE, licenseJava, Python, JS, GoCommercial

OpenSSF Scorecard β€” Cek Repositori Pihak Ketiga

# Cek repo sebelum memakainya sebagai dependency
scorecard --repo=github.com/org/repo
# Output: 0-10 untuk tiap metrik
# - CI-Tests, CII-Best-Practices, Code-Review,
# - Contributors, Dependency-Update-Tool,
# - Maintained, Pinned-Dependencies, SAST,
# - Security-Policy, Signed-Releases, Token-Permissions

Real-World Case Studies

SolarWinds Orion (2020) β€” Paling Masif

METODE:
  1. ATTACKER (APT β€” kemungkinan Cozy Bear / APT29) compromise
     SolarWinds build pipeline
  2. Inject trojan di Orion.dll (signature tetap valid)
  3. SolarWinds sign build dengan trusted certificate
  4. Update dikirim ke 18.000+ organisasi (US Gov, Fortune 500)
  5. Backdoor: "Sunburst" β€” stealth C2 via HTTP

DAMPAK:
  - US Treasury, Commerce, Energy, DHS, DOD
  - Microsoft, FireEye (detector jadi korban)
  - FireEye mendeteksi sendiri di infra mereka
  - Estimated cost: > $100M (belum termasuk kerugian downstream)

TIMELINE:
  September 2019: Attacker mulai kompromi
  February 2020: Backdoor inject di build pipeline
  March 2020: Release Orion 2020.2 di-sign dan distribusi
  December 2020: FireEye/publik mengumumkan
  Total: 9 bulan undetected

Codecov (2021) β€” Bash Uploader

METODE:
  1. Attacker compromise Codecov Docker image build
  2. Extract credential dari environment (CI/CD)
  3. Modify bash uploader (codecov/bash) β€” ekstrak env variable
  4. Setiap run CI/CD di customer β†’ credential dikirim ke attacker

DAMPAK:
  30.000+ customer terpapar
  Kehilangan: GitHub tokens, cloud keys, npm tokens

LESSON:
  - Third-party CI/CD tools punya akses ke credential kamu
  - Environment variable di CI = sangat sensitif
  - Minimalize permission di CI/CD secrets

XZ Utils / liblzma (2024) β€” Near-Miss Paling Berbahaya

- Backdoor di library kompresi yang digunakan oleh sshd (OpenSSH)
- Jika berhasil: remote SSH access tanpa autentikasi ke SEMUA server yang
  menggunakan systemd + OpenSSH
- Terdeteksi karena performance anomaly (latency SSH naik 500ms)
- Attacker spent 2 tahun maintain reputasi sebelum inject backdoor
- Backdoor di build artifact, bukan source code

3CX Desktop App (2023)

- VoIP app, Electron-based
- Installer yang di-sign legitimate
- Library trading (Caddy web server) compromised β†’ supply chain masuk
- Backdoor exfiltrate data + C2 beacon
- 600.000+ organisasi terpapar

Koneksi ke Vault

[[cicd-shiftleft-shiftright]]
  β†’ CI/CD Shift-Left (keamanan di awal pipeline) adalah strategi utama
    untuk mendeteksi supply chain issue SEBELUM dependency masuk

[[comprehensive-threat-directory]]
  β†’ Profil threat actor: APT29 (SolarWinds), Lazarus (3CX),
    UNC2565 (Codecov), JiaT75 (XZ)

[[ebpf-kernel-security]]
  β†’ eBPF untuk runtime verification: deteksi anomali behavior
    dependency di production (Falco, Tetragon)

[[architectural-flaw-detection]]
  β†’ Anti-pattern di dependency management:
    - Circular dependency
    - Unused import (dead weight)
    - Over-scoped dependency

[[web-hacking-exploitation]]
  β†’ Dependency confusion sebagai vektor serangan ke web app

[[it-domain-hierarchy]]
  β†’ Supply Chain Security sebagai sub-domain dari IT Security:
    Application Security β†’ SCA / SBOM / Dependency Mgmt
    Infrastructure Security β†’ Build / CICD Security
    Governance β†’ SSDF / SLSA / Regulatory

[[hardware-hacking-re]]
  β†’ Hardware supply chain β€” Layer 5 dari framework ini

Mapping ke Master Index

Supply chain security duduk di persimpangan antara:

DomainAspek Supply Chain
πŸ” Application SecuritySCA, dependency audit, SBOM
πŸ—οΈ DevOps/PlatformSLSA, build provenance, CI/CD hardening
πŸ›‘οΈ InfrastructureRegistry security, eBPF runtime verification
☁️ Cloud SecuritySigstore, Fulcio OIDC, Rekor transparency log
πŸ“‹ ComplianceSSDF, Cyber Resilience Act, EO 14028

Bottom Line

Supply chain security bukan tentang trust β€” trust akan selalu di-exploit. Ini tentang verification di setiap langkah: signed provenance untuk setiap build, SBOM di setiap release, dan kemampuan untuk audit seluruh dependency tree sampai leaf terakhir. Satu library yang tidak di-maintain di kedalaman tree adalah satu titik kegagalan yang menunggu untuk dieksploitasi.

Di era 2026, jika kamu tidak punya SBOM untuk aplikasi kamu β€” kamu tidak tahu apa yang berjalan di production kamu.