Finding the balance between minimizing risks for supply-chain attacks and common vulnerabilities and exposures (CVE)
Recent incidents show that dodging supply-chain attack bullets is not trivial. Two months ago (March '26), a popular open-source security scanner with 35k stars on GitHub was compromised and temporarily turned into a credential and secret stealer. Everyone who used the affected GitHub Action or Docker image potentially had their secrets leaked.
In the following days, various other services and packages (especially in the npm universe) were hijacked, and anyone pulling new versions of these dependencies via tools like Renovate or Dependabot and running automated tests was potentially at risk of leaking their credentials as well. More context is given in, e.g., [1], and I am wondering if this cascade of incidents already ends here.
When managing dependencies, we are forced to balance two extremes:
- Extreme 1: Update immediately. You get security patches and bug fixes instantly, but you become highly vulnerable to fresh supply-chain attacks (malicious packages pushed to registries).
- Extreme 2: Never update. You dodge the supply-chain attacks but, setting maintainability aspects aside, leave your software wide open to publicly known CVEs, which anyone can exploit with minimal effort.
Relying solely on alerts for CVEs is essentially firefighting. It is patching holes after they are publicly known.
I do not claim to be a security expert.
My proposed strategy would be:
- Implement an X-day cooldown: delay dependency updates, with 7 days as a (gut-feeling) sweet spot. It gives the community time to discover and remove supply-chain attacks, while still capturing security fixes before they become widely exploited CVEs. Additionally, you keep your software up to date, easing maintainability.
- Treat public CVEs as emergencies.
- Bucket your credentials: Split credentials into isolated buckets, used for development, production, staging, tools like Dependabot, etc.
- Regularly re-audit your software’s dependencies: Is everything still properly maintained, and does it come from a trustworthy source?
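The first two points of the strategy (cooldown plus a CVE emergency override) can be sketched as a version-selection policy. This is an added example, not code from this post or from Renovate or Dependabot; the `Release` record, its `yanked` flag, the `vulnerable` set (assumed to come from an advisory feed) and the sample releases are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=7)  # the post's gut-feeling value; tune per project

@dataclass(frozen=True)
class Release:
    version: tuple            # e.g. (1, 4, 2)
    published: datetime       # registry publish time, timezone-aware
    yanked: bool = False      # assumption: registry marks removed releases

def pick_update(current, releases, now, vulnerable=frozenset(), cooldown=COOLDOWN):
    """Return (target_version or None, reason) for one dependency."""
    # Candidates: newer than what we run, still published, no public CVE.
    newer = sorted((r for r in releases if r.version > current
                    and not r.yanked and r.version not in vulnerable),
                   key=lambda r: r.version)
    aged = [r for r in newer if now - r.published >= cooldown]
    emergency = current in vulnerable
    if aged:
        # Newest release that has survived the cooldown window.
        return aged[-1].version, ("cve-fix" if emergency else "cooldown-passed")
    if emergency and newer:
        # Public CVE outweighs the cooldown: take the fix that has been
        # public longest and flag it for manual review before merging.
        oldest = min(newer, key=lambda r: r.published)
        return oldest.version, "cve-fix-bypassing-cooldown"
    if emergency:
        return None, "cve-no-fix-available"
    return None, ("waiting-for-cooldown" if newer else "up-to-date")

def utc(day, month=5):
    return datetime(2026, month, day, tzinfo=timezone.utc)

# Constructed sample data: four releases of a hypothetical package.
NOW = utc(20)
RELEASES = [
    Release((1, 4, 0), utc(1, month=4)),
    Release((1, 4, 1), utc(5)),
    Release((1, 4, 2), utc(18)),               # 2 days old: inside cooldown
    Release((1, 4, 3), utc(19), yanked=True),  # pulled after being reported
]

if __name__ == "__main__":
    print(pick_update((1, 4, 0), RELEASES, NOW))
    print(pick_update((1, 4, 0), RELEASES, NOW, vulnerable={(1, 4, 0), (1, 4, 1)}))
```

The `cve-fix-bypassing-cooldown` result is the one case where an unaged release gets through, so it is the one worth routing to a human reviewer.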
There is no silver bullet, but balancing speed with a built-in cooldown period makes a massive difference.
Best, Gregor
[1] https://www.sans.org/blog/when-security-scanner-became-weapon-inside-teampcp-supply-chain-campaign