dependency-supply-chain-security
Installation
SKILL.md
Dependency & Supply Chain Security
The Dependency Risk
Your application includes hundreds of npm packages. Each one is code written by someone else that runs in your application with full privileges.
The Statistics Are Sobering
According to Sonatype's 2024 State of the Software Supply Chain Report:
- 245,000 malicious packages published to npm (2023)
- 700% increase in supply chain attacks (vs 2022)
- Average application has 200+ dependencies
- Each dependency averages 5 transitive dependencies (dependencies of dependencies)
Real-World Supply Chain Attacks
event-stream Incident (2018): A popular npm package (2 million downloads/week) was hijacked. The attacker added code that stole cryptocurrency wallet keys. Thousands of applications were affected before discovery.