Supply Chain BlackHat USA

This comprehensive presentation at BlackHat USA 2025 argues that the software supply chain security conversation has been too narrowly focused on code dependencies, while the real attack surface spans browser extensions, IDE plugins, CI/CD pipelines, container images, AI coding agents, package managers, and even developer machines themselves. Anant Shrivastava traces supply chain trust issues back to Ken Thompson’s 1983 Turing Award lecture, walks through modern real-world attack case studies across multiple dependency chains, introduces the ATOM framework for systematic defense, and provides an extensive toolkit of open-source solutions for each attack vector.

Key Topics Covered

Historical Context and Persistence of the Problem:

• Ken Thompson’s 1983 lecture outlined how to implant a backdoor in a C compiler binary without leaving evidence in source code, based on a 1974 US military document on MULTICS security
• ENISA’s foresight report identifies supply chain compromise of software dependencies as a peak threat through 2030
• Governments worldwide have responded: US Executive Order, Japan’s economic security bill, EU’s NIS2 directive, UK guidelines, and India’s CERT-In SBoM guidelines

The Evolving Developer Supply Chain:

• The traditional chain: Chrome extensions → AI-driven VS Code extensions → GitHub → GitHub Actions → Docker → Kubernetes → EC2/AMI
• The current chain: autonomous AI agents with full command-line access → GitHub → GitHub Actions → Docker → Kubernetes → EC2/AMI
• Each link represents a trust boundary that can be compromised
• Dependabot data illustrates scale: ~2.45 million issues closed and ~120,000 new issues created in just five months

Beyond Code Dependencies — Other Attack Chains:

• Pluggable modules, plugins, extensions, theming, and customizations all represent third-party functionality injection points
• Production is hardened but development environments are not; smaller organizations within supply chains are easier targets
• Developer machines are high-value targets: they hold credentials, have network policy exceptions, admin access, and run powerful applications

Real-World Case Studies:

• Browser extensions: dozens of backdoored Chrome extensions on 2.6 million devices; malicious EditThisCookie clone stealing cookies
• IDE attacks: malicious VS Code extensions with millions of installs; Open VSX marketplace CI vulnerability could have allowed takeover of every extension for VS Code forks (Cursor, Windsurf, GitLab Web IDE)
• Homebrew impersonation: Google Ads driving traffic to a near-replica website serving a malicious install.sh
• Package managers: APT and RPM pre/post-install scripts as unexpected code execution vectors
• Notepad++ plugin hijacking and parasite website impersonation
• Cursor/AI IDE rule file injection via hidden whitespace characters
• CI/CD: global TeamCity exploitation enabling SolarWinds-style compromises; NSA/CISA guidance on defending CI/CD environments
• Container images: malicious containers on Docker Hub
• Bait-and-switch: WordPress plugins purchased and backdoored (300,000+ installations affected)
• Rogue maintainers: node-ipc (peacenotwar), colors.js/faker.js sabotage, npm malware civil war

The ATOM Framework:

• Awareness: Identify and move unknown risks into known risks
• Trust But Verify: Every dependency, tool, and service should be validated
• Ongoing Monitoring: Continuous security checks to detect changes and anomalies
• Measure & Map: Build capabilities to answer real questions (e.g., Chrome installations, GitHub workflow plugins)

Defensive Tooling Ecosystem:

• SBoM Play: client-side SBoM visualization and intelligence extraction
• 3PTracer: third-party connection discovery via DNS, client-side only
• Extension Auditor: Chrome extension security analysis
• osquery: endpoint visibility for querying installed extensions, permissions, and configurations
• GitHub/GitHub Actions security: signed commits, protected branches, forced reviews, legitify, OpenSSF SCM Best Practices, Allstar, zizmor
• Consumer vetting: SafeDep’s Vet for dependency vetting; Overlay browser extension for evaluating open-source packages across registries
• Cloud auditing: ScoutSuite, Prowler, kube-hunter, kube-bench, KubiScan, kubeaudit, Trivy, Cosign/Sigstore

Frameworks and Standards:

• SLSA (Supply-chain Levels for Software Artifacts) for build integrity
• OWASP SCVS (Software Component Verification Standard) and NIST SSDF for secure development practices
• pbom.dev as an open reference for software supply chain attacks

Shadow IT as a Supply Chain Risk:

• Non-technical staff using AI IDEs to build and deploy applications on personal cloud accounts creates unmonitored, unaudited supply chains within the organization

Actionable Takeaways

1. Expand your supply chain security scope beyond code dependencies to include browser extensions, IDE plugins, CI/CD actions, container images, package manager scripts, and AI coding tools.
2. Implement the ATOM framework: build Awareness of all dependency types, Trust But Verify every tool and service, establish Ongoing Monitoring for anomaly detection, and Measure & Map your full supply chain inventory.
3. Deploy endpoint visibility tooling (osquery, Extension Auditor) to inventory and audit browser extensions and IDE plugins across your developer fleet.
4. Harden GitHub and CI/CD pipelines: enforce signed commits, protected branches, pull request reviews, and use tools like zizmor and legitify to audit GitHub Actions workflows.
5. Use consumer vetting tools like SafeDep Vet and the Overlay browser extension to evaluate open-source packages before adoption.
6. Audit container supply chains with Trivy, Cosign, and Kubernetes security tools (kube-bench, kube-hunter, kubeaudit) to verify image provenance and configuration compliance.
7. Address Shadow IT risks by establishing policies and monitoring for unauthorized AI-driven development and deployment by non-engineering staff.