NCSC warns of rising risk from software supply chain attacks
The UK’s National Cyber Security Centre (NCSC) has warned that attackers are increasingly targeting open source software packages to distribute malware through the software supply chain. The agency sa...
The UK’s National Cyber Security Centre (NCSC) has warned that attackers are increasingly targeting open source software packages to distribute malware through the software supply chain. The agency says the scale and automation of modern development make these incidents harder to spot and potentially far more damaging.
Modern software projects often depend on many external libraries, frameworks, SDKs and small helper packages. That reliance can speed up development, but it also creates a large attack surface. In ecosystems such as Node.js, Rust and Python, where developers frequently rely on third-party components and package registries, a single compromised dependency can cascade across many products and services.
The NCSC says recent incidents affecting widely used package managers such as npm and PyPI show how attackers are abusing trusted development workflows. In some cases, malicious code has been introduced through developer accounts, package updates or automated build and deployment pipelines. Because these systems often install and run code with little or no manual review, harmful packages can spread quickly before defenders notice.
Methods seen in recent attacks
- Compromising maintainer accounts using stolen credentials or tokens
- Taking over abandoned packages or domains linked to package owners
- Using typosquatting to publish lookalike packages with deceptive names
- Injecting malicious scripts into installation or build processes
The agency also points out that developer devices are often less tightly managed than corporate endpoints, making them attractive targets for credential theft and initial access. Open publishing models can add further risk when registries do not consistently enforce protections such as multi-factor authentication.
To reduce exposure, the NCSC recommends that organisations map and review their dependencies, monitor for suspicious changes, and tighten controls around package installation and build automation. Security teams are also urged to check whether internal software may have incorporated a compromised package and to act quickly if signs of exposure are found.
While software ecosystems are introducing stronger safeguards, the NCSC says organisations still need to actively manage dependency risk to limit the impact of supply chain compromise.
