on supply chain attacks | ozair.dev
supply chain attack: a way to execute malicious code on many computers by sneaking the bad code into a widely used open source library.
reflecting on the recently viral supply chain attack on LiteLLM (and a few others this week?) and on xz, i think this method of attack will be even more utilized into 2026 and beyond. more software is being submitted to GitHub, and the surface area of code is increasing.
what might change:
- blind & careless software upgrades are risky. no more npm update && git push. engineers will spend more time auditing each upgrade for security & a safe code supply chain. good time to be a security engineer.
- the older the software is, the safer it might be. a lot of software was spared this week because the malicious code was only available for 2 hours and people hadn't had time to update. the longer the code has been stamped for release, the safer it might be. maybe this looks like [uv/npm] update --older-than=1wk flags?
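a sketch of the cooldown idea above, as an added example (not code from this post, uv or npm): pick the newest release that has been public for at least a week and report what is being held back. the release list, timestamps and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# constructed sample: version -> upload time, shaped like the per-release
# timestamps a package index publishes. not real release data.
SAMPLE_RELEASES = {
    "1.4.0": "2026-01-02T10:00:00Z",
    "1.4.1": "2026-02-20T09:30:00Z",
    "1.5.0": "2026-03-09T16:00:00Z",
    "1.5.1": "2026-03-10T08:00:00Z",  # published 2 hours before SAMPLE_NOW
}
SAMPLE_NOW = datetime(2026, 3, 10, 10, 0, tzinfo=timezone.utc)


def parse_ts(stamp):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def version_key(version):
    """Sort key for plain dotted numeric versions such as '1.5.1'."""
    return tuple(int(part) for part in version.split("."))


def pick_upgrade(releases, now, min_age=timedelta(days=7), yanked=frozenset()):
    """Return (chosen, held_back).

    chosen: newest non-yanked version published at least min_age ago, or None.
    held_back: newer non-yanked versions still inside the cooldown window.
    """
    cutoff = now - min_age
    eligible, cooling = [], []
    for version, uploaded in releases.items():
        if version in yanked:
            continue  # pulled by the registry: never a candidate
        bucket = eligible if parse_ts(uploaded) <= cutoff else cooling
        bucket.append(version)
    chosen = max(eligible, key=version_key, default=None)
    floor = version_key(chosen) if chosen else ()
    held_back = sorted((v for v in cooling if version_key(v) > floor), key=version_key)
    return chosen, held_back


if __name__ == "__main__":
    print(pick_upgrade(SAMPLE_RELEASES, SAMPLE_NOW))
```

a cooldown like this also delays legitimate security fixes, so it needs a way to override the window for urgent patches.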
are these examples of software viruses having a lifespan?