SLSA dip — It’s Build Time!
This article is part of a series about the security of the software supply chain. Each article will...
Zaid Al Hamami
After connecting with dozens of CISOs and CTOs, we've realized there’s a lot of diverging ideas around what software supply chain security even is. Even more so, the range of opinions around how to effectively protect against the unique and expanding kinds of risks is confusing to say the least. And while there are plenty of supply chain security standards around, and plenty of deeply technical supply chain security resources, there wasn't anything talking about it from a business risk level. So, we put together a resource for CISOs and CTOs that explores four categories of risks;
- The Developer
- 1st Party Code
- 3rd Party Code and
- The Development Infrastructure
Understanding Developer Risk
An often overlooked, but nonetheless critical part of your supply chain is the developer, and the machine & services they use to develop code. In some cases, the developer is an employee of the organization. In other cases, they're external, either contracted directly by the organizations or through an outsourced development shop.
Risk #1 - Developer account compromise targeted through phishing, social engineering, malware
Developers are now direct targets of cyber attacks: the Contagious Interview (PaloAlto Networks research) campaign labeled as such in 2023, continued to occur in 2024, and even in 2025 (SentinelOne research).
In these types of campaigns, attackers pose as interviewers looking to employ developers, the developers do an interview, and then will be asked to download a video conferencing app. In this scenario, the app contains malware. We have seen other variations of this, where the developer is expected to do some work on a sample software project. Unbeknownst to the developer, by working on that project, the developer ends up installing malware, which among other things, can steal credentials and tokens required to access their current employer’s source code.
Of course the developer can also be phished directly.
Their machine can be compromised through a variety of other means, among which is installing tools that contain malware (and we have seen many examples in open source and in closed source products as well). Infostealers will lead to the compromise of the session cookies for services such as GitHub.
Recently, malicious VSCode Extensions with millions of downloads were pulled from the marketplace due to them having malware. Machine Learning Models on HuggingFace were also found containing malware. These models are used directly by developers and data scientists.
Risk #2 - Insider Threat
Then there’s the insider threat factor; a developer (contractor or employed) with access to source, build, and potentially even runtime access may be malicious.In fact, in 2022 the FBI warned about North Korean state workers posing as other nationals, working in Russia, China, Southeast Asia, and Africa as remote workers to dozens of Fortune 100 companies.
A CISO recently told us that they hired people based on interview results in a different country, to do remote work, and learned later that other developers showed up to do the work.
Of course, your organization may have a more simple version of this - developers with access to source/IP may act with malicious intent for a variety of reasons (hacktivism, personal gain, etc). This happened in 2021 in the Crypto DeFi project SushiSwap, where a malicious commit by a contractor resulted in the theft of $3M from the chain for the personal benefit of the contractor. In another example, a developer working for Eaton corporation inserted malware into their production systems. In the event he was ever let go and his active directory account was terminated, the systems would lock up across the organization.
Protecting Your Software Factory
The reality is, your developers are not just contributors to risk; they are critical control points. Treating them as such—not just with technical safeguards but with trust, visibility, and education—may be one of your highest-leverage moves in reducing software supply chain exposure.
BUT, your developers aren't the only conduit of risk in your software factory. Grab a copy of "Securing The Software Factory" and continue cataloguing your software supply chain risks. Whether it’s guarding against highly-targeted phishing attacks on developers, mitigating insider threats, or ensuring the security of third-party tools and services, knowing the vulnerable points gives you a clearer line of sight into where to act—and why it matters to the business.
