NCSC Warns Of Rising Software Supply Chain Attacks Targeting Open-Source Packages

The UK’s National Cyber Security Centre (NCSC) is urging organizations to take a closer look at their software dependencies as supply chain attacks continue to rise. The agency highlights how attackers are increasingly exploiting trusted open‑source packages to spread malicious code across systems.

According to the NCSC, modern development relies heavily on third‑party and open‑source components. This creates complex dependency chains, where a single compromised package can impact many systems quickly. Automated processes (like CI/CD pipelines) and implicit trust in packages allow malicious code to spread rapidly without human review.

Additionally, incidents targeting ecosystems such as npm and PyPI demonstrate how attackers can infiltrate developer tools and distribute malware at scale. Attackers exploit several weaknesses in modern software development, including secure developer environments, complex and highly connected dependency networks, automated processes that install and run code without manual checks, and open publishing systems with limited verification.

Common attack methods used in these campaigns include hijacking legitimate maintainer accounts to inject malicious updates, taking control of abandoned or unmaintained packages, and publishing deceptive packages with similar names to trick developers (a tactic known as typosquatting). Moreover, attackers often reuse stolen credentials to expand their reach and compromise more packages through self‑propagation.

How to detect and prevent supply chain compromises?

To detect a potential compromise, organizations should take a proactive approach by regularly auditing their software dependencies and reviewing recent updates for anything unusual. Moreover, IT admins must monitor systems, networks, and development pipelines for suspicious activity, along with using dependency scanning tools to identify known vulnerabilities or malicious packages. They should also check for unauthorized access to developer accounts, tokens, or registries to detect early signs of an attack.

If a compromise is suspected, immediate steps should be taken to reduce risk. This includes pausing automatic updates that could introduce malicious code, manually reviewing new dependencies or version changes, and rotating any exposed credentials. It’s also important to enforce multi‑factor authentication for developer and registry accounts, as well as to rely on trusted or private package sources to further strengthen defenses against ongoing threats.

In the long term, organizations should focus on building stronger security practices within their development lifecycle. Moreover, maintaining a clear inventory of all dependencies, such as through a software bill of materials (SBOM), helps improve visibility and control. It’s also important to reduce unnecessary dependencies, manage updates carefully, secure development workflows and credentials, and follow established frameworks like the Software Security Code of Practice to minimize exposure and strengthen resilience against supply chain attacks.