With our increasing reliance on third-party software, our supply chain has become very complex and comes with a large number of risks that have led to many high-profile supply chain attacks. Different breaches have different causes and involve multiple steps to execute a supply chain attack. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the views of a data-driven attacker, focusing on how an attacker would use and assess the publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack.

The Scorecard project auto-generates a “security score” for OSS projects with a list of security check metrics to verify baseline security standards and generate valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics in the npm and PyPI ecosystems to identify the security gaps and recommend practical automated security practices to practitioners.