You don't need a vulnerability in your own code to get breached. In the modern web, every site loads scripts from CDNs, installs packages from npm, and embeds third-party widgets. Each dependency is a trust relationship — and attackers have learned that compromising one popular package is more efficient than targeting thousands of individual sites.
The Magecart Playbook
The most visible supply chain attacks on the web have been Magecart-style compromises. The pattern is deceptively simple: compromise a widely-used third-party script, inject a credit card skimmer, and harvest payment data from every site that loads it.
In the British Airways breach, attackers modified a single script served from BA's own infrastructure. The skimmer captured payment form data and sent it to a lookalike domain. 380,000 transactions were compromised over two weeks. The fine was $230 million.
npm Package Compromises
The npm ecosystem's strength — a vast library of reusable packages — is also its greatest vulnerability. Attack vectors include:
- Maintainer account hijacking: An attacker gains access to a maintainer's npm account and publishes a malicious version. The
event-streamincident targeted a specific cryptocurrency wallet and went undetected for weeks. - Typosquatting: Packages with names like
lodahsorcross-env2that hope for a mistypednpm install. - Install scripts: Malicious
postinstallscripts that execute duringnpm install, before anyone reviews the code. - Dependency confusion: Publishing a public package with the same name as a company's internal package, relying on misconfigured package managers to pull the public version.
CDN Compromise: The Nuclear Option
When a CDN serving JavaScript libraries is compromised, the blast radius is measured in millions of sites. A single tampered jQuery file on a popular CDN affects every site loading it. This is why Subresource Integrity (SRI) exists — but adoption remains below 5% across the web.
Without SRI, you're trusting that every CDN between your server and your users' browsers will serve exactly the file you intended, every time, forever. That's a bold trust assumption.
The Detection Problem
Supply chain attacks are designed to be invisible. The compromised code runs in the user's browser, not on your server. Your application logs show nothing. Your monitoring tools see normal traffic. The malicious payload is often obfuscated, activates only on specific pages (like checkout), and exfiltrates data to domains that look legitimate.
Traditional security testing — penetration tests, code reviews, vulnerability scanning — focuses on your code. Supply chain attacks compromise someone else's code that you happen to trust.
Real-World Impact
The consequences extend beyond data theft. In 2024, a compromised analytics script was used to redirect users of a government website to a cryptocurrency scam. The site's CSP was permissive enough to allow the redirect, and the analytics provider's reputation meant nobody questioned the script's presence.
In another case, a compromised font provider injected a cryptominer into their stylesheet, consuming CPU on millions of devices. The extra load was subtle enough to avoid detection for months.
The Trust Chain You Can't Avoid
Modern web development requires third-party code. The solution isn't isolation — it's verification. Every external script, stylesheet, and package is a link in a trust chain. If any link is compromised, the entire chain fails. The challenge is knowing which links exist and whether they're still trustworthy.
ShieldReport evaluates your domain's external dependencies, checks for subresource integrity implementation, and identifies third-party scripts that could become supply chain attack vectors.