Supply Chain Attacks Through Open Source Software: A Comprehensive Analysis of NPM, PyPI, and Docker Hub Vulnerabilities
Abstract
Open-source software ecosystems have become critical
infrastructure for modern software development, yet they
remain vulnerable to sophisticated supply chain attacks. This
paper presents a comprehensive empirical analysis of supply
chain attacks targeting npm, PyPI, and Docker Hub, examining
23 documented campaigns affecting over 2.6 billion weekly downloads.
Through systematic analysis of attack vectors including
typosquatting, dependency confusion, and maintainer account
compromise, we identify recurring patterns and structural vulnerabilities
across package registries. Our analysis reveals that
86.1% of detected typosquatted packages contained malware,
with cryptocurrency theft emerging as the predominant attack
objective. We document the September 2025 npm compromise
affecting 18 packages through phishing, the self-propagating
Shai-Hulud worm campaign, and persistent XZ Utils backdoor
propagation in Docker Hub images. We propose a multilayered
defense framework incorporating Software Bill of Materials
(SBOM) automation, behavioral package analysis, and enhanced
authentication mechanisms. Our findings demonstrate that current
registry security measures remain insufficient, with malicious
packages persisting for extended periods despite detection
capabilities.