NCSC urges firms to tighten supply-chain security
The NCSC warned organizations to review dependencies after rising attacks on software packages, citing maintainer account compromises, expired-domain takeovers, typosquatting and CI/CD abuse.
The National Cyber Security Centre (NCSC) warned organizations to review and strengthen supply-chain security after a rise in attacks on software packages in recent incidents.
Attackers have stolen maintainer credentials or tokens to push malicious updates, taken over expired domains tied to package maintainers, transferred ownership of legitimate packages, and published lookalike packages that rely on typosquatting. Stolen credentials have been reused to access and modify additional packages downstream.
The agency highlighted risks in modern development practices. Languages such as Node.js, Python and Rust have small standard libraries, which increases reliance on third-party packages. Many dependencies are fetched automatically by continuous integration and continuous delivery (CI/CD) pipelines without human checks, and some package ecosystems allow scripts to run during installation.
Developer environments are often less tightly controlled than corporate devices. Shared code repositories, developer keys and registry accounts are common targets. Open publishing models and uneven security controls among registry providers increase exposure for both maintainers and consumers.
To reduce risk the NCSC recommended pausing automatic dependency updates where compromise may be suspected and requiring manual review and approval for new updates, dependencies or versions. The agency advised rotating exposed credentials, enforcing multi-factor authentication for developer and registry accounts, using private or trusted registries where appropriate, and ensuring deployments occur through controlled CI/CD pipelines rather than directly from developer machines.
The guidance added that sensitive credentials should be stored securely, not left on developer workstations, and that teams should consult the Software Security Code of Practice when deciding how to adopt and update dependencies. It recommended balancing rapid patching with careful review of dependency changes to limit the potential impact of a compromise.
The guidance warned that automation, trust and scale can allow malicious code introduced into one package to spread rapidly across many organizations and services before detection.
While the agency highlighted Node.js, Python and Rust as especially exposed because of their modular ecosystems, it said other languages, tools and package repositories are also at risk.
Articles by this author
