The risk of compromised source code

Date: 2025-06-16

We have all been there: The chief information security officer is asking if you’re affected by the latest hack or zero-day vulnerability, and you have to scramble to figure out how to check every file, repository, and server.

These incidents pose a severe threat to the business and can significantly disrupt productivity across many teams. The Apache Struts attack in 2017 and the Log4j vulnerability in 2021 are prime examples. In another incident, the Polyfill.io supply chain attack of 2024, malicious actors obtained a domain used to host Polyfill source code. Polyfill.js is code used for backward compatibility, allowing older browsers to run code that contains modern JavaScript features. Because the attackers controlled what that domain served, they could deliver malicious source code dynamically into victims' browsers without their knowledge, and developers who embedded Polyfill from that content delivery network (CDN) unknowingly loaded the malicious code into their own sites.

This incident is an example of an emerging kind of threat that typical software composition analysis (SCA) or static application security testing (SAST) tools cannot detect, because nothing in the code you own or scan has changed. Instead, this is a novel kind of supply chain poisoning where a resource that was completely legitimate when it was adopted later stops being so.
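To turn the "check every file and repository" scramble into a repeatable check, here is an added example (not code from the original article) that audits HTML for third-party scripts loaded without Subresource Integrity and for references to a CDN domain you have decided to block; the domain and hash values in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample page: one third-party script with no SRI, one with SRI,
# one same-origin script. The host and hash below are placeholders, not IoCs.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-polyfill.test/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib@1.0.0/dist/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head></html>
"""

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')


@dataclass
class Finding:
    src: str
    has_integrity: bool   # True when the tag carries an integrity="..." attribute
    flagged_domain: bool  # True when the host matches a domain on the block list


def audit_scripts(html, blocked_domains=()):
    """Return one Finding per externally loaded <script>.

    A finding with has_integrity=False means the browser will run whatever
    the remote host serves today; flagged_domain=True means the host is one
    the organisation has decided to stop trusting (e.g. after a CDN takeover).
    """
    findings = []
    for tag in SCRIPT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        src = attrs.get("src")
        # Same-origin scripts ship through your own deploy pipeline; skip them.
        if not src or not src.startswith(("http://", "https://", "//")):
            continue
        host = re.sub(r"^(https?:)?//", "", src).split("/")[0].lower()
        blocked = any(host == d or host.endswith("." + d) for d in blocked_domains)
        findings.append(Finding(src, "integrity" in attrs, blocked))
    return findings


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, blocked_domains=("example-polyfill.test",)):
        print(f)
```

Note that SRI can only pin a script whose bytes never change; a service that generates a different bundle per browser (as Polyfill.io did) cannot be pinned this way, which is why such a dependency is better self-hosted or removed than merely hashed.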