SalesTech Star

Client-Side Supply Chain Attacks and What They Mean for Business

By Vitaliy Lim, Co-founder and CTO, Feroot Security

Most websites are not built; they are assembled using a variety of scripts from several sources to save time and bring businesses online faster. But the scripts and code that are the building blocks of websites and e-commerce often contain vulnerabilities and can become compromised at the source.

Code can be compromised either intentionally or unintentionally – coding can be a long and arduous task with errors being commonplace. However, the compromises caused by a threat actor are obviously deliberate – some malicious scripts are designed to gather valuable PII, login credentials, or financial information from data inputted into online forms.

Regardless of how a business is compromised, the business must protect both the safety of its customers’ sensitive data and its reputation by detecting vulnerabilities and preventing cyberattacks.

Client-side software supply chain attacks occur several different ways: a hacker injects malicious code into open-source libraries or repositories which is then pulled and assembled into web applications or a hacker seeks out known vulnerabilities within third-party code and takes advantage of these vulnerabilities. Software supply chain attacks can happen to organizations of any size and across every industry. While this is no new phenomenon, client-side supply chain attacks have increased in both frequency and scale.

Often with client-side software supply chain attacks, the business may not know they’ve been compromised until their customers are victimized through payment card fraud or identity theft. Because JavaScript is so prevalent -– used by 98% of websites worldwide -– any business using JavaScript is at risk. This makes a client-side software supply chain attack one of the most common and dangerous types of cyberattacks facing businesses today.

JavaScript is often the weakest link when it comes to client-side software supply chain attacks. Because JavaScript is fairly easy to learn, developers and marketers love to make use of it. Most web applications were designed in JavaScript, but because JavaScript lacks security features, exploitation is easy.

Notably, with client-side software supply chain attacks, there is really nothing novel or sophisticated about many of these attacks. While some attackers may obfuscate their malicious code, most are merely taking advantage of existing code vulnerabilities added to web applications.

Read More: SalesTechStar Interview with Ryan Cush, Chief Revenue Officer at

The damage caused by a client-side supply chain attack, especially when critical systems are involved, can impact the core of operations right down to individual customers using the website. Experiences can range from major operational delays, regulatory and compliance fines, and loss of customers to a full blown PR crisis where the reputation of a company and its trust are at stake.

Prevention is key to protecting a business from client-side software supply chain attacks. Web developers can use software best practices, which include thorough knowledge of web assets and the data they store, utilizing automation to continuously monitor and guard against threats, scanning and monitoring for breeches, code vulnerabilities and potential threats through automated tools, and running updates and performing patches as they become available.

For security teams, prevention includes identifying and auditing web assets, using automated monitoring and detection with your web application, the application of Subresource Integrity (SRI), enabling policies and restrictions, and using an automated content security policy solution to help better manage policy violations.

Having a plan in place for mitigation in the event of a cyberattack is imperative to minimizing damage and returning to normal operations as quickly as possible. Software supply chain attacks are ever growing in frequency and sophistication, but so are the tools to identify and stop cyberattacks in their tracks. In a world that is increasingly dependent on virtual communication and interactions, it is worthwhile to adopt powerful approaches to client-side security and remain aware of the latest cyber threats.

Read More: Pax8 Acquires New Zealand Cloud Company Umbrellar