A capable attacker will target the most vulnerable part of a software system. In the past, that has meant application flaws, hardware bugs, or misconfigurations.
As the industry has evolved to detect and prevent these errors, attackers have moved to a newer target: your dependencies. Instead of attempting a complex attack directly against a target, attackers inject malicious code into popular packages that victims pull in as transitive dependencies. Without proper controls, victims quickly inherit that malicious code into their own software systems, which can lead to a total system compromise.
This talk dives into the problem of software supply chain security and presents some ideas for addressing the problem.