{"id":862,"date":"2025-05-09T22:39:27","date_gmt":"2025-05-10T03:39:27","guid":{"rendered":"https:\/\/stagefoursecurity.com\/blog\/?p=862"},"modified":"2025-05-09T22:42:05","modified_gmt":"2025-05-10T03:42:05","slug":"open-source-security-supply-chain-risk","status":"publish","type":"post","link":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/09\/open-source-security-supply-chain-risk\/","title":{"rendered":"Open Source Security Supply Chain Risk"},"content":{"rendered":"<article>\n<header>\n<h1>\ud83d\udce6 Beyond the Repo: How Open-Source Libraries Introduce Hidden Risk<\/h1>\n<p><em>By James K. Bishop, vCISO | Founder, <a href=\"https:\/\/stagefoursecurity.com\" target=\"_blank\" rel=\"noopener\">Stage Four Security<\/a><\/em><\/p>\n<\/header>\n<section><a href=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Supply-Chain-Open-Source.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignright wp-image-880\" src=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Supply-Chain-Open-Source-300x200.png\" alt=\"\" width=\"400\" height=\"267\" srcset=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Supply-Chain-Open-Source-300x200.png 300w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Supply-Chain-Open-Source-1024x683.png 1024w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Supply-Chain-Open-Source-768x512.png 768w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Supply-Chain-Open-Source.png 1536w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a>Today\u2019s applications are rarely written from scratch. Developers assemble them like Lego kits\u2014using open-source libraries, frameworks, and packages that speed up delivery. But each of those components is a potential vulnerability. 
And in many cases, you\u2019re trusting strangers on the internet with the keys to your kingdom. This post explores how attackers exploit open-source ecosystems, why traditional vulnerability scanning isn\u2019t enough, and how to build defensible practices into your dependency management process.<\/p>\n<\/section>\n<section>\n<h2>\ud83e\uddf1 The Dependency Stack: How Deep Does It Go?<\/h2>\n<ul>\n<li>The average application contains hundreds of open-source components\u2014and <strong>even more transitive dependencies<\/strong> (packages pulled in by other packages)<\/li>\n<li>Each dependency has its own versioning, authorship, and update cadence<\/li>\n<li>Most development teams don\u2019t know what\u2019s buried five levels deep in their dependency tree<\/li>\n<\/ul>\n<p>This opacity is the attacker\u2019s playground.<\/p>\n<\/section>\n<section>\n<h2>\ud83c\udfaf Why Attackers Target Open-Source Libraries<\/h2>\n<ul>\n<li><strong>High trust, low visibility:<\/strong> Most teams blindly trust their package manager (npm, PyPI, RubyGems, Maven)<\/li>\n<li><strong>Massive reach:<\/strong> A single malicious or compromised library can infect thousands of downstream apps<\/li>\n<li><strong>Soft governance:<\/strong> Many packages are maintained by solo developers without formal security processes<\/li>\n<\/ul>\n<p>Attacks like <strong>event-stream<\/strong>, <strong>ua-parser-js<\/strong>, and <strong>colors.js<\/strong> have shown just how easy it is to introduce malicious code into the global software supply chain.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udd13 Common Exploitation Methods<\/h2>\n<ul>\n<li><strong>Typosquatting:<\/strong> Uploading malicious packages with names similar to popular ones (e.g., a name one character off from <code>requests<\/code>)<\/li>\n<li><strong>Repo takeovers:<\/strong> Abandoned libraries are claimed by new maintainers with malicious intent<\/li>\n<li><strong>Credential compromise:<\/strong> Maintainer accounts get phished or hijacked, pushing malicious versions<\/li>\n<li><strong>Pre\/post-install scripts:<\/strong> Malicious code runs during package installation\u2014often outside scanner visibility<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>\ud83d\udee0\ufe0f Defending Against Open-Source Supply Chain Risk<\/h2>\n<ul>\n<li><strong>Use SCA tools:<\/strong> Software composition analysis (SCA) tools like Snyk, GitHub Dependabot, OSS Review Toolkit, and OWASP Dependency-Check can alert you to known vulnerabilities<\/li>\n<li><strong>Pin dependency versions:<\/strong> Avoid accidental upgrades by locking package versions explicitly<\/li>\n<li><strong>Verify package sources:<\/strong> Favor well-maintained libraries with clear ownership and update history<\/li>\n<li><strong>Audit before adoption:<\/strong> Review new packages\u2014especially small or unknown ones\u2014before introducing them into critical projects<\/li>\n<li><strong>Monitor post-install behavior:<\/strong> Be wary of packages with unexpected network or file system access during install<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>\ud83d\udce6 What About Software Bills of Materials (SBOMs)?<\/h2>\n<p>SBOMs are like ingredient labels for your software\u2014they list every component, version, and dependency. SBOMs help with:<\/p>\n<ul>\n<li>\ud83d\udccb Tracking and accountability<\/li>\n<li>\u26a0\ufe0f Fast response during vulnerability disclosures (e.g., Log4Shell)<\/li>\n<li>\ud83d\udd0d Auditing and risk scoring<\/li>\n<\/ul>\n<p>They don\u2019t solve the problem\u2014but they make it visible.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce3 Final Thought<\/h2>\n<p>You can\u2019t secure what you don\u2019t know you\u2019re using. Open source is essential\u2014but it\u2019s not free of risk. 
Treat every dependency as code you didn\u2019t write but still own. Because when that code gets compromised, it\u2019s your users\u2014and your business\u2014that suffer the consequences.<\/p>\n<p><strong>Need help auditing your open-source stack or building a secure dependency workflow?<\/strong> <a href=\"https:\/\/stagefoursecurity.com\/blog\/partner-with-stage-four-security\/\" target=\"_blank\" rel=\"noopener\">Let\u2019s talk<\/a>.<\/p>\n<\/section>\n<\/article>\n","protected":false}}