Javlon Baxtiyorov
← Writing

The dependency is the attack surface now

By Javlon Baxtiyorov, Senior Software Engineer · · security, supply-chain, open-source, backend · 1 read

In 2026 the breach doesn't come through your code. It comes through the package you installed without reading. A backend engineer's note on supply-chain reality.

The dependency is the attack surface now
Photo by Haris Illahi on Unsplash

I spend most of my working life in the unglamorous backend — auth, sessions, payments. The thing that changed about that work in 2026 isn't the code I write. It's that the most likely way into a system I build is no longer a flaw in my code. It's a flaw — or a payload — in something I imported.

The numbers are not subtle

  • 65% of organizations reported a software supply-chain attack in the past year.
  • 66% of those attacks were malicious packages — built on purpose, shipped via typosquatting and social engineering, waiting for an install.
  • The 2026 OSSRA report found open-source vulnerabilities roughly doubling as AI-generated and AI-assisted code soared.
  • 97% of organizations now use open-source AI models in development. Far fewer can tell you which ones, where, or what they pulled in.

That last gap is the whole story. Adoption outran governance. We added a new, fast-moving class of dependency — models and their toolchains — without the visibility we barely had for ordinary packages.

What I actually do about it

None of this is solved by worrying. It's solved by treating dependencies as part of the attack surface, with the same discipline as input validation:

  • SBOMs as a build artifact, not a compliance afterthought. I want a list of everything in the image, generated on every build.
  • Continuous SCA over occasional audits. A dependency that was clean in January is a finding in June; the check has to run continuously or it's theater.
  • Exploit-aware prioritization. Most CVEs in a tree aren't reachable. The ones that are reachable and have a known exploit are the queue. Everything else is noise that burns trust.
  • Pin and verify. Lockfiles, hashes, and a hard look at any package whose name is one keystroke from a popular one.

Software Composition Analysis stopped being a developer nicety this year and became a supply-chain control. That's the right altitude for it. The boundary of the system I'm responsible for is no longer the edge of my repository — it's the edge of everything my repository trusts.

Sources: 2026 OSSRA Report (Black Duck), Open Source Security 2026: State of the Industry (Vulert), Top Open Source Vulnerabilities in 2026 (Mend).

← All writing Get in touch →