Supply chain, DevSecOps

ENISA advisory outlines secure use of third-party software packages

Supply chain vulnerability being exploited through a cyber attack on text code in an editor.

The European Union Agency for Cybersecurity (ENISA) has released its inaugural Technical Advisory on the secure use of package managers, offering guidance to developers on safely integrating third-party code into their projects. This advisory, developed with input from 15 stakeholders, experts, and the open-source community, addresses common risks associated with software supply chains, as reported by Security Affairs.

Modern software development heavily relies on package managers like npm and pip for code reuse and efficiency. However, this reliance introduces significant supply chain risks, as demonstrated by attacks in 2025. The advisory details common threats, including inherent code vulnerabilities and malicious package injections, and provides best practices for selecting, integrating, and monitoring third-party packages. It emphasizes verifying package provenance, scanning for known vulnerabilities, minimizing dependencies, and implementing robust checks within CI/CD pipelines. The guidance, while using npm and GitHub as examples, is applicable across various package manager ecosystems.

The advisory underscores the critical need for developers to adopt risk-aware decision-making when managing third-party dependencies. As the software supply chain landscape evolves, organizations must treat security as an ongoing activity, regularly reviewing and updating their practices.

Source: Security Affairs

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds