supply-chain-advisory


Overview

Supply chain attacks bypass traditional code review by compromising upstream dependencies. This skill provides patterns for detecting, preventing, and responding to compromised packages in Python ecosystems.

When To Use

  • After a supply chain advisory is published
  • When auditing dependencies for a new or existing project
  • During incident response for a suspected compromise
  • When adding the SessionStart hook to a project

When NOT To Use

  • General CVE triage unrelated to dependency supply chain
  • Application-level vulnerability scanning (use a SAST tool)
  • License compliance audits (different concern)

Installs: 23
GitHub Stars: 279
First Seen: Apr 13, 2026