← back to blog
Supply Chain

Your Vendor's Sloppy Code Is Your Breach

0x3 Security and Socket — supply chain attacks are already inside your stack

Here's the uncomfortable truth most SMB owners never get told: when you hire a web shop, a portal builder, or an "AI guy" to stand up your infrastructure, you don't just inherit their work — you inherit every package they pulled off the internet to ship it fast. Right now, that's exactly where the attackers are camped.

The attack surface moved — and nobody told the SMBs

Modern apps aren't written; they're assembled. A typical project drags in hundreds of open-source dependencies, most written by strangers, most never reviewed by the developer who installed them. The bad guys figured this out — instead of breaking down your front door, they poison a brick three suppliers upstream and let your own build pipeline carry it inside.

This isn't theoretical. For the first time in the report's history, Black Duck's 2026 OSSRA found the mean number of open-source vulnerabilities per codebase more than doubled — up 107% to an average of 581 per codebase. 87% of audited codebases contained at least one vulnerability, and 44% contained critical-risk issues.

"We use AI to build it faster" is the new risk multiplier

That portal dev or agency telling you they ship fast because they "use AI"? Read that as: code is entering your stack faster than anyone is checking it. The kicker from the same OSSRA report: 17% of open-source components now enter codebases outside standard package managers — via copy-pasted snippets, vendor inclusions, or AI generation — making them invisible to traditional manifest-based scanning. Speed without scrutiny is how the junk gets in. Your vendor looks productive; you own the breach.

This is happening to the tools the pros trust

If you think this only hits sloppy operators, look at who got hit recently:

  • Checkmarx (March 2026) — attackers trojanized a security vendor's own tooling; analysis showed a bundled KICS binary modified to add data collection and exfiltration not present in the legitimate version. A security company's supply chain, weaponized against its own customers.
  • Axios (March 2026) — malware injected into specific versions of one of the most widely used web-development libraries on npm, putting millions of apps at risk, including crypto platforms.
  • SAP CAP / TeamPCP (April 2026) — compromised npm packages tied to SAP's JavaScript and cloud ecosystem, caught downloading and executing unverified binaries inside developer and CI/CD environments.

These are the good vendors. Now picture the freelance shop that built your customer portal for a flat fee and hasn't logged in since.

Why this lands hardest on SMBs

Enterprises have an application-security team whose whole job is watching this. You have an owner, an office manager, and a vendor who's already moved on. There's no one between a malicious dependency and your customer data — and that gap is exactly what attackers are pricing in.

Where 0x3 Security comes in

We're not a generalist MSP that resets passwords and calls it security. Supply-chain risk is the actual fight right now, and we treat it like one — sitting between your vendors' code and your business, watching the dependencies they pull, the AI-generated code they ship, and the third-party pieces nobody else checks.

Part of how: Socket.dev. Most tools wait for a vulnerability to get a public CVE — which means you find out after it's known, often after it's in your stack. Socket flips that, analyzing a package's actual behavior (network access, filesystem operations, shell execution, obfuscated code) to catch supply-chain attacks before any CVE is published. It blocks malicious installs at the registry level and surfaces only the vulnerabilities that are actually reachable, cutting a large share of irrelevant alerts. Socket recently raised $60 million at a $1 billion valuation to extend that protection across developer and AI ecosystems — browser extensions, editor plug-ins, MCP servers, and AI skills marketplaces. Its customers include Vercel, Replit, Cursor, and Figma. When the companies building the internet's plumbing pick a tool to guard their dependencies, an SMB shouldn't be running anything less.

Bottom line

You can't audit every line your vendors write. You can refuse to fly blind on what they import. The breach that takes down an SMB in 2026 won't come through the firewall — it'll come pre-installed, signed off by a vendor who didn't have the skills to check. That's the gap we close.

Want to know what's actually living inside your portals and apps? We sit between your vendors' code and your business — watching the dependencies, AI-generated code, and third-party pieces nobody else checks.

References & further reading

  1. Black Duck — 2026 OSSRA Report: Open Source Vulnerabilities Double as AI Soars.
  2. The Register — Ongoing supply-chain attack targets security and dev tools (Checkmarx/KICS).
  3. Socket.dev — SAP CAP / TeamPCP npm supply-chain attack analysis (April 2026).
  4. BankInfoSecurity — Socket Raises $60M for Wider Software Supply-Chain Defense.
$ ./read_next
Threat Intel

The “Macs Don't Get Viruses” Era Is Over

Macs aren't a security feature anymore — they're just endpoints, and malware authors figured that out first. Inside SHub Reaper, and what SMBs with Macs need to do now.