Abstract

Modern software heavily relies on Open Source Software (OSS) libraries and dependencies, creating complex digital supply chains. However, this reliance introduces significant vulnerabilities. The Dependency Paradox occurs when the integration of trusted components unknowingly exposes an application to malicious code introduced further up the supply chain. This study critically analyzes the landscape of OSS supply chain attacks, developing a taxonomy of threats based on high-profile incidents (e.g., SolarWinds, XZ Utils, Log4j). We categorize attack vectors into code contribution manipulation, dependency confusion, repository hijacking, and typosquatting. The findings emphasize that implicit trust in OSS components is no longer viable. A paradigm shift toward explicit verification is required, demanding the implementation of Software Bills of Materials (SBOMs), automated vulnerability scanning, and provenance tracking to secure the modern software ecosystem.

Poster

Authors: Joshua Berkoh; Abigail Dogbe
