The Trojan Horse in Your Dependency Chain

June 23, 2026

Security teams continue to focus on vulnerabilities while attackers increasingly focus on trust.

Chart Insight: 7.2% of components carried provenance risk. These packages were either impossible to verify or exhibited indicators of tampering, manipulation, or questionable origin.

Attacks like Shai-Hulud demonstrate a fundamental shift in software supply chain risk. The next major breach may not begin with a zero-day vulnerability. It may begin with a trusted dependency that was never verified in the first place.

Recent campaigns have shown how attackers can compromise trusted open-source packages, steal developer and CI/CD credentials from the machines that install them, and use those credentials to spread deeper into cloud and build environments.

Lineaje believes the industry is asking the wrong question. Most organizations know which software they consume. Far fewer know whether they can trust it. The original Trojan Horse was not dangerous because it did not look threatening. It was dangerous because it looked trustworthy. Modern software supply chain attacks work the same way.

What We Found

We analyzed the integrity of open-source components and found that 7.2% (roughly one in fourteen) carried trust-related risk indicators that traditional security tooling does not measure.

2.6% were Unknown

For these components, no verifiable source could be established. We could not confidently determine where they originated, who maintains them, or whether the software being shipped is connected to a legitimate project.

4.6% were of Dubious Origin

These packages failed integrity validation. Package metadata, source code, or published references did not align with what the dependency claimed to be, indicating potential tampering or manipulation before the package entered the software supply chain.

Together, these represent software that organizations may trust but cannot verify.
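The two categories above correspond to two different checks: a package is of Dubious Origin when the artifact you actually install contradicts what the lockfile or its own manifest claims, and Unknown when nothing in its published metadata points at a verifiable source. As an added example (not Lineaje's tooling and not code from the original post), the following Python script applies both checks to a constructed inventory. The package names, repository URLs and tarballs are all made up for the demo; the lockfile format is npm-style SRI (`sha512-<base64>`), and the tarball layout (`package/package.json`) is the npm convention.

```python
"""Classify dependencies as verified / unknown / dubious by provenance checks.

Added example, not Lineaje's product code. All package data below is constructed.
"""
import base64
import hashlib
import io
import json
import tarfile
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

VERIFIED, UNKNOWN, DUBIOUS = "verified", "unknown", "dubious"


@dataclass
class Component:
    name: str
    version: str
    lockfile_integrity: str            # SRI string pinned in the lockfile, e.g. "sha512-..."
    registry_repository: Optional[str]  # "repository" URL from registry metadata, if any
    artifact: bytes                    # the tarball that would actually be installed


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Compute an SRI-style digest ("<algo>-<base64>") over artifact bytes."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def build_tarball(name: str, version: str, extra_files: Optional[dict] = None) -> bytes:
    """Construct a minimal npm-style tarball (package/package.json [+ extras]) for the demo."""
    files = {"package/package.json": json.dumps({"name": name, "version": version}).encode()}
    files.update(extra_files or {})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:  # uncompressed: deterministic bytes
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def manifest_from_tarball(artifact: bytes) -> dict:
    """Read the manifest the artifact itself carries."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r") as tar:
        return json.loads(tar.extractfile("package/package.json").read())


def classify(c: Component) -> Tuple[str, List[str]]:
    """Return (label, reasons). Integrity failures win over missing provenance."""
    reasons = []
    # Check 1: does the shipped artifact match the hash the lockfile pinned?
    algo = c.lockfile_integrity.split("-", 1)[0]
    if sri_digest(c.artifact, algo) != c.lockfile_integrity:
        reasons.append("artifact hash does not match lockfile integrity")
    # Check 2: does the manifest inside the artifact claim the same identity?
    try:
        manifest = manifest_from_tarball(c.artifact)
        if (manifest.get("name"), manifest.get("version")) != (c.name, c.version):
            reasons.append("manifest inside artifact differs from claimed name/version")
    except (tarfile.TarError, KeyError, ValueError):
        reasons.append("artifact is not a readable package tarball")
    if reasons:
        return DUBIOUS, reasons
    # Check 3: is there any verifiable source to point at?
    parsed = urlparse((c.registry_repository or "").strip())
    if parsed.scheme not in ("https", "git+https") or not parsed.netloc:
        return UNKNOWN, ["no verifiable source repository in registry metadata"]
    return VERIFIED, []


def sample_inventory() -> List[Component]:
    """Constructed sample: one clean package, one with no source, one tampered in transit."""
    good = build_tarball("left-pad-ish", "1.0.0")
    orphan = build_tarball("mystery-utils", "0.3.1")
    original = build_tarball("colors-ish", "2.1.0")
    # Same name/version, but a hook was added after the lockfile hash was recorded.
    tampered = build_tarball("colors-ish", "2.1.0",
                             {"package/postinstall.js": b"/* constructed: steals CI tokens */"})
    return [
        Component("left-pad-ish", "1.0.0", sri_digest(good),
                  "https://github.com/example/left-pad-ish", good),
        Component("mystery-utils", "0.3.1", sri_digest(orphan), None, orphan),
        Component("colors-ish", "2.1.0", sri_digest(original),
                  "https://github.com/example/colors-ish", tampered),
    ]


def provenance_report(components: List[Component]) -> dict:
    """Map each component name to its label, as a report or policy gate would consume it."""
    return {c.name: classify(c)[0] for c in components}


if __name__ == "__main__":
    for comp in sample_inventory():
        label, why = classify(comp)
        print(f"{comp.name}@{comp.version}: {label} {why}")
```

Note what the third check does not do: a repository URL that parses is the weakest possible notion of "verifiable source", and a real pipeline would go on to fetch that repository and compare the tag's tree against the tarball contents. The first two checks are the ones a vulnerability scanner never performs, and the tampered package here has no CVE at all; it would pass a scan and appear in an SBOM exactly as the text describes.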

The Industry Is Measuring the Wrong Thing

Most software supply chain programs are designed to answer:

"What is in my software?"

Far fewer are designed to answer:

"Can I trust it?"

Inventory, SBOMs, and vulnerability scanners provide visibility. Integrity establishes trust. Attackers understand the difference. That is why modern software supply chain attacks increasingly target the trust relationship between organizations and the software they consume.

A dependency can pass vulnerability scans, appear in your SBOM, and satisfy policy requirements while still serving as an entry point for attackers, because the package is not vulnerable.

The package is the attack.

Key Takeaway

The software supply chain does not fail because organizations lack visibility.

It fails because organizations assume trust.

Every dependency enters your environment with privileges.

Every package inherits trust.

And every dependency that has not been verified should be treated as a Trojan Horse until proven otherwise.