Hidden Amplifiers: Cross-Level Risk in Software Supply Chains
摘要
Modern software supply chains comprise hundreds of transitive dependencies, yet existing analysis tools operate at either the ecosystem level (dependency graphs) or the code level (static analysis within packages). This separation creates two failure modes. First, false-positive CVE alerts for unreachable code. Second, blind spots for structurally critical micro-dependencies. We introduce cross-level risk propagation, a framework that bridges code-level risk metrics with ecosystem-level dependency exposure through a unified risk formula. Preliminary evaluation on 50 packages across npm and PyPI reveals a class of hidden amplifiers -- micro-dependencies with fewer than 50 methods but over 50,000 dependents -- that carry outsized supply-chain risk invisible to all current Software Composition Analysis (SCA) tools. Without cross-level analysis, such packages can harbor exploitable code for years because no current tool considers both internal code structure and ecosystem position simultaneously. These results suggest that cross-level analysis opens a new design space for supply-chain security.
引用
@article{arxiv.2607.05894,
title = {Hidden Amplifiers: Cross-Level Risk in Software Supply Chains},
author = {Rakesh Podder and Rafael Fabian Gonzalez Arellano and Indrajit Ray},
journal= {arXiv preprint arXiv:2607.05894},
year = {2026}
}
备注
In The 42nd International Conference on Software Maintenance and Evolution (ICSME 2026)