Performing Supply Chain Attack Simulation
Overview
Software supply chain attacks exploit trust in package registries through typosquatting (registering names similar to popular packages), dependency confusion (publishing higher-version public packages matching private names), and compromised package distribution. This skill detects these attack vectors by computing Levenshtein distance between package names and popular PyPI packages, verifying package integrity via SHA-256 hash comparison, scanning for known CVEs with pip-audit, and testing dependency resolution order for confusion vulnerabilities.
Prerequisites
- Python 3.9+ with
pip-audit,Levenshtein,requests - Access to PyPI JSON API (https://pypi.org/pypi/{package}/json)
- Network access for package metadata retrieval
Key Detection Areas
- Typosquatting โ compare package names against top PyPI packages using edit distance thresholds
- Dependency confusion โ check if internal package names exist on public PyPI with higher version numbers
- Hash verification โ download packages and verify SHA-256 digests match published hashes
- Vulnerability scanning โ audit installed packages against OSV and PyPA advisory databases
- Metadata anomalies โ flag packages with suspicious author emails, missing homepages, or very recent first upload dates
Output
JSON report with risk scores per package, detected attack vectors, hash verification results, and CVE findings.
Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC8.1 (Change Management)
- ISO 27001: A.14.2 (Secure Development), A.14.1 (Security Requirements)
- NIST 800-53: SA-11 (Developer Testing), SI-10 (Input Validation), SC-18 (Mobile Code)
- OWASP LLM Top 10: LLM01 (Prompt Injection), LLM02 (Insecure Output)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add performing-supply-chain-attack-simulation
# Or load dynamically via MCP
grc.load_skill("performing-supply-chain-attack-simulation")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact โ successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.