This report summarizes the key takeaways from the S3C2 Summit 2025-09, a gathering of industry practitioners focused on identifying best practices and challenges in securing modern software supply chains.
Today's digital ecosystem relies heavily on software supply chains, which enable developers to reuse code and ship software at scale. However, a single vulnerable component can jeopardize the entire supply chain. In recent years, attacks on software supply chains have become increasingly common. These attacks can disrupt critical systems and put organizations, including major software companies, government agencies, and open-source contributors, at risk. This growing threat has led to increased attention from both the software industry and the U.S. government toward strengthening software supply chain security. On September 15, 2025, three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) convened a Secure Software Supply Chain Summit, bringing together 10 practitioners from 8 organizations across diverse domains. The goals of the Summit were threefold: (1) to facilitate cross-industry sharing of practical experiences and challenges in securing software supply chains; (2) to foster new collaborations among participants; and (3) to identify pressing challenges to guide future research directions. The Summit featured discussions on six central topics: vulnerable dependencies, component and container choice, malicious commits, build infrastructure, culture, and the role of LLMs in the supply chain. For each topic, participants engaged with a curated set of discussion questions designed to gather insights and pain points. This report summarizes the key takeaways from these discussions. Each section highlights which topics continued from previous summits and which ideas emerged for the first time at this summit; the full list of initial discussion prompts is provided in the appendix.
Software Supply Chain Smells: Lightweight Analysis for Secure Dependency Management
The paper introduces 'software supply chain smells,' structural indicators of se…
SynthChain: A Synthetic Benchmark and Forensic Analysis of Advanced and Stealthy Software Supply Cha…
The paper introduces SynthChain, a comprehensive, multi-source synthetic testbed…
Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of…
The paper proposes a graph-learning approach to predict multi-vulnerability atta…
ChainGuards: Verification of Sensed Data using Permissioned Blockchain Technology
ChainGuards is a decentralized system that uses product-specific rules and block…
Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems
The paper introduces Document-Driven Implicit Payload Execution (DDIPE) to demon…
Security Concerns in Generative AI Coding Assistants: Insights from Online Discussions on GitHub Cop…
This paper analyzes online developer discussions to identify four major security…
Operationalising Artificial Intelligence Bills of Materials (AIBOMs) for Verifiable AI Provenance an…
The paper introduces the Artificial Intelligence Bill of Materials (AIBOM) schem…
Multi-target Coverage-based Greybox Fuzzing
The paper proposes MTCFuzz, a multi-target coverage-based greybox fuzzer, to dee…