2025年度软件供应链安全态势分析报告
2025SoftwareSupplyChainSecuritySituationAnalysisReport 目录 摘要............................................................................................................................................1核心发现....................................................................................................................................3第一章研究背景与政策依据...................................................................................................51.1研究背景......................................................................................................................51.2政策法规依据..............................................................................................................51.2.1国内政策法规体系...........................................................................................51.2.2国际政策法规动态...........................................................................................7第二章软件供应链安全风险态势分析...................................................................................92.1全球软件供应链攻击态势..........................................................................................92.2开源生态安全风险分析............................................................................................112.3CI/CD管道安全风险分析........................................................................................132.4AI/ML供应链安全风险分析....................................................................................13第三章典型案例深度分析.....................................................................................................153.1Shai-Huludnpm蠕虫事件深度分析.......................................................................153.1.1事件背景.........................................................................................................153.1.2攻击手法分析.................................................................................................153.1.3攻击代码分析.................................................................................................163.1.4影响范围评估.................................................................................................183.2NPM史上最大规模供应链攻击事件分析..............................................................193.2.1事件背景.........................................................................................................193.2.2攻击手法分析.................................................................................................193.2.3攻击代码分析.................................................................................................193.2.4影响范围评估.................................................................................................213.3GitHubActions供应链攻击事件分析.....................................................................213.3.1事件背景.........................................................................................................22 不是需要更多的安全软件而是需要更安全的软件3.3.2攻击手法分析.................................................................................................223.3.3攻击代码分析.................................................................................................223.3.4影响范围评估.................................................................................................243.4其他重大供应链攻击事件........................................................................................243.4.1Bybit/SafeWallet供应链攻击事件.................................................................243.4.2s1ngularityNxnpm供应链攻击事件............................................................253.4.3DeepSeek仿冒恶意包事件...........................................................................263.5攻击技术演进趋势....................................................................................................283.5.1社会工程学攻击精细化与AI赋能.............................................................283.5.2代码混淆技术复杂化.....................................................................................293.5.3攻击目标多元化.............................................................................................293.5.4攻击工具自动化.............................................................................................30第四章软件供应链安全防护体系.........................................................................................314.1软件成分分析(SCA)技术.....................................................................................314.2软件物料清单(SBOM)管理..................................................................................314.3SLSA框架与供应链等级.........................................................................................324.4孝道科技解决方案....................................................................................................34第五章企业软件供应链安全建设路径.................................................................................395.1安全成熟度评估........................................................................................................395.2建设路线图................................................................................................................405.3投资回报分析...............................................