Stockholm university
Department of Computer and Systems Sciences

Reused code may be the source of cyber attacks

The code in your modern software is not new. To a large extent, it’s been reused from older software. The problem with this? You might be the victim of a software supply chain attack.

DSV researcher Nicolas Harrand talked about software supply chain attacks at Tech Tuesday.
Nicolas Harrand, DSV, was the speaker at Tech Tuesday in October 2025. Photo: Åse Karlén.

On October 14, 2025, the Department of Computer and Systems Sciences hosted a Tech Tuesday seminar for the tech community in Kista. Senior lecturer Nicolas Harrand was the speaker, sharing interesting insights from his research on cyber security.

What are software supply chain attacks? Why do they happen? And can we protect ourselves from attackers? Harrand delivered a crash course during the seminar.

“Software applications are both simple and complex – at the same time”, he said.

Lots of code is needed to write a program. And even though most of it is very simple, you still need huge amounts of it. Writing it from scratch would be a waste of time, hence it makes sense to reuse code that already exists.

“As developers, we are lazy. We don’t want to write long series of instructions, and that’s why we automate as much as possible. We reuse old pieces of code that do the job.”

“Modern software applications reuse both whole components and libraries. Reuse is so widespread that the majority of an application’s code is not written by its developers”, explained Nicolas Harrand.

The majority of an application’s code is not written by its developers

To give an example, he showed a video conference system with five components. Three of the components were developed by the company, and two were reused.

Nicolas Harrand also brought up Minecraft.

“In fact, only 15 percent of Minecraft’s code is written by the developers”, he said.

When comparing the libraries used by the video conference system to the libraries used by Minecraft, he found that 18 percent are shared by these two projects. This is quite a surprise – at first glance the two companies seem to be very different.

DSV researcher Nicolas Harrand shows that two different companies can share a lot of their code.
Two very different companies can still share a lot of their code, explained Nicolas Harrand. Photo: Åse Karlén.

But this sharing of code also comes with a risk.

In so-called software supply chains, many people are involved providing infrastructure, tools and reusable components. They don’t know each other, they are often not part of the same organisation, and they may not even be aware of each other. Still, they trust the free code that others have written. And attackers take advantage of this.

“A software supply chain attack reaches its targets indirectly by compromising an element – a tool or a component – of its supply chain.”

The attacker does not have to be very aggressive to cause great harm.

“By creating malware that is reusable to others, they attack indirectly”, said Harrand.

A recent example from September 2025 is the Shai Hulud worm. In a large-scale phishing campaign targeting developers, some developers were not alert and fell for the scam. The worm was uploaded, packages were infected and credentials stolen.

“Everyone who downloaded the library was affected by the worm which reproduced itself. This is what can happen when software is reused.”

“Unfortunately, there is no silver bullet that will protect you from this vast series of attacks”, concluded Nicolas Harrand.

There is no silver bullet that will protect you

According to him, the best defense strategy is three-folded: 1. React. 2. Detect. 3. Isolate. And there are patterns that can be associated with malicious attacks.

“Keeping track of everything you see is key. But that’s easy for me to say – and hard to do in practice. I’m not aware of any universal defence techniques that work all the time”, said Harrand.

This article is also available in Swedish

 

About the event

Tech Tuesday is a monthly networking and knowledge-sharing event for the tech community in Kista. It is organised by Kista Science City.

Portrait photo of Nicolas Harrand, senior lecturer at DSV.
Nicolas Harrand, DSV. Photo: Private.

On October 14, 2025, the Department of Computer and Systems Sciences (DSV) at Stockholm University was the host of the event.

Almost 60 participants from big tech companies, small startups, academic institutions and public agencies attended the seminar.

Senior lecturer Nicolas Harrand, DSV, was the speaker. The topic was “Software Supply Chain Attacks”.

Curious to learn more about software supply chain attacks?
Contact Nicolas Harrand

More information on DSV’s research in the cyber security area

Text: Åse Karlén

Theme
Digitalization and AI - Theme page
Research subject
Cyber Security

Last updated: October 15, 2025

Source: Department of Computer and Systems Sciences, DSV

eventNewsArticle

standard-article

false

{
  "dimensions": [
    {
      "id": "department.categorydimension.subject",
      "name": "Global categories",
      "enumerable": true,
      "entities": [],
      "localizations": {}
    },
    {
      "id": "department.categorydimension.tag.Keywords",
      "name": "Keywords",
      "enumerable": false,
      "entities": [],
      "localizations": {}
    },
    {
      "id": "department.categorydimension.tag.Person",
      "name": "Person",
      "enumerable": false,
      "entities": [],
      "localizations": {}
    },
    {
      "id": "department.categorydimension.tag.Tag",
      "name": "Tag",
      "enumerable": false,
      "entities": [],
      "localizations": {}
    },
    {
      "id": "webb2021.categorydimension.Category",
      "name": "News Category (Webb 2021)",
      "enumerable": true,
      "entities": [
        {
          "id": "webb2021.categorydimension.Category.research.news",
          "name": "Research",
          "entities": [],
          "attributes": [],
          "childrenOmitted": false,
          "localizations": {}
        }
      ],
      "localizations": {}
    },
    {
      "id": "webb2021.categorydimension.Label",
      "name": "Etiketter (Webb 2021)",
      "enumerable": true,
      "entities": [],
      "localizations": {}
    },
    {
      "id": "webb2021.categorydimension.Label.en",
      "name": "Labels (Webb 2021)",
      "enumerable": true,
      "entities": [
        {
          "id": "webb2021.categorydimension.Label.en.CompSci",
          "name": "Digitalization and AI",
          "entities": [],
          "attributes": [],
          "childrenOmitted": false,
          "localizations": {}
        }
      ],
      "localizations": {}
    },
    {
      "id": "webb2021.categorydimension.Keyword",
      "name": "Keywords (Webb 2021)",
      "enumerable": false,
      "entities": [],
      "localizations": {}
    },
    {
      "id": "DSV.eng.lokala.kat",
      "name": "Lokala kategorier DSV eng",
      "enumerable": true,
      "entities": [
        {
          "id": "DSV.eng.lokala.kat.nyh",
          "name": "Local news",
          "entities": [
            {
              "id": "DSV.eng.lokala.kat.nyh.fo",
              "name": "Research",
              "entities": [],
              "attributes": [],
              "childrenOmitted": false,
              "localizations": {}
            }
          ],
          "attributes": [],
          "childrenOmitted": false,
          "localizations": {}
        },
        {
          "id": "DSV.eng.lokala.kat.nyh",
          "name": "Local news",
          "entities": [
            {
              "id": "DSV.eng.lokala.kat.nyh.om",
              "name": "About the department",
              "entities": [],
              "attributes": [],
              "childrenOmitted": false,
              "localizations": {}
            }
          ],
          "attributes": [],
          "childrenOmitted": false,
          "localizations": {}
        }
      ],
      "localizations": {}
    }
  ]
}