
Technology thesis · Cybersecurity

high conviction growth

Software supply chain security

Self-replicating npm/PyPI worms have turned package registries into an active attack surface; the EU Cyber Resilience Act, not the now-risk-based US mandate, is the demand driver through 2027.

Position maintained continuously · last reviewed Jun 24, 2026

The thesis

Core thesis

Modern software depends on hundreds of open-source packages, each a potential attack vector. The xz-utils backdoor (2024) showed that a single compromised maintainer can affect millions of systems, and the self-replicating Shai-Hulud npm worms (2025–2026) showed that such attacks now spread autonomously through stolen maintainer tokens. After the US retreated to a risk-based posture – OMB rescinded the M-22-18 SBOM attestation mandate in early 2026 – the regulatory driver shifted to the EU Cyber Resilience Act. Snyk, Sonatype and Chainguard provide supply chain security tooling. The fundamental problem: open-source software is maintained by volunteers but depended on by corporations.

State of the art (2026)

Software supply chain security has shifted from compliance theatre to active incident response. The Shai-Hulud npm worm – first detected September 2025, then Shai-Hulud 2.0 backdooring 796 packages that November, and a cross-registry Mini Shai-Hulud hitting npm and PyPI in May 2026 – proved self-replicating package attacks now scale autonomously through stolen maintainer tokens. The US has retreated to a risk-based, agency-led posture after OMB rescinded the M-22-18 SBOM attestation mandate in January 2026; the regulatory centre of gravity has moved to the EU Cyber Resilience Act, whose reporting duties bite from 11 September 2026 and full SBOM obligations from December 2027. Chainguard (3.5bn valuation), Snyk, Socket and Endor Labs lead the commercial response.

The rest of the file

Everything below is live inside CanaryIQ

The full analysis behind the verdict — the structure is real; the content unlocks when you log in.

Signal stack

Evidence stacked leading → lagging

9 signals
talent
research
patent
expert
operational
regulatory
market

Technology-native KPIs

Metrics that predict trajectory, tracked over time

4 tracked
Critical CVEs in open-source dependencies
SBOM adoption rate in enterprises
Software supply chain attacks
Supply chain security market size

Landscape map

Who builds what — and who depends on whom

99 players · 6 layers

Catalyst calendar

Dated events that will move the position

4 ahead

Technology roadmap

Milestones on the path to maturity

8 milestones

Watchlists

Companies, people and papers — each with a remove-by condition

Companies · 20
People · 20

Decision frameworks

The same call, framed for your desk

Public Equity
PE / VC
Corporate Leader

Thesis changelog

When our view changed, and why

5 updates

Change our mind

2 disconfirming conditions

The rest is inside

You've read the verdict. The file is much deeper.

The full signal stack, technology-native KPIs tracked over time, the landscape of who depends on whom, the dated catalyst calendar, decision frameworks for every desk, live watchlists and the changelog of every time our call on Software supply chain security has changed — all live inside CanaryIQ.