Contrast customers get certainty in moments when everyone else is guessing. When a code dependency supply-chain attack hits, they do not waste hours asking if they might be exposed. They know immediately whether their applications are running compromised code, and they can act with confidence.
That clarity mattered in the recent qix NPM supply-chain attack, which is the latest reminder that attackers do not need to find new ways to attack you when they can poison the code you already trust.
The majority of teams are still in the dark about their exposure. This is because traditional SCA tools have a major blind spot: they only scan your code and manifest files. While they can identify what could be risky, they can't tell you what was actually executed, leaving a critical gap in your security analysis.
At Contrast, we were able to respond immediately to the npm hijacking news. Thanks to our Application Detection and Response (ADR) tool, we knew exactly which packages were running inside our applications. When the npm hijack occurred, we didn't waste time wondering, "Could we be impacted?" Instead, we used Contrast to instantly verify if the malicious libraries were present and running. This is the key difference between a theoretical risk and a real, actionable threat.
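To make the "could we be impacted?" versus "are we impacted?" distinction concrete, here is an added example (not Contrast's code) contrasting a static lockfile check with a check of the modules a Node.js process actually loaded. All package names, versions and paths are constructed placeholders, not the real packages from the qix incident; in a live process the loaded-file list would come from `Object.keys(require.cache)` and the version from each package's own package.json.

```javascript
// Constructed: known-bad package@version pairs (placeholders only).
const COMPROMISED = new Set(["example-color-lib@1.2.3", "example-ansi-util@4.5.6"]);

// Constructed lockfile fragment in package-lock.json "packages" shape.
const LOCKFILE = {
  packages: {
    "node_modules/example-color-lib": { version: "1.2.3" },
    "node_modules/example-ansi-util": { version: "4.5.6" },
    "node_modules/harmless-lib": { version: "0.9.0" },
  },
};

// Constructed stand-in for require.cache keys in a running process:
// only the files this application actually loaded (POSIX paths).
const LOADED_FILES = [
  "/srv/app/server.js",
  "/srv/app/node_modules/harmless-lib/index.js",
  "/srv/app/node_modules/example-ansi-util/lib/strip.js",
];

// Static view: everything the lockfile says is installed, whether or not
// it ever runs. Answers "could we be impacted?".
function staticHits(lockfile, compromised) {
  return Object.entries(lockfile.packages)
    .map(([p, meta]) => `${p.split("node_modules/").pop()}@${meta.version}`)
    .filter((key) => compromised.has(key))
    .sort();
}

// Map a loaded file under node_modules to its package name (scoped
// packages like @scope/name included); null means application code.
function packageNameOf(file) {
  const idx = file.lastIndexOf("/node_modules/");
  if (idx < 0) return null;
  const parts = file.slice(idx + "/node_modules/".length).split("/");
  return parts[0].startsWith("@") ? `${parts[0]}/${parts[1]}` : parts[0];
}

// Runtime view: only packages whose code was actually loaded into the
// process. Answers "are we impacted?".
function runtimeHits(files, lockfile, compromised) {
  const hits = new Set();
  for (const file of files) {
    const name = packageNameOf(file);
    const meta = name && lockfile.packages[`node_modules/${name}`];
    if (meta && compromised.has(`${name}@${meta.version}`)) hits.add(`${name}@${meta.version}`);
  }
  return [...hits].sort();
}

console.log("could be impacted:", staticHits(LOCKFILE, COMPROMISED));
console.log("are impacted:", runtimeHits(LOADED_FILES, LOCKFILE, COMPROMISED));
```

The static view flags both compromised packages, while the runtime view shows that only example-ansi-util was ever loaded, so containment can be scoped to the applications that actually ran it.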
| Incident Response Step | The Old Way: Manual & Static | The New Way: Automated with Contrast ADR |
| --- | --- | --- |
| Initial Triage | "Could we be impacted?" (A question of theoretical risk) | "Are we impacted?" (A question of verified impact) |
| Data Sources | Static code scans, manifest files, build logs, institutional knowledge | Real-time, runtime data from inside the application |
| Investigation | Manual, time-consuming. Requires teams to dig through logs to piece together exposure. | Automated and immediate. Provides an instant, definitive answer on whether malicious code is present and running. |
| Containment | Slow and often overly broad. May involve patching or shutting down many systems out of an abundance of caution. Inherently larger blast radius. | Fast and surgical. Pinpoints the exact applications affected, allowing for targeted remediation. Inherently smaller blast radius. |
| Overall Efficiency | Low. Wastes time and resources on potential, unverified threats. | High. Maximizes efficiency by focusing resources only where a confirmed impact exists. |
| Key Differentiator | Tells you if you are potentially impacted | Tells you if you are definitively impacted |
Supply chain attacks are not slowing down; they are speeding up. To stay ahead, you need more than a static check of your manifests. The solution is runtime visibility: knowing exactly what is running in production at all times.
This is the promise of Contrast's Application Detection and Response (ADR) platform. ADR helps you eliminate the blind spots that poisoned dependencies create, allowing you to move from a state of uncertainty to one of assured security without losing days to guesswork.
Naomi Buckwalter, CISSP, CISM, is the Senior Director of Product Security for Contrast Security and author of the LinkedIn course "Training today for tomorrow's solutions – Building the Next Generation of Cybersecurity Professionals". She has over 20 years' experience in IT and security and has held roles in software engineering, security architecture, security engineering, and security executive leadership. A dynamic speaker and mentor, her passion is to cultivate the next generation of cybersecurity leaders through education and mentorship. Naomi has two master's degrees from Villanova University and a Bachelor of Engineering from Stevens Institute of Technology.