Hidden structural risk in software trust networks

Authors

  • Radamanthus B. Batnag ⋅ PH Data Science Program, College of Science, University of the Philippines Diliman
  • Giovanni Tapang ⋅ PH National Institute of Physics, University of the Philippines Diliman

Abstract

Modern software is built on chains of implicit trust — each package dependency is a trust relationship. Recent attacks, most notably xz-utils (2024), demonstrate that these trust relationships are now deliberate attack vectors. We analyze the PyPI and npm dependency networks and show that both exhibit scale-free fragility: robust to random node removals but vulnerable to targeted attacks. We introduce the bridge score, a simple metric that identifies packages that are important to the ecosystem but not popular — the xz-utils equivalents in the ecosystem. In PyPI, the top bridge packages are dominated by machine learning infrastructure; in npm, by small utility libraries — in both cases invisible to download-based risk metrics. These are the packages typically overlooked by security and open source funding efforts.
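The two claims above, scale-free fragility (random removals hurt little, targeted removals hurt a lot) and a bridge score that flags structurally important but unpopular packages, can be tried on a toy dependency graph. The block below is an added illustration, not code from the paper: the graph, package names and download counts are constructed, and since the page does not give the bridge score's formula, the ratio of transitive dependents to downloads used here is an assumed stand-in.

```python
# Added illustration, not the paper's code. Edges point from a package to the
# packages it imports; all names and download counts are constructed placeholders.
import random
DEPS = {  # constructed graph: package -> set of direct dependencies
    "app1": {"web", "ml"}, "app2": {"web"}, "app3": {"ml"}, "app4": {"cli"},
    "app5": {"ml", "cli"}, "app6": {"web", "cli"},
    "web": {"http"}, "ml": {"tensor"}, "cli": {"fmt"},
    "http": {"compress"}, "tensor": {"compress"}, "fmt": set(), "compress": set(),
}
DOWNLOADS = {  # constructed: the low-level "compress" is rarely fetched directly
    "app1": 900, "app2": 800, "app3": 700, "app4": 600, "app5": 500, "app6": 400,
    "web": 300, "ml": 250, "cli": 200, "http": 90, "tensor": 80, "fmt": 60, "compress": 10,
}
def transitive_dependents(deps):
    """Map each package to every package that reaches it via some dependency path."""
    reverse = {p: set() for p in deps}
    for pkg, ds in deps.items():
        for d in ds:
            reverse[d].add(pkg)
    result = {}
    for start in deps:
        seen, stack = set(), [start]
        while stack:
            new = reverse[stack.pop()] - seen
            seen |= new
            stack.extend(new)
        result[start] = seen
    return result

def bridge_score(deps, downloads):
    """Assumed proxy for the paper's metric (its exact definition is not on the page):
    transitive dependents per direct download; high = important to the graph but unpopular."""
    reach = transitive_dependents(deps)
    return {p: len(reach[p]) / downloads[p] for p in deps}

def surviving_fraction(deps, removed):
    """Fraction of packages still installable: not removed, and every dependency survives."""
    ok = {}
    def alive(p):
        if p not in ok:
            ok[p] = p not in removed and all(alive(d) for d in deps[p])
        return ok[p]
    return sum(alive(p) for p in deps) / len(deps)
def compare_attacks(deps, k=2, seed=0):
    """Survivors after removing k random packages vs the k with most transitive dependents."""
    reach = transitive_dependents(deps)
    random_hit = set(random.Random(seed).sample(sorted(deps), k))
    targeted = set(sorted(deps, key=lambda p: -len(reach[p]))[:k])
    return surviving_fraction(deps, random_hit), surviving_fraction(deps, targeted)
```

On this graph the least-downloaded package, `compress`, has the most transitive dependents and the highest bridge score, and removing it together with one more hub leaves only 3 of 13 packages installable.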

Published

2026-06-10

How to Cite

[1]
RB Batnag and G Tapang, Hidden structural risk in software trust networks, in Proceedings of the 44th Samahang Pisika ng Pilipinas Physics Conference (Philippines, 2026), SPP-2026-2A-04. URL: https://proceedings.spp-online.org/article/view/SPP-2026-2A-04