A routine software update pushed to millions of home routers in 2020 carried malicious code that had been inserted somewhere between the developer's keyboard and the end user's device. The SolarWinds breach — still the clearest public example of what researchers call a "software supply chain attack" — compromised federal agencies, Fortune 500 companies, and, quietly, households that ran affected network management tools. Most of those households never knew.

A framework called in-toto, covered recently on Hacker News, is an attempt to solve this at the infrastructure level by cryptographically verifying every step in a software's build and delivery process. It is a serious engineering effort backed by researchers at NYU and adopted in parts of the Linux Foundation ecosystem. It is also, for the foreseeable future, invisible to you as a consumer. You cannot install in-toto. You cannot verify whether any given app uses it. That gap between what security researchers are building and what a real family can actually do is the thing worth thinking about.

What's actually changing

Software supply chain attacks have moved from exotic threat to standard toolkit. Attackers no longer need to break into your device directly. They compromise the developer, the build server, the update distribution network, or the open-source library that hundreds of apps depend on. The malicious code arrives as a legitimate, signed update. Your antivirus does not flag it. Your router approves it. You never clicked anything suspicious.

Recent reporting across the security press has tracked a meaningful uptick in attacks targeting small-business and consumer software — not just enterprise tools. Home NAS drives, smart home hubs, password managers, and VPN clients have all been vectors in documented incidents over the past two years. The supply chain is the attack surface, and it is enormous.

Frameworks like in-toto matter because they shift verification earlier in the chain. But their adoption depends on vendors choosing to implement them, which depends on market pressure or regulation — neither of which moves fast enough to protect your household this month.

What we'd actually do

Stop auto-updating everything, all at once. Set critical-but-sensitive software — your password manager, VPN client, and home network firmware — to notify rather than auto-install, then wait 48 to 72 hours after a release before applying it. This is not paranoia; it is the same logic as waiting for a software patch to prove stable before deploying it in a production environment. Weaponized updates are sometimes caught and pulled within days. You don't need to be the first user.

Shrink the software surface on devices that touch your finances. The laptop or tablet you use for banking and tax documents should have the fewest apps of any device in your home. Each additional app is an additional supply chain you cannot audit. One device, one purpose, fewer vectors.

Know what's on your home network. Log into your router's admin panel — most are accessible at 192.168.1.1 or 192.168.0.1 — and look at connected devices. Write them down. If a device you don't recognize appears, that is a conversation worth having. This takes fifteen minutes and costs nothing. Most households have never done it.

Use a password manager that has a published security audit. Reputable ones publish third-party audits annually. If yours doesn't, that is a data point. If yours was recently acquired by a private equity firm or a large ad-tech company, that is also a data point. Supply chain risk includes corporate ownership changes.

Keep one offline backup of your most important files. A small external drive, updated monthly, stored somewhere other than next to your computer. This does not prevent a supply chain attack, but it limits the blast radius of one that includes ransomware.

The bigger picture

Security infrastructure is always a generation behind the threat. in-toto and frameworks like it represent serious progress, and over the next decade they will likely become baseline requirements for software distributed in regulated industries. That is genuinely good news. It is also slow news.

In the meantime, the household-level posture that holds up across most digital threats is the same: reduce surface area, delay automatic trust, maintain offline redundancy, and know what you have. None of that requires a cybersecurity degree. It requires fifteen minutes on a Tuesday.

Durability is not about having the perfect system. It is about being slightly harder to compromise than average, and knowing what to do if something slips through anyway.