🤖 AI Summary
The software build phase is a critical point of vulnerability in the software supply chain, yet its distinctive risks, such as build non-determinism and stealthy compile-time intrusion, have lacked systematic analysis. Method: Drawing on 621 CVE disclosures and 168 real-world supply chain attacks, we conduct an empirical analysis that integrates NVD data mining, vulnerability text analysis, attack surface modeling, and cross-case validation. Contribution/Results: We propose the first empirically grounded attack vector taxonomy tailored to the build process, identifying four primary categories: source code manipulation, dependency confusion, build script injection, and compiler compromise. Our evaluation reveals that 23.8% of supply chain attacks involve the build phase, with dependency confusion and script injection being the most prevalent vectors. We release the first publicly available build-stage attack classification dataset, quantifying the build phase's share of the threat and establishing a reproducible, evidence-based foundation for the precise design of defense mechanisms.
📝 Abstract
The software build process transforms source code into deployable artifacts, representing a critical yet vulnerable stage in software development. Build infrastructure security poses unique challenges: the complexity of multi-component systems (source code, dependencies, build tools), the difficulty of detecting intrusions during compilation, and prevalent build non-determinism that masks malicious modifications. Despite these risks, the security community lacks a systematic understanding of build-specific attack vectors, hindering effective defense design.
This paper presents an empirically derived taxonomy of attack vectors targeting the build process, constructed through large-scale mining of 621 vulnerability disclosures from the NVD database. We categorize attack vectors by their injection points across the build pipeline, from source code manipulation to compiler compromise. To validate the taxonomy, we analyzed 168 documented software supply chain attacks and identified 40 incidents specifically targeting build phases. Our analysis reveals that 23.8% of supply chain attacks exploit build vulnerabilities, with dependency confusion and build script injection representing the most prevalent vectors.
Dataset available at: https://anonymous.4open.science/r/Taxonomizing-Build-Attacks-8BB0.
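As an added illustration of the kind of analysis the abstract describes (this is not code from the paper or its dataset), the following Python sketch classifies constructed incident records by build-stage injection point using hypothetical keyword cues, then computes the build-phase share and per-category counts the way the 40-of-168 figure is derived. The cue lists and the sample incidents are assumptions made up for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Iterable, Tuple

# The four build-stage categories named in the taxonomy above, each tied to
# the pipeline stage where the malicious change is injected.
BUILD_CATEGORIES = ("source code manipulation", "dependency confusion",
                    "build script injection", "compiler compromise")

# Hypothetical keyword cues per category. The paper's real text-analysis
# rules are not on this page; these exist only to make the sketch run.
CUES = {
    "source code manipulation": ("commit", "repository", "source tree"),
    "dependency confusion": ("public registry", "same name", "internal package", "namespace"),
    "build script injection": ("makefile", "ci pipeline", "build script", "postinstall"),
    "compiler compromise": ("compiler", "toolchain binary", "linker"),
}

@dataclass
class Incident:
    name: str
    description: str

def classify(description: str) -> Optional[str]:
    """Return the build-stage category whose cues match the description, or
    None when the incident does not touch the build phase (distribution, runtime)."""
    text = description.lower()
    for category, cues in CUES.items():
        if any(cue in text for cue in cues):
            return category
    return None

def build_phase_share(incidents: Iterable[Incident]) -> Tuple[float, Counter]:
    """Fraction of incidents that fall into any build-stage category, plus
    per-category counts so the most prevalent vectors can be read off."""
    incidents = list(incidents)
    counts = Counter(c for c in (classify(i.description) for i in incidents) if c)
    return sum(counts.values()) / len(incidents), counts

# Constructed sample incidents (not from the paper's dataset).
SAMPLE = [
    Incident("A", "Attacker registers an internal package name on the public registry so the resolver fetches it"),
    Incident("B", "CI pipeline step modified to run a postinstall hook that adds a backdoor during packaging"),
    Incident("C", "Trojanized compiler inserts code into every binary it produces"),
    Incident("D", "Malicious update signed with stolen maintainer credentials and pushed to the download mirror"),
    Incident("E", "Runtime deserialization flaw exploited in the deployed service"),
    Incident("F", "Typosquatted package published under a misspelled name"),
    Incident("G", "Unauthorized commit to the repository adds a hardcoded credential"),
    Incident("H", "Update server compromised to serve tampered installers"),
    Incident("I", "Private namespace package name claimed on the public registry by an outsider"),
]
```

Running `build_phase_share(SAMPLE)` on the constructed set yields a 5/9 build-phase share with dependency confusion as the most frequent category; on the paper's own 168 incidents the corresponding figure is the 23.8% reported above.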