Existing MulVal tools lack the capability to model and reason about threat propagation within software supply chains (SSCs), rendering them ineffective for analyzing complex, real-world incidents such as the XZ backdoor and the 3CX dual-supply-chain attack. Method: This paper proposes a MulVal extension framework tailored for supply chain security. It introduces a novel predicate system seamlessly integrated into MulVal’s syntax, enabling—for the first time—bidirectional logical reasoning between network-level attack graphs and SSC-specific constructs, including asset dependencies, interactions, and compromise states. By incorporating facts and rules representing supply chain assets, dependency relationships, protective mechanisms, and initial configurations, the framework constructs a multi-granularity attack graph spanning both network and supply chain layers. Contribution/Results: The approach successfully reconstructs multiple real-world supply chain attack paths, significantly enhancing threat traceability, interpretability, and detection accuracy.

Cyberattacks are becoming increasingly frequent and sophisticated, often exploiting the software supply chain (SSC) as an attack vector. Attack graphs provide a detailed representation of the sequence of events and vulnerabilities that could lead to a successful security breach in a system. MulVal is a widely used open-source tool for logical attack graph generation in networked systems. However, its current lack of support for capturing and reasoning about SSC threat propagation makes it unsuitable for addressing modern SSC attacks, such as the XZ compromise or the 3CX double SSC attack. To address this limitation, we propose an extension to MulVal that integrates SSC threat propagation analysis with existing network-based threat analysis. This extension introduces a new set of predicates within the familiar MulVal syntax, enabling seamless integration. The new facts and interaction rules model SSC assets, their dependencies, interactions, compromises, additional security mechanisms, initial system states, and known threats. We explain how this integration operates in both directions and demonstrate the practical application of the extension.