Modern software systems heavily rely on third-party components, introducing significant supply chain security risks that existing lightweight identification mechanisms inadequately address. This work introduces the novel concept of “software supply chain smells,” formalizing them as structural indicators of security risk, and presents Dirty-Waters—a tool that automates their detection in Maven and NPM ecosystems through lightweight static analysis, dependency graph parsing, metadata inspection, and signature verification. Empirical evaluation reveals that these smells are prevalent yet distributed differently across the two ecosystems: Maven exhibits prominent issues related to traceability and missing signatures, whereas NPM’s registry-enforced safeguards render most smells rare. These findings demonstrate the effectiveness and practical utility of the proposed approach.

Modern software systems heavily rely on third-party dependencies, making software supply chain security a critical concern. We introduce the concept of software supply chain smells as structural indicators that signal potential security risks. We design and evaluate Dirty-Waters, a novel tool for detecting such smells in the supply chains of software packages. Through interviews with practitioners, we show that our proposed smells align with real-world concerns and capture signals considered valuable. A quantitative study of popular packages in the Maven and NPM ecosystems reveals that while smells are prevalent in both, they differ significantly across ecosystems, with traceability and signing issues dominating in Maven and most smells being rare in NPM, due to strong registry-level guarantees. Software supply chain smells support developers and organizations in making informed decisions and improving their software supply chain security posture.