🤖 AI Summary
This study presents the first systematic security assessment of public serverless repositories, uncovering pervasive systemic risks—including outdated dependencies, hardcoded sensitive parameters, insecure deployment configurations, typosquatting-based domain hijacking, and malicious payloads embedded in archives. We analyze 2,758 serverless components and 125,936 infrastructure-as-code (IaC) templates across five major platforms (e.g., GitHub, GitLab), employing a multi-modal methodology integrating static analysis, dependency scanning, configuration compliance checking, and typosquatting detection. Our findings reveal widespread vulnerabilities: 17.3% of components contain hardcoded secrets, and 9.1% are vulnerable to typosquatting attacks. We propose actionable, developer-oriented mitigation strategies grounded in empirical evidence. This work bridges a critical gap in empirical research on serverless supply-chain security and provides foundational insights for building trustworthy serverless ecosystems.
📝 Abstract
Serverless computing has rapidly emerged as a prominent cloud paradigm, enabling developers to focus solely on application logic without the burden of managing servers or underlying infrastructure. Public serverless repositories have become key to accelerating the development of serverless applications. However, their growing popularity makes them attractive targets for adversaries. Despite this, the security posture of these repositories remains largely unexplored, exposing developers and organizations to potential risks. In this paper, we present the first comprehensive analysis of the security landscape of serverless components hosted in public repositories. We analyse 2,758 serverless components from five widely used public repositories popular among developers and enterprises, and 125,936 Infrastructure as Code (IaC) templates across three widely used IaC frameworks. Our analysis reveals systemic vulnerabilities including outdated software packages, misuse of sensitive parameters, exploitable deployment configurations, susceptibility to typo-squatting attacks and opportunities to embed malicious behaviour within compressed serverless components. Finally, we provide practical recommendations to mitigate these threats.
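As an added illustration (not the paper's analysis tooling), the Python below runs three of the checks the abstract names against a constructed serverless.yml-style template, already parsed into a dict as a YAML loader would produce, and a constructed package.json-style dependency map: hardcoded secret-looking environment values that are not pulled from a secret store, IAM role statements granting `Action: "*"` on `Resource: "*"`, and dependency names within a small edit distance of well-known package names (typosquat candidates). The key regex, the 16-character literal threshold, the distance cut-off and the known-package list are assumptions chosen for the example.

```python
"""Defensive checks for serverless IaC templates and dependency manifests.

Added example, not the paper's tooling. Input is a serverless.yml-style
template parsed into a dict and a package.json-style dependency map.
All sample data and heuristics below are constructed for illustration.
"""
import re
from typing import Dict, List

# Environment keys that commonly carry credentials (heuristic, assumption).
SECRET_KEY_RE = re.compile(r"(secret|token|password|passwd|api_?key|private_?key)", re.I)
# Deploy-time references that are fine: ${ssm:...}, ${env:...}, ${file(...)}, ${cf:...}, ...
REFERENCE_RE = re.compile(r"^\$\{(ssm|env|self|opt|cf|s3|file)[:(]")
# Shortest literal we treat as a plausible hardcoded credential (assumption).
MIN_LITERAL_LEN = 16


def find_hardcoded_secrets(template: Dict) -> List[str]:
    """Return 'scope.KEY' for env vars with secret-looking keys and literal values."""
    findings = []
    scopes = {"provider": template.get("provider", {}).get("environment", {})}
    for name, fn in template.get("functions", {}).items():
        scopes[name] = fn.get("environment", {})
    for scope, env in scopes.items():
        for key, value in env.items():
            if not SECRET_KEY_RE.search(key):
                continue
            if not isinstance(value, str) or REFERENCE_RE.match(value):
                continue  # resolved from a secret store at deploy time: acceptable
            if len(value) >= MIN_LITERAL_LEN:
                findings.append(f"{scope}.{key}")
    return findings


def find_wildcard_iam(template: Dict) -> List[int]:
    """Return indices of iamRoleStatements that allow Action '*' on Resource '*'."""
    statements = template.get("provider", {}).get("iamRoleStatements", [])
    bad = []
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            bad.append(i)
    return bad


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_candidates(deps: Dict[str, str], known: List[str]) -> Dict[str, str]:
    """Map each dependency within edit distance 2 of a known package (but not equal to it)."""
    out = {}
    for dep in deps:
        if dep in known:
            continue
        for good in known:
            if levenshtein(dep, good) <= 2:
                out[dep] = good  # triage hint only; a human confirms the intent
                break
    return out


# Constructed sample template and manifest (not taken from any real repository).
SAMPLE_TEMPLATE = {
    "provider": {
        "name": "aws",
        "environment": {
            "STRIPE_SECRET_KEY": "sk_test_CONSTRUCTEDEXAMPLE0000",  # literal: flagged
            "DB_PASSWORD": "${ssm:/app/db/password}",          # reference: accepted
        },
        "iamRoleStatements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Action": "*", "Resource": "*"},  # flagged
        ],
    },
    "functions": {
        "webhook": {"handler": "handler.main",
                    "environment": {"API_TOKEN": "CONSTRUCTED_TOKEN_VALUE_123"}},
        "cron": {"handler": "cron.main", "environment": {"LOG_LEVEL": "debug"}},
    },
}
SAMPLE_DEPS = {"lodash": "^4.17.21", "expres": "^4.18.0", "aws-sdk": "^2.1000.0"}
KNOWN_PACKAGES = ["lodash", "express", "aws-sdk", "axios"]


def scan(template: Dict, deps: Dict[str, str], known: List[str]) -> Dict:
    """Run all three checks and return a single report dict."""
    return {
        "hardcoded_secrets": find_hardcoded_secrets(template),
        "wildcard_iam_statements": find_wildcard_iam(template),
        "typosquat_candidates": find_typosquat_candidates(deps, known),
    }


if __name__ == "__main__":
    for check, result in scan(SAMPLE_TEMPLATE, SAMPLE_DEPS, KNOWN_PACKAGES).items():
        print(f"{check}: {result}")
```

The secret check deliberately accepts `${ssm:...}`-style references so that templates following the recommended pattern (secrets resolved at deploy time) are not flagged, which is the distinction the abstract's "misuse of sensitive parameters" finding turns on. The edit-distance check is a triage filter, not a verdict: legitimate packages with similar names will also appear and need a human look.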