Kumar, VimalNair, Shilpa2026-07-092026-07-092026https://hdl.handle.net/10289/18438Software supply chain attacks targeting open-source package ecosystems have increasingly become prevalent, where the compromise of a single third-party dependency can affect many downstream applications. Existing approaches to supply chain security are largely reactive, focusing on known vulnerabilities rather than identifying packages that are inherently more susceptible to attack. This thesis proposes an attacker-centric risk profiling framework that investigates package-level susceptibility using socio-technical metadata, including dependency structure, ecosystem impact, and maintenance activity. A hierarchical composite scoring framework is developed, with metric weights derived using ROC AUC analysis to produce an interpretable risk score. The framework is evaluated on 79,000 RubyGems packages, including 380 known malicious instances. Results show that malicious packages are more likely to appear in higher-ranked regions of the score distribution, with consistent enrichment over a random baseline. It also shows that supply chain risk is distributed across a broader high-risk region rather than concentrated at the extreme tail. Quantitative evaluation and case study analysis further show that maintenance and impact-related signals offer the best discrimination between benign and malicious packages. The proposed approach, therefore, functions as a prioritisation tool, supporting effective allocation of security effort in large-scale ecosystems.enAll items in Research Commons are provided for private study and research purposes and are protected by copyright with all rights reserved unless otherwise indicated.RubyGemspackage metadatasoftware supply chain attackssoftware supply chain securityInvestigating RubyGems packages for software supply chain attack susceptibility through socio-technical metadataThesis