The Software Supply Chain (SSC) has captured considerable attention from attackers seeking to infiltrate systems and undermine organizations. There is evidence indicating that adversaries utilize Social Engineering (SocE) techniques specifically aimed at software developers. That is, they interact with developers at critical steps in the Software Development Life Cycle (SDLC), such as accessing Github repositories, incorporating code dependencies, and obtaining approval for Pull Requests (PR) to introduce malicious code. This paper aims to comprehensively explore the existing and emerging SocE tactics employed by adversaries to trick Software Engineers (SWEs) into delivering malicious software. By analyzing a diverse range of resources, which encompass established academic literature and real-world incidents, the paper systematically presents an overview of these manipulative strategies within the realm of the SSC. Such insights prove highly beneficial for threat modeling and security gap analysis.

翻译：软件供应链（SSC）已成为攻击者试图渗透系统、破坏组织的重要目标，并引起了广泛关注。有证据表明，攻击者专门针对软件开发人员使用社会工程学（SocE）技术。具体而言，他们在软件开发生命周期（SDLC）的关键步骤中与开发人员互动，例如访问Github仓库、引入代码依赖项以及获取拉取请求（PR）的批准，以植入恶意代码。本文旨在全面探究攻击者为诱骗软件工程师（SWE）交付恶意软件所采用的现有及新兴SocE策略。通过分析涵盖既有学术文献和真实事件在内的多样化资源，本文系统性地概述了SSC领域中这些操纵性策略。这些见解对于威胁建模和安全漏洞分析具有重要价值。