Software supply-chain (SSC) attacks are increasingly multi-stage, cross-source, and temporally distributed. A single attack campaign may leave weak and fragmented traces across multi-source telemetry that captures different granularities and perspectives of runtime behavior. Existing runtime detection systems often analyze these sources independently, making it difficult to identify low-frequency attack evidence or reconstruct the temporal context in which it appears. We present FUSECHAIN, a runtime detection framework that represents multi-source software supply-chain telemetry as a temporal heterogeneous provenance graph over a unified event-time axis. By aligning package/runtime traces, process events, network telemetry, DNS/HTTP metadata, and security alerts on a unified temporal graph, FuseChain captures cross-source dependencies and sparse attack evidence that may be ambiguous within any individual source. It learns anomaly-centric temporal representations from benign-prefix telemetry and performs deployable attack-stage reconstruction through a lightweight decoder on top of a frozen anomaly backbone. Our experiments show that jointly optimizing anomaly detection and stage prediction is ineffective under sparse and imbalanced runtime supply-chain telemetry. Across seven SSC attack scenarios, FuseChain improves deployable stage reconstruction from 0.369 to 0.881 Stage Recall@500 with a frozen-backbone decoder, while adaptive retrieval further increases observable-stage recall from 0.524 to 0.655 without modifying the detector. These results highlight the deployable value of decoupling runtime SSC anomaly detection from downstream attack-stage interpretation.

翻译：软件供应链攻击日益呈现多阶段、跨来源及时间分布特性。单一攻击活动可能在捕获不同粒度和视角运行时行为的多源遥测中留下微弱且碎片化的痕迹。现有运行时检测系统通常独立分析这些来源，导致难以识别低频攻击证据或重构其出现的时间上下文。我们提出FUSECHAIN——一种运行时检测框架，将多源软件供应链遥测表示为统一事件时间轴上的时态异构图谱。通过将包/运行时轨迹、进程事件、网络遥测、DNS/HTTP元数据及安全警报对齐至统一时态图谱，FUSECHAIN可捕获跨源依赖关系及在单一来源中可能模糊的稀疏攻击证据。该框架从正常前缀遥测中学习以异常为中心的时间表征，并通过在冻结异常骨干网络之上的轻量级解码器执行可部署的攻击阶段重构。实验表明，在稀疏且不平衡的运行时供应链遥测下，联合优化异常检测与阶段预测效果欠佳。在七种软件供应链攻击场景中，FUSECHAIN通过冻结骨干解码器将可部署阶段重构的Stage Recall@500从0.369提升至0.881，自适应检索机制更在不修改检测器的条件下将可观测阶段召回率从0.524提升至0.655。这些结果凸显了将运行时软件供应链异常检测与下游攻击阶段解释解耦的部署价值。