The software supply chain has become a highly dynamic sociotechnical system characterized by complex dependency graphs, build environments that resemble jellyfish, and autonomous automation agents. In this setting, traditional threat-analysis models such as STRIDE and PASTA not only lack scalability but also suffer an epistemological inadequacy, because they depend on static system scopes and manual, enumerative threat analysis. This paper proposes SYNTHTM (Synthetic Supply Chain Threat Modeling), an AI-native framework that treats threat modeling as an associative inference problem. SYNTHTM combines Graph Neural Networks (GNNs) and Large Language Models (LLMs) to build and reason over a dynamic Risk Propagation Graph derived from software development life-cycle artifacts such as Software Bills of Materials, CI/CD data, and version information. Through transitive and probabilistic reasoning about how risk flows across build, dependency, and execution environments, SYNTHTM identifies emerging attack paths, such as dependency confusion attacks and "Living off the Land" (LoT/P) attacks, that are difficult to discover with static analysis. Empirical validation on a complex microservices-based system shows that SYNTHTM outperforms manual threat modeling by expert professionals in identifying architectural threats by 42% and achieves an 85% reduction
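To make the idea of transitive, probabilistic risk propagation over a dependency and build graph concrete, the following is an added illustration and not SYNTHTM's own code or method. It assumes a small constructed graph whose nodes are SBOM-style package identifiers, a shared CI runner, and two services, with edges pointing from an upstream component to whatever consumes it. Risk is combined with a noisy-OR rule, and a dependency-confusion precondition (an internal package name that also resolves on the public registry, checked against a constructed registry snapshot) raises that package's base risk before propagation so the effect on downstream services becomes visible. All node names, probabilities and the `EDGE_WEIGHT` and `CONFUSION_PRIOR` constants are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from math import prod

# Constructed sample graph: (upstream, downstream). A package feeds the service that
# bundles it; the shared CI runner feeds every service it builds.
EDGES = [
    ("pkg:npm/left-pad@1.3.0", "pkg:npm/acme-internal-auth@2.1.0"),
    ("pkg:npm/acme-internal-auth@2.1.0", "service:payments"),
    ("ci:build-runner-shared", "service:payments"),
    ("pkg:npm/express@4.18.2", "service:payments"),
    ("service:payments", "service:checkout-gateway"),
]

# Intrinsic compromise likelihood per node (constructed values, e.g. from advisories
# or runner hygiene findings). Missing nodes default to 0.0.
BASE_RISK = {
    "pkg:npm/left-pad@1.3.0": 0.05,
    "ci:build-runner-shared": 0.20,
    "pkg:npm/express@4.18.2": 0.02,
}

INTERNAL_PACKAGES = {"acme-internal-auth", "acme-billing-core"}      # private registry
PUBLIC_REGISTRY_NAMES = {"left-pad", "express", "acme-internal-auth"}  # constructed snapshot

EDGE_WEIGHT = 0.8       # assumed P(compromise of upstream reaches downstream via an edge)
CONFUSION_PRIOR = 0.5   # assumed base risk for a name that is confusable with a public one


def dependency_confusion_candidates(internal, public):
    """Internal package names that also resolve on the public registry.
    That overlap is the precondition for dependency confusion, so the
    matching nodes get a higher base risk before propagation."""
    return sorted(internal & public)


def _bare_name(node):
    """'pkg:npm/acme-internal-auth@2.1.0' -> 'acme-internal-auth'; None for non-packages."""
    if not node.startswith("pkg:"):
        return None
    return node.split("/", 1)[1].split("@", 1)[0]


def build_graph(edges):
    preds, succs, nodes = defaultdict(list), defaultdict(list), set()
    for u, v in edges:
        preds[v].append(u)
        succs[u].append(v)
        nodes.update((u, v))
    return nodes, preds, succs


def topological_order(nodes, preds, succs):
    """Kahn's algorithm; upstream nodes come first so their risk is known when needed."""
    indeg = {n: len(preds[n]) for n in nodes}
    queue = deque(sorted(n for n in nodes if indeg[n] == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for m in succs[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                queue.append(m)
    if len(order) != len(nodes):
        raise ValueError("dependency graph has a cycle")
    return order


def propagate_risk(edges, base_risk, confusable=(), weight=EDGE_WEIGHT):
    """Transitive noisy-OR propagation: a node stays clean only if it is not
    compromised intrinsically AND no upstream compromise reaches it on any edge."""
    nodes, preds, succs = build_graph(edges)
    risk = {}
    for n in topological_order(nodes, preds, succs):
        base = base_risk.get(n, 0.0)
        if _bare_name(n) in confusable:
            base = max(base, CONFUSION_PRIOR)
        survive = (1 - base) * prod(1 - weight * risk[u] for u in preds[n])
        risk[n] = 1 - survive
    return risk


def dominant_upstream(node, edges, risk, weight=EDGE_WEIGHT):
    """The upstream edge contributing most risk to `node`; the first hop of the
    attack path a reviewer would want to see. None for source nodes."""
    _, preds, _ = build_graph(edges)
    if not preds[node]:
        return None
    return max(preds[node], key=lambda u: weight * risk[u])


if __name__ == "__main__":
    flagged = dependency_confusion_candidates(INTERNAL_PACKAGES, PUBLIC_REGISTRY_NAMES)
    risks = propagate_risk(EDGES, BASE_RISK, confusable=flagged)
    for n, r in sorted(risks.items(), key=lambda kv: -kv[1]):
        print(f"{r:.3f}  {n}  (via {dominant_upstream(n, EDGES, risks)})")
```

Running the block with the confusable name flagged roughly doubles the payments service's risk compared with the same graph without the flag, and `dominant_upstream` points at the internal auth package rather than the shared runner; a real system would replace the constant edge weight with per-edge estimates and feed base risks from vulnerability and CI data, but the propagation rule stays the same.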
Copyrights © 2026