Explainable Graph Neural Networks for Malware Propagation Mapping in Supply-Chain Attacks
Abstract
The growing prevalence of supply-chain attacks has exposed fundamental weaknesses in current software ecosystems, in which malware spreads across intricate and opaque dependency networks. Traditional natural-language detection methods largely ignore the static, graph-structured relationships between software components, developers and repositories. In this work, we present an Explainable Graph Neural Network (XGNN) architecture for mapping and interpreting malware propagation in supply-chain networks. By modelling software dependencies as heterogeneous graphs (nodes correspond to packages, versions and contributors; edges represent dependency or communication relationships), the model learns the latent relational patterns on which malicious infiltration and propagation depend. The GNN architecture, with message-passing and graph-attention components, learns contextual embeddings, while the interpretability modules GNNExplainer and GraphLIME provide interpretable explanations of infection pathways, root causes and high-risk nodes. Experimental results on real-world datasets (npm, PyPI and Maven) show that our approach achieves early detection while providing highly interpretable explanations compared to black-box baselines. The XGNN model makes cybersecurity analytics more transparent, contributing to proactive defence and forensic analysis across software supply-chain ecosystems.
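To make the abstract's graph formulation concrete, the following is an added illustration (written for this page, not code from the paper or its authors) of the three ideas it names: a heterogeneous supply-chain graph with package and contributor nodes, a propagation map derived from it, and an explanation of why a given node is at risk. The package names, contributors and dependency edges are constructed, the per-edge-type weights are a fixed assumption standing in for the learned graph-attention coefficients, and the explanation is a simple ablation over edges, standing in for the edge-importance masks that GNNExplainer would learn; none of this is the paper's model.

```python
"""Toy propagation map over a heterogeneous software supply-chain graph.

Node types: "pkg" (package@version) and "dev" (contributor).
Edge types: "depends_on" (pkg -> pkg) and "publishes" (dev -> pkg).
Every name and edge below is constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source, relation, target)

# Constructed example graph: no real packages or people.
EDGES: List[Edge] = [
    ("dev:mallory", "publishes", "pkg:colors@1.4.1"),
    ("dev:alice", "publishes", "pkg:webapp@2.0.0"),
    ("pkg:webapp@2.0.0", "depends_on", "pkg:logger@3.1.0"),
    ("pkg:webapp@2.0.0", "depends_on", "pkg:http-client@0.9.2"),
    ("pkg:logger@3.1.0", "depends_on", "pkg:colors@1.4.1"),
    ("pkg:cli-tool@5.2.0", "depends_on", "pkg:colors@1.4.1"),
    ("pkg:http-client@0.9.2", "depends_on", "pkg:url-parse@1.0.0"),
]

# Assumed strength with which compromise moves along each edge type.
# In the paper's setting these would be learned attention weights;
# here they are fixed so the example runs stand-alone.
EDGE_WEIGHT = {"publishes": 1.0, "depends_on": 0.7}


def infection_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Orient edges in the direction malware travels: a compromised
    contributor taints what they publish, and a tainted package taints
    every package that depends on it."""
    out = defaultdict(list)
    for src, rel, dst in edges:
        if rel == "publishes":
            out[src].append((dst, rel))      # dev -> pkg
        elif rel == "depends_on":
            out[dst].append((src, rel))      # dependency -> dependent
    return out


def propagation_map(edges: List[Edge], compromised) -> Dict[str, List[Edge]]:
    """BFS from the compromised seeds. Returns {node: edge path from a seed}
    for every node the compromise can reach; unreachable nodes are absent."""
    g = infection_graph(edges)
    paths = {c: [] for c in compromised}
    queue = deque(compromised)
    while queue:
        u = queue.popleft()
        for v, rel in g[u]:
            if v not in paths:
                paths[v] = paths[u] + [(u, rel, v)]
                queue.append(v)
    return paths


def risk_scores(edges: List[Edge], compromised, rounds: int = 4) -> Dict[str, float]:
    """Weighted message passing: a node's risk is the max of its own seed
    value and the weighted risk arriving over incoming infection edges."""
    g = infection_graph(edges)
    nodes = {n for e in edges for n in (e[0], e[2])}
    risk = {n: (1.0 if n in compromised else 0.0) for n in nodes}
    for _ in range(rounds):
        nxt = dict(risk)
        for u, outs in g.items():
            for v, rel in outs:
                nxt[v] = max(nxt[v], EDGE_WEIGHT[rel] * risk[u])
        risk = nxt
    return risk


def explain(edges: List[Edge], compromised, target: str, rounds: int = 4):
    """Ablation-based edge importance: drop each edge in turn, recompute the
    target's risk and report the drop. Edges whose removal changes nothing
    are left out, so the result is the minimal infection pathway."""
    base = risk_scores(edges, compromised, rounds)[target]
    importance = []
    for e in edges:
        ablated = [x for x in edges if x != e]
        drop = base - risk_scores(ablated, compromised, rounds).get(target, 0.0)
        if drop > 0:
            importance.append((drop, e))
    importance.sort(reverse=True)
    return base, importance


if __name__ == "__main__":
    seeds = {"dev:mallory"}  # constructed scenario: one contributor account compromised
    for node, path in propagation_map(EDGES, seeds).items():
        print(node, "<-", " <- ".join(f"{s} [{r}]" for s, r, _ in path) or "(seed)")
    base, edges_ranked = explain(EDGES, seeds, "pkg:webapp@2.0.0")
    print("risk(webapp) =", round(base, 2))
    for drop, e in edges_ranked:
        print(f"  drop {drop:.2f} if removed:", e)
```

Running it prints the reachable set from the compromised contributor (the published package, its two direct dependents and the application that depends on one of them) and, for the application node, exactly the three edges on its infection path; the unrelated dependency edges and the legitimate publisher edge get no importance. That separation of pathway from background is the property the abstract asks of its explainers, here obtained by ablation rather than by a learned mask.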
Article information
Journal
Frontiers in Computer Science and Artificial Intelligence
Volume (Issue)
2 (1)
Pages
47-60
Published
Copyright
Open access

This work is licensed under a Creative Commons Attribution 4.0 International License.
