A Breached Supplier = A Breached Client?


As software supply chain attacks surge in scale and sophistication, organisations face an urgent imperative to rethink how they manage digital dependencies. From stealthy backdoors in open-source tools to cascading outages triggered by trusted vendors, recent incidents highlight the fragility and interconnectedness of today’s software ecosystems. This article explores the evolving threat landscape and offers actionable recommendations to strengthen supply chain resilience.

The European Union Agency for Cybersecurity (ENISA) defines software supply chain attacks as targeting “…the relationship between organizations and their suppliers…” or, “… more specifically, an attack on a supplier that is then used to attack [another] target.” In the spring of 2024, ENISA identified software supply chain attacks as the most significant threat that organizations will need to confront over the upcoming decade. Unfortunately, evidence suggests that this threat is on the rise.

Research from cybersecurity leaders, including Mandiant and BlackBerry, as well as new incident data collected throughout 2024 and early 2025, confirms that software supply chain attacks remain one of the most significant and rapidly evolving threats to enterprise security. According to BlackBerry’s 2024 Global Supply Chain Cybersecurity report, cyberattacks impacted nearly three-quarters of all software supply chains over the past 12 months. These attacks can result in severe consequences, including operational disruption (55%), data loss (59%), intellectual property theft (52%), reputational damage (58%), and financial loss (64%). 

A major enabler of these attacks is the lack of centralized visibility into supplier relationships. In many organizations, supplier onboarding and management are decentralized across departments. While functionally convenient, this creates blind spots concerning where sensitive data resides and who has access to it. ENISA and several other threat intelligence bodies have reiterated that attackers actively exploit these blind spots to establish footholds inside organizations.

In 2024, a prominent software supply chain compromise involved an attempted backdoor in the xz Utils compression software, which was part of a multi-year infiltration effort by a stealthy threat actor within the open-source community. This compromise highlighted how essential and widely trusted open-source tools can be manipulated over time by adversaries with the requisite time and resources.  

Additionally, the compromise of a widely used GitHub Action in 2025 enabled attackers to hijack CI/CD pipelines, bringing attention to a new frontier in software development infrastructure threats. This popular GitHub automation component, used to automate software workflows, was secretly altered to steal sensitive credentials, such as passwords and access keys, showing how easily trusted software components can be weaponised when security checks are missing.

The Microsoft Blue Screen of Death outage caused by a faulty CrowdStrike update showed how supply chain issues, even at major tech firms, can trigger cascading impacts across the global digital infrastructure, affecting organizations within banking, healthcare, and manufacturing. Similarly, Kaspersky's 2024 "Story of the Year" details how long-tail dependencies and indirect attack vectors are increasingly favoured by attackers seeking scale and stealth. 

CISA has issued multiple advisories in 2025, warning of active exploitation campaigns targeting widely used software components in both public and private sector networks. These include compromises within secure software development practices and updates to open-source libraries, confirming the need for better oversight and secure-by-design principles in development and procurement. 

Software supply chain compromises are expected to continue growing in scale, frequency, and complexity as they can affect hundreds or thousands of organizations from a single point of compromise. With attackers refining their methods and aiming deeper into the software development lifecycle, the best defense is vigilance, transparency, and a commitment to proactive security throughout the entire ecosystem. 

Recommendations: 

  • Update and rehearse your supply chain incident response plan. Breaches are no longer a matter of "if," but "when."
  • Centralize oversight over supplier and partner data access. Decentralized control often leads to invisible risks.
  • Enforce vulnerability and patch management at scale. Exploitable vulnerabilities remain a top method for gaining initial access, particularly in unmanaged dependencies.
  • Implement software bill of materials (SBOM) tracking and require them from vendors.
  • Implement a proper vulnerability management program informed by active vulnerability intelligence, such as that provided by DNV Cyber’s Exposure Management unit, to stay informed and receive guidance on the latest exploits, patches, and mitigations that specifically affect your business.  


Sources

Author / Article / Publisher / Date

  1. ENISA Threat Landscape 2022. ENISA. October 2022. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022 
  2. CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise. The Hacker News. March 2025. https://thehackernews.com/2025/03/cisa-warns-of-active-exploitation-in.html 
  3. Foresight Cybersecurity Threats for 2030 – Update 2024: Executive Summary. ENISA. March 2024. https://www.enisa.europa.eu/publications/foresight-cybersecurity-threats-for-2030-update-2024-executive-summary
  4. GitHub Action Compromise Puts CI/CD Pipelines at Risk. The Hacker News. March 2025. https://thehackernews.com/2025/03/github-action-compromise-puts-cicd.html 
  5. Constantin, Lucian. Dangerous XZ Utils Backdoor Was the Result of Years-long Supply Chain Compromise Effort. CSO Online. 2 April 2024. https://www.csoonline.com/article/2077692/dangerous-xz-utils-backdoor-was-the-result-of-years-long-supply-chain-compromise-effort.html 
  6. Top 10 Biggest Cyber Attacks of 2024 & 25 Other Attacks to Know About. Cyber Management Alliance. 27 December 2024. https://www.cm-alliance.com/cybersecurity-blog/top-10-biggest-cyber-attacks-of-2024-25-other-attacks-to-know-about 
  7. Blue Screen of Death: Live Timeline of the Microsoft Outage & Impact. Cyber Management Alliance. 20 December 2024. https://www.cm-alliance.com/cybersecurity-blog/blue-screen-of-death-live-timeline-of-the-microsoft-outage-impact  
  8. KSB: Story of the Year 2024. Securelist (Kaspersky). 28 December 2024. https://securelist.com/ksb-story-of-the-year-2024/114883/ 
  9. Supply Chain Cybersecurity Survey Research. BlackBerry. June 2024. https://blogs.blackberry.com/en/2024/06/supply-chain-cybersecurity-survey-research 

7/18/2025 10:00:00 AM