Supply Chain Attack: How It Works and 5 Recent Examples

A supply chain attack is a type of cyberattack that targets a less secure element within an organization's supply chain to ultimately gain access to the main organization's systems or data. Instead of directly targeting a well-defended organization, attackers exploit vulnerabilities in smaller, less secure entities, often with less robust security measures.

Once attackers compromise a trusted partner, they can use that relationship as a conduit to reach the final victim, bypassing traditional security controls that focus primarily on direct access. These attacks leverage the trust relationships that exist between organizations and their suppliers or vendors. This trust is inherent in the business relationships and communication channels, such as software update mechanisms, which users and systems inherently trust.

Organizations can implement several strategies to reduce their risk of becoming victims of supply chain attacks:

1. Implement runtime security solutions: Use tools that help ensure security at runtime without affecting the performance of systems, blocking threats automatically.
2. Vet vendors thoroughly: Assess the security posture of all third-party vendors and suppliers, ensure compliance with security standards, and include cybersecurity requirements in contracts. 
3. Implement a zero trust architecture: Assume that everything is a potential threat and verify every user and device requesting access to the network. 
4. Enforce strong access controls: Limit access to sensitive data and systems, and require multifactor authentication for high-value targets. 
5. Monitor for anomalies: Actively monitor network traffic and system behavior for unusual activity, which could indicate a compromise. 
6. Maintain an incident response plan: Be prepared to respond quickly and effectively if a supply chain attack is detected. 
7. Secure the development and build processes: Protect all systems involved in the development, build, and deployment processes from unauthorized access and tampering. 
8. Use client-side protection tools: Employ tools like browser isolation and content security policies to prevent malicious code from executing on end-user devices.

This is part of a series of articles about software supply chain security.

How Does a Supply Chain Attack Work?

Supply chain attacks typically follow these steps:

1. A supply chain attack begins by targeting a vulnerable element within an organization’s supply chain, such as a third-party supplier or software provider, to gain indirect access to the primary target. Attackers can plan to breach a supplier’s system through various methods, such as exploiting vulnerabilities, social engineering, or compromising credentials. 
2. Once inside, attackers exploit the trusted relationship to inject malicious code, steal sensitive information, or manipulate business processes: 
   
   • One common approach is to compromise software updates. By altering a legitimate update from a trusted supplier or software provider, attackers can distribute malware under the guise of a routine update. 
   • Another tactic is targeting critical infrastructure, such as build systems, where malicious code is inserted directly into development pipelines. 
3. When a supply chain attack succeeds, it can affect multiple organizations simultaneously. When a trusted vendor or software component is compromised, the attack can propagate across the entire ecosystem, impacting customers, users, and downstream partners. 

The attack might remain hidden until the malicious code triggers its payload, causing widespread damage or data theft.

Key Attack Vectors in Modern Supply Chain Attacks 

Compromised Dependencies

Open source and third-party software dependencies are frequently targeted in supply chain attacks. Threat actors exploit vulnerabilities or insert malicious code into widely used libraries or modules. Organizations that rely on these dependencies unknowingly inherit the attacker’s code or exploits into their own products or services, which can further spread the compromise to end users or customers once the application is deployed or distributed.

This attack vector is hard to detect because dependency management tools automate updates, and the scale at which dependencies are used makes manual review unrealistic. Attackers may contribute to open source repositories under false pretenses or exploit trusted but unmaintained packages, turning the dependency itself into a delivery mechanism for malware or backdoors.

Build Pipeline Infiltration

Compromising the software build pipeline is a tactic for attackers aiming to insert malicious artifacts directly into production releases. By breaching build servers, CI/CD infrastructure, or artifact repositories, adversaries can inject malicious code or manipulate build scripts. Since compromised artifacts are signed and distributed as legitimate software, they carry the authority of the organization, enabling the attack to bypass many security checks downstream.

This infiltration often goes unnoticed until after widespread distribution because build environments typically hold elevated privileges and are trusted by internal and external systems. Attackers focus on insecure build scripts, unmanaged secrets, or poorly secured build agents as entry points. Post-compromise, malicious payloads are integrated and distributed at scale.

Compromised Development Tools

Development tools—such as IDEs, compiler toolchains, or testing frameworks—can themselves become attack vectors if modified or distributed maliciously. Attackers may exploit vulnerabilities in these tools or provide trojanized versions through unofficial channels. Once compromised tools are adopted by developers, they can execute unauthorized actions, embed backdoors, or leak sensitive information without detection.

This method is particularly insidious because developers often run these tools with high privileges, and a compromised tool can affect all projects it touches. Trust in the toolchain is crucial, and when that trust is violated, attackers can subvert build outputs or introduce persistent threats that propagate through released products.

Insider Threats

Insider threats originate from individuals with legitimate access to a company's systems, such as employees, contractors, or partners. These insiders may intentionally plant malicious code, leak credentials, or enable access for external threat actors. In supply chain attacks, insiders can undermine security by exploiting privileged access, bypassing controls that would otherwise block external adversaries.

Unlike external attacks, insider threats may evade detection for prolonged periods due to trusted status and knowledge of internal processes. Motivations can range from financial gain to coercion or disgruntlement. Organizations often struggle to balance operational trust and necessary monitoring

Third-Party Service Providers

Many organizations rely on outsourced IT services, cloud providers, and managed security services for efficiency. However, these third-party service providers present a substantial risk if their own security measures are lacking. Attackers may compromise a provider’s system, then use legitimate access and integration points to infiltrate client environments, achieve lateral movement, or exfiltrate data.

This vector is especially dangerous as providers often require wide-ranging permissions or network access for maintenance, support, or integration. When attackers compromise these providers, the impact can cascade across all connected clients, bypassing internal controls and potentially affecting an entire sector or industry.

Watering Hole Attacks

In a watering hole attack, adversaries compromise websites or online resources that are frequently visited by employees of a targeted organization. By injecting malware or exploit kits into these commonly used platforms, attackers hope to infect users who visit them as part of their daily workflow. These users become unwitting entry points for attackers to infiltrate corporate networks or supply chains.

This method allows attackers to focus efforts on a specific group associated with a business sector or supply chain, increasing the odds the right victim is affected. Watering hole attacks can result in the initial compromise of employee endpoints, which may then be leveraged to launch deeper attacks against company assets.

{{expert-tip}}

Examples of Recent Supply Chain Cyber Attacks 

1. JetBrains TeamCity Vulnerability

In late 2023, a critical vulnerability was discovered in JetBrains TeamCity, a leading CI/CD platform. Attackers exploited this flaw to gain unauthorized access to build environments, manipulate build processes, and insert malicious code into distributed software outputs. This exposed individuals using the affected TeamCity servers as well as any downstream recipients of software built with compromised infrastructure.

The TeamCity vulnerability spotlighted the risks associated with compromised build tools and automated pipelines. Organizations recognized the need for rigorous patch management, continuous monitoring of build servers, and strict access controls in CI/CD systems. The event prompted many software companies to harden their development and deployment workflows.

2. MOVEit Data Breach

In 2023, MOVEit—a widely used managed file transfer software developed by Progress Software—was breached after attackers identified and exploited a zero-day vulnerability. The flaw allowed unauthorized actors to access sensitive data handled by organizations using MOVEit, resulting in large-scale data breaches affecting government agencies, corporations, and financial institutions.

The MOVEit breach illustrated how critical vulnerabilities in software central to data exchange workflows can expose countless organizations to the same risk. Attackers bypassed perimeter defenses by directly exploiting a trusted third-party platform, exfiltrating data before victims could respond. 

3. 3CX Supply Chain Attack

In early 2023, the 3CX communications software supply chain attack compromised both the company’s build environment and its downstream users. Attackers infiltrated the 3CX software development pipeline and inserted malicious code into the official desktop app installer. The trojanized application was signed and distributed via legitimate channels, infecting a wide range of company customers.

This attack emphasized the threat posed when attackers gain access to software development processes, as malware can spread globally through trusted distribution mechanisms. Many organizations only discovered the infection after the malicious code had established persistence or exfiltrated sensitive data. Post-attack, companies strengthened build environment controls and expanded validation efforts for software updates.

4. Okta Data Breach

Okta, a major identity and access management provider, suffered a breach in 2022 that highlighted the role of third-party vendors in enabling supply chain attacks. Attackers gained unauthorized access to a third-party customer support provider, which in turn had privileged access to internal Okta systems. This breach enabled attackers to view or potentially modify customer data and affect downstream security in organizations using Okta’s services.

The Okta incident demonstrated how even well-secured organizations can be at risk through their vendor relationships. Trust in the security of customer-facing tools and support infrastructure proved to be a vulnerability. As a result, the security community has placed increased emphasis on vetting third-party providers and reviewing the scope of their access.

5. Kaseya VSA

In July 2021, Kaseya—a provider of remote management software for managed service providers—fell victim to a significant supply chain attack. Threat actors exploited vulnerabilities in Kaseya’s VSA software, delivering ransomware to downstream customers. The attackers used the company’s position as an intermediary to distribute malicious payloads to hundreds of organizations worldwide.

The Kaseya incident underscored how attackers can leverage upstream vendors’ central roles to spread attacks rapidly and efficiently. Detection was delayed due to the trust given to Kaseya’s software updates and management tools. In response, organizations reevaluated their reliance on single-point solutions and reinforced monitoring and authentication for connections with essential IT vendors.

Best Practices for Strengthening Supply Chain Security 

Here are some of the ways that organizations can protect themselves from threats in their supply chain.

1. Implement Runtime Security Solutions

Deploying runtime security solutions helps identify and stop threats as applications and systems operate. These solutions monitor system behavior, detect deviations from baseline activity, and block or mitigate attacks in real time. By focusing on actual threats during execution, organizations can prevent exploitation even if threats have bypassed earlier defenses or originate from trusted—but compromised—sources within the supply chain.

Runtime security provides visibility across distributed environments, from on-premise infrastructure to cloud and containerized deployments. This capability is crucial because threats can bypass static analysis or code review processes, only activating after software is operational. Coupling runtime protection with automated alerting and response mechanisms limits the potential damage from a supply chain breach and accelerates incident remediation.

2. Vet Vendors Thoroughly 

Organizations must establish a formal vendor evaluation process that includes cybersecurity as a primary criterion. This should begin with a security questionnaire assessing the vendor's practices in areas like data protection, access control, vulnerability management, and incident response. 

Vendors should also provide evidence of security certifications (e.g., ISO 27001, SOC 2) and demonstrate regular third-party audits or penetration tests. Contracts must define security expectations, right-to-audit clauses, and breach notification requirements. Organizations should regularly review vendor performance, monitor for public vulnerability disclosures involving the vendor, and require re-assessments after changes like acquisitions or product updates. 

3. Implement a Zero Trust Architecture

Zero trust security operates under the principle that no user or device, inside or outside the network perimeter, should be trusted by default. Every access request is continuously verified based on identity, device state, and context before authorization is granted. Implementing zero trust can limit lateral movement and reduce the impact of compromised credentials or malicious insiders within a supply chain context.

This approach requires organizations to segment networks, apply least-privilege access, and enforce multifactor authentication for sensitive operations. Zero trust also enables granular monitoring and adaptive responses to anomalous behavior. By reducing implied trust between systems and partners, organizations strengthen defenses against threats introduced through third-party relationships or hijacked supply channels.

4. Enforce Strong Access Controls

Enforcing strict access control policies is essential to minimize the risk of unauthorized access within the supply chain. This means adopting the principle of least privilege, where users and systems are only granted access to resources necessary for their roles. Regularly auditing permissions, implementing role-based access controls (RBAC), and leveraging just-in-time provisioning can limit potential compromise points across partners and internal teams.

Automated enforcement of access policies ensures consistency and reduces human error. Integrating access controls with centralized identity management systems simplifies oversight and enables rapid revocation or adjustment of privileges in response to detected threats or role changes. 

5. Monitor for Anomalies

Security tools should analyze logs, user behavior, network traffic, and system events to highlight deviations from established baselines. Machine learning and advanced correlation engines can improve detection accuracy by recognizing complex attack patterns characteristic of supply chain compromises.

Timely response to anomalies requires integration between monitoring solutions and security operations workflows. Automated alerts, playbook-driven incident response, and feedback mechanisms help organizations rapidly contain and investigate suspicious events.

6. Secure the Development and Build Processes

Organizations should enforce code reviews, monitor for suspicious changes, and use reproducible builds to ensure that source code matches distributed binaries. Protecting build servers and CI/CD infrastructure with dedicated security controls, frequent updates, and restricted access reduces the risk of unauthorized manipulation.

Implementing automated static and dynamic security testing within the build pipeline helps identify vulnerabilities before deployment. Requiring cryptographic signing of releases, coupled with verification processes for third-party dependencies and plugins, further reinforces trust in the software supply chain. These layered measures make it more challenging for attackers to introduce malicious components at any stage of development or distribution.

7. Maintain and Incident Response and Recovery Plan

Organizations must develop and regularly test procedures for containing, investigating, and mitigating supply chain incidents, with dedicated communication protocols for engaging partners, vendors, and regulators as necessary. Clear roles and responsibilities during crises help reduce confusion and enable quick containment of threats.

Recovery strategies should include secure backup and restoration capabilities, as well as mechanisms for isolating and remediating compromised assets without disrupting critical operations. Post-incident reviews are essential for identifying root causes and implementing improved controls to prevent recurrence. 

8. Use Client-Side Protection Tools

Client-side protection tools help secure the user environment, where attackers often attempt to exploit browser-based interactions and user endpoints. Techniques like browser isolation create a virtual buffer between the user’s device and the internet, preventing malicious content from reaching the local system. 

Content security policies (CSPs) restrict the sources from which scripts and other resources can be loaded, reducing the risk of malicious code execution from compromised vendors or third-party libraries. Organizations should also deploy endpoint detection and response (EDR) tools that monitor user devices for suspicious behavior, unauthorized software changes, or data exfiltration attempts. 

Runtime Supply Chain Security with Oligo

Oligo provides real-time protection for the software supply chain by identifying and blocking the exploitation of vulnerable open source components that are loaded and executed. By enforcing security at runtime, Oligo eliminates noise from unexploitable vulnerabilities and stops attacks before they reach production, all without disrupting development velocity. This ensures that only the code your applications truly depend on is monitored and protected — with zero friction.