Supply Chain Attacks: How Attackers Target the Platforms You Trust and What You Can Do About It

What’s the one threat you’re likely ignoring, yet has the power to damage your brand? Recent supply chain attacks have quietly turned the third-party systems you trust into ticking time bombs. They target you at home and in the boardroom - which brings up an important question: What exactly is a supply chain attack, and how do you stop it before it’s too late? 

What is a supply chain attack?  

In a nutshell, a supply chain attack happens when attackers target the vendors, software providers, or service platforms you trust. This means every app you use, and every SaaS tool your business integrates is an unseen entry point for attackers. 

Whether you’re a consumer or business owner, your best defense isn’t a single tool or technique but how you approach trust, visibility, and risk management.  

Today, the average software project includes 68.8 dependencies, with 5.1 critical vulnerabilities per application and 80% of dependencies remaining unpatched after more than a year. 

A compromised app with unpatched dependencies can ripple across thousands of organizations, affecting millions of users. 

In a plotline worthy of a techno-thriller (think Zero Day by Mark Russinovich or Daemon by Daniel Suarez), “rose87168” exfiltrated six (6) million sensitive records from Oracle Cloud’s SSO and LDAP systems. The stolen data included encrypted passwords, OAuth2 keys, and email addresses. 

The hack was traced to an Oracle Fusion Middleware vulnerability, which “rose87168” exploited to take full control of Oracle Access Manager and its OpenSSO agent. This enabled the exfiltration of data from over 140,000 unsuspecting organizations. 

After the attack, “rose87168” showed up on the BreachForums platform (relaunched under new domains in mid 2025) to peddle their spoils to the highest bidder. 

Before you shrug this off as another hacker “stunt,” ask yourself: How many third-party tools do you rely on, and how many of them are at risk? 

Below, we talk about how supply chain attacks work and why attackers are weaponizing them. 

How do supply chain attacks work? 

In 2025, software supply chain attacks have dominated the broader attack landscape as sophisticated, multi-phase operations.  

These attacks involve attackers hijacking software updates or popular open-source packages that millions of people use daily. 

Here's a breakdown of how they work, based on recent incidents like the npm breach in September 2025: 

Initial access via social engineering

• Attackers began with phishing campaigns targeting maintainers of popular open-source packages.  

• In the npm attack, an email from support@npmjs.help tricked an npm maintainer, Josh Junon, into updating his two-factor authentication credentials on a phishing page. 

A maintainer is authorized to manage packages on the npm registry. An npm package is a distributable unit of JavaScript code that developers can install and reuse in their own applications. Essentially, an npm registry is a library of packages. 

Account takeover

• After his credentials were stolen, the attackers used them to gain access to Junon’s maintainer account. They leveraged the same tactics to hijack accounts on other platforms, including GitHub, PyPI, DockerHUB, Cloudflare, and Amazon Web Services. 

Malicious code or payload injection

• With account access, the attackers updated 19 open-source packages with malicious code. These packages are highly popular, downloaded over two (2) billion times weekly. 

• Essentially, the attackers modified JavaScript to hook into (or attach to) browser functions (like fetch and XMLHttpRequest) that handle crypto transactions. 

Payload execution

• The payload monitored wallet activity, swapped wallet addresses with attacker-controlled ones, and redirected funds to attacker-controlled wallets. 

• This occurred in real-time, affecting users who installed or used compromised packages. 

Propagation via dependencies

• Because many packages were deeply embedded in dependency trees, the payload spread widely.  

But what’s a dependency tree? First, a dependency is a specific npm package a developer picks out to use in their project. It's any external piece of code their software needs to work properly. By extension, a dependency tree constitutes a family of npm packages. 

• Many developers thought they were safe because they didn’t install the compromised packages. However, the packages were included automatically through other dependencies. So, their projects were still infected. 

• Despite the successful attack, however, SC Media reports that the financial impact was minimal. The attackers only managed to haul in $1,027 worth of crypto for their trouble. But even though the theft was small, the greater danger lies in exposed credentials. 

Data exfiltration

• In a related "s1ngularity” npm supply chain attack, threat actors leaked corporate secrets and exposed private repositories. There were three (3) phases to the attack. 

S1ngularity Phase 1 (August 26-27, 2025) 

Attackers exploited a vulnerability in the Nx GitHub Actions workflow to publish a malicious npm package, which included a malware script. The malware was a credential stealer targeting Linux and macOS systems.  

After harvesting sensitive secrets like SSH keys, GitHub tokens, and npm credentials, the attackers uploaded them to public GitHub repositories. Phase 1 impacted 1,700 users and exposed 2000+ unique secrets and 20,000 files. 

S1ngularity Phase 2 (August 28-29, 2025)

The attackers used the stolen GitHub credentials from Phase 1 to flip private repositories to public. This led to another 480 accounts compromised and 6,700 private repositories belonging to organizations exposed. 

S1ngularity Phase 3 (begun on August 31, 2025)

Finally, the attackers targeted a single organization, using two compromised accounts to publish an additional 500 private repositories. 

Ultimately, the “s1ngularity” attack shows the attackers didn’t just stop after Phase 1. They continued probing and looking for higher-value targets. The attackers also used AI tools to automate reconnaissance and exfiltration.  

The above attacks highlight three (3) software supply chain risks: 

• Trusting dependencies implicitly is a trap: As seen in the npm attacks, even widely used packages can be compromised, putting your brand at risk of operational disruptions, financial loss, and reputational damage. 

• CI/CD pipelines are high value targets: CI/CD (continuous integration/continuous delivery) accelerates development by automating the building, testing, and deployment of new code. If attackers compromise your pipeline by injecting malware, it means every user who downloads your app gets infected.  

• Credential sprawl can expose your intellectual property to anyone who knows where to look: Do you store GitHub tokens, SSH keys, and npm credentials in private repositories? In the “s1ngularity” attack, attackers flipped private repositories to public, exposing proprietary code to the world. This shows how a single workflow failure can compromise an entire supply chain. 

If you’re thinking, “this can’t happen to me,” think again. Attackers aren’t after your code or backyard projects. Their real target is the software systems powering services that matter to EVERYONE: energy grids, clean water, hospitals, cellular service, internet access, transportation.  

Attacking the platforms and vendors you trust allows them to bypass your defenses and shut down the vital services you and your customers depend on, which brings us to an important question. 

Which industries are experiencing supply chain attacks? 

The IT, tech, and telecommunications sectors sit squarely in the crosshairs. This group alone accounts for 63% of documented software supply chain incidents.  

It’s a strategic entry point for attackers aiming to reach targets across multiple industries. 

Let's explore the critical services threat actors are targeting: 

Utilities and energy

• Attacks on U.S. utilities surged by nearly 70% in 2024, targeting operational technologies like SCADA systems and smart grid infrastructure. 

• 90% of repeatedly compromised energy companies were breached via third-party systems. 

• 67% of third-party breaches stemmed from IT and software vendors, not other energy companies. 

• Attacks against water treatment plants are surging: In 2024, American Water (the largest water utility in the U.S.) was hit, impacting 14 million customers across 14 states and 18 military installations. 

Healthcare

• 64% of healthcare organizations experienced supply chain attacks in the past two (2) years. 

• Of those, 77% reported disruptions to patient care, including increased complications and higher mortality rates. 

Banking 

• In 2024, 97% of the top 100 U.S. banks experienced a third-party data leak. 

• 97% of these banks also suffered fourth-party breaches due to just 2% of vendors. 

Telecommunications

• Telecom giants like Verizon, AT&T, and T-Mobile have faced major supply chain attacks, often linked to state-sponsored groups like Salt Typhoon. 

• The global cost of software supply chain attacks is expected to hit $60 billion in 2025, with telecom among the most vulnerable industries. 

Supply chain risk cybersecurity: How to protect against supply chain attacks 

The devastating impact of supply chain attacks has shifted the frontline of defense. 

It’s no longer just about protecting your own assets but about securing every link in your supply chain. Let’s break down what that looks like. 

Why is software supply chain risk management important? 

Daily, you rely on software built with interconnected parts from diverse sources. A single compromised functionality can create a backdoor through which attackers infiltrate your network, steal trade secrets, and threaten public safety. 

In early 2025, CISA investigators discovered a vulnerability in Contec CMS8000 patient monitors. By design, the device firmware automatically connects to an external IP address not controlled by the manufacturer, but by nation state actors. Patient data is transmitted in plain text to this external IP address. 

And that’s not all: The backdoor gives attackers the ability to control monitors through remote code execution.  

What this means is that attackers can run arbitrary code on the device remotely. This allows them to change the device configuration or overwrite critical files, effectively controlling how the monitor operates. 

Such modifications could lead to monitors displaying inaccurate vital signs – which directly impacts patient safety, given that healthcare providers depend on accurate data to make treatment and care decisions. 

This is why software supply chain risk management is critical. An effective strategy: 

• Builds trust with customers and partners who rely on the security of your system 

• Prioritizes thorough vendor qualification, regular audits, and rapid coordination across all partners   

• Proactively identifies and mitigates vulnerabilities at every level, from software developers to manufacturers and logistic providers 

• Embraces Zero Trust principles, where no vendor or component is automatically trusted 

• Invests in transparency and real-time visibility tools to detect anomalies early 

• Tailors incident response plans to effectively address supply chain disruptions 

Put simply, software supply chain risk management is about stopping threat actors from gaining a foothold and exploiting the weakest link to cause widespread disruptions. 

The reality is that no individual or organization stands alone, and this is where C-SCRM comes into play.  

Supply chain risk cybersecurity: What is cyber supply chain risk management (C-SCRM)? 

Cyber supply chain risk management (C-SCRM) refers to the set of strategies and tools used to identify and mitigate risks across your entire supply chain. 

It’s a comprehensive approach that involves not just securing your own environment but also managing the risks posed by third parties. 

In 2023, the White House brought supply chain security into sharper focus through the National Cybersecurity Strategy, a bold vision for addressing supply chain vulnerabilities. It's structured around five (5) pillars: 

National Cybersecurity Strategy Pillar	Focus
Defend critical infrastructure	Strengthen resilience of essential services like energy, healthcare, and transportation Promote public-private collaboration
Disrupt and dismantle threat actors	Integrate diplomatic, information, military, financial, intelligence, and law enforcement capabilities to target cybercriminals and nation-state threats Ensure disruption campaigns become so sustained and targeted that criminal cyber activity is rendered unprofitable and ineffective
Shape market forces to drive security & resilience	Incentivize secure development of IoT devices Hold vendors and manufacturers accountable for insecure products or services Use federal grants to make investments in critical infrastructure that are designed with cybersecurity and all-hazards resilience in mind. Explore a federal insurance backstop where the federal government covers the costs of catastrophic attacks that cripple critical infrastructure
Invest in a resilient future	Address pervasive concerns such as Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and the slow adoption of IPv6 Prepare for a post-quantum future Secure clean energy assets Support development of a digital identity ecosystem Implement a National Cyber Workforce and Education Strategy
Forge international partnerships to pursue shared goals	Coordinate worldwide cybersecurity efforts Build coalitions to reinforce responsible state behavior Strengthen international partner capacity Secure international supply chains for information, communications, & operational technology products and services

 

The strategy directly addresses software supply chain risks through several initiatives: 

• Secure Software Development Framework (SSDF): NIST is tasked with updating SSDF to include best practices for secure software delivery. 

• Software Bills of Materials (SBOM): CISA will be advancing SBOM adoption by vendors as a key building block of software supply chain risk management. The goal is to improve transparency and visibility. An SBOM is like an “ingredients list” for software. It lists the software components and any open source or third-party components used. 

• Zero Trust Architecture: The federal government is leading the charge in supply chain risk cybersecurity, with a focus on multi-factor authentication, identity & access controls, and data encryption to strengthen critical supply chains in the energy, transportation, agricultural, public health, and ICT (information & communications) sectors. 

• Public-Private Collaboration: The strategy emphasizes working with industry leaders to secure open-source ecosystems and CI/CS pipelines. 

Ultimately, the White House initiative recognizes an important truth: Modern supply chain attacks don’t just target systems; they exploit trust. As the threats increase, no one is truly secure until everyone is secure. 

Why your most valuable digital secrets need LastPass

When it comes to guarding your most sensitive secrets – like npm credentials, SSH keys, and GitHub tokens – there's no room for shortcuts. 

You must secure them with solid access controls. 

With LastPass, you get: 

Secure Notes

Sometimes, your secrets don’t fit neatly into a “password” box. With LastPass, you can keep SSH keys, GitHub tokens, and npm credentials safe in Secure Notes. This means you store your secrets in one place, fully encrypted and accessible only after you authenticate. No more sticky notes or GitHub repositories. 

AES-GCM-256 encryption

This gold standard for encryption is so powerful it’s trusted by intelligence agencies, governments, and banking systems worldwide. With LastPass, your data is converted to ciphertext and remains unreadable to hackers. 

FIDO2 MFA

Threat actors enter your systems with stolen credentials from vendors you trust. But with FIDO2 MFA like passkeys and hardware security keys, your logins are tied to your device and biometric information. There are no passwords or codes to intercept. FIDO2 MFA is also phishing resistant, which means you and your vendors won’t be the weakest link in the supply chain. 

URL encryption

Your credentials to high-risk accounts are protected with URL encryption. This means attackers can’t link URLs to credentials and the services they access. 

Secure autofill

With LastPass, you get smart autofill with security options and Never URL rules. You log in faster and safer and never risk exposing your credentials to prying eyes. It’s ultimate convenience paired with smart, seamless security. 

Dark Web Monitoring

As seen in the npm attacks, hackers like to sell stolen credentials on the Dark Web. With LastPass Dark Web Monitoring, you get an early warning system if any of your email addresses are compromised. This means you can act quickly to update your credentials before the attackers exploit the information. 

LastPass securely stores my passwords for the sites I visit. I love that it can autofill the username and password when I visit a site. Additionally, I like the fact that it generates strong passwords for me. It can also store passkeys and other sensitive information, such as credit cards and social security numbers. The app is very easy to use (Lara K, senior manager of web development and verified G2 reviewer).

Ready to enjoy effortless security and greater peace of mind? Unlock your LastPass free trial today (no credit card required).  

Type of account	Who it’s for	Free trial?
Premium	For personal use across devices	Yes, get it here
Families	For parents, kids, roommates, friends, and whoever else you call family (6 Premium accounts)	Yes, get it here
Teams	For your small business or startup	Yes, get it here
Business	For small or medium-sized businesses	Yes, get it here
Business Max	Advanced protection and secure access for any business	Yes, get it here

 

Sources:

https://www.sisainfosec.com/blogs/npm-supply-chain-attack-hits-packages-with-billions-of-weekly-downloads-advisory-by-sisa-sappers/

https://arstechnica.com/security/2025/09/software-packages-with-more-than-2-billion-weekly-downloads-hit-in-supply-chain-attack/

https://www.ox.security/blog/npm-packages-compromised/

https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/

https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/publications

https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf

https://healthsectorcouncil.org/wp-content/uploads/2023/10/HIC-SCRiM_2023-2.pdf