Supply chain attacks have been declared the number one global cyber threat of 2026 by Group-IB's High-Tech Crime Trends report, and the data behind that designation is unambiguous. IBM research documents a fourfold increase in supply chain attacks since 2020. The Verizon Data Breach Investigations Report 2026 reveals that third-party involvement in breaches doubled in a single year, from 15% to 30%: nearly one in three breaches now involves a vendor, contractor, or software dependency rather than a direct attack on the target organization. The most alarming metric is the downstream cascade: each supply chain breach now produces an average of 5.28 victim organizations, the highest multiplier ever recorded.

Two 2025 campaigns illustrate the scale of what is possible. Scattered Spider, a financially motivated threat group, compromised over 700 organizations by abusing trusted third-party integrations with Salesforce environments rather than any flaw in Salesforce itself, pivoting through interconnected vendor relationships so that each trusted connection became a new attack path. The Shai-Hulud campaign demonstrated the open-source vector: a self-propagating worm injected malicious code into more than 800 npm packages, harvesting maintainers' publishing credentials from each infected environment to spread to further packages, and downstream developers unknowingly incorporated the poisoned packages into production applications.

In 2025, 136 verified supply chain breach events were publicly disclosed, but the rate has accelerated sharply since April 2025, averaging 26 incidents per month, double the prior rate. The Marks and Spencer supply chain compromise of 2025 demonstrated that retail is as exposed as technology and financial services.

Organizations face a structural disadvantage: they can audit their own security posture, but they cannot directly control the security practices of their vendors' vendors. The effective attack surface of an organization is now the cumulative attack surface of every entity in its supply chain.
Comments on "Supply Chain & Third-Party Attacks"