What is a Supply Chain Attack?
Instead of attacking you directly, attackers compromise a trusted third party - a software vendor, library, or service provider. When you install or update that party's product, the malware is delivered with it.
Trust is Weaponized
You trust software updates. Attackers exploit this trust by compromising the update mechanism itself.
Notable Attacks
| Attack | Year | Impact |
|---|---|---|
| SolarWinds | 2020 | 18,000+ organizations including US government |
| Kaseya | 2021 | 1,500+ businesses via MSP software |
| npm packages | Ongoing | Various malicious packages |
| CCleaner | 2017 | 2.27 million users |
Attack Vectors
- Compromised updates - Malware delivered through the vendor's official update channel
- Dependency confusion - A malicious public package that carries the same name as an internal package, so the package manager resolves the public one instead
- Typosquatting - Malicious packages whose names are a typo away from popular ones
- Compromised developer accounts - Stolen maintainer credentials used to publish a malicious version of a legitimate package
- Build system compromise - Malware injected into the build pipeline, so that official, signed releases contain it
Protection Strategies
- Verify software signatures - Check signatures and pinned hashes before installing, and fail the install on a mismatch
- Use SBOMs - Software Bill of Materials, so you know every component you run and can check it against published advisories
- Audit dependencies regularly - Pin versions and hashes, and review every new or changed package
- Zero trust architecture - Do not let vendor software inherit broad trust on the network
- Network segmentation - Limit how far a compromised vendor component can reach
- Vendor security assessment - Review suppliers' build, signing, and release practices
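The dependency checks above (typosquatting, dependency confusion, hash pinning) can be automated in a small audit step. The script below is an added example and is not part of the original page or any particular tool. It assumes a constructed lock-file format of one `name==version --hash=sha256:<hex>` line per package (modelled on pip's hash-pinning syntax), a constructed set of internal package names, a constructed allowlist of well-known public names, and a constructed snapshot of which names exist on the public index; all sample data is invented.

```python
"""Dependency audit helper (added example; constructed data throughout)."""
import hashlib
import re
from difflib import SequenceMatcher

# Constructed: packages this organisation publishes only to its private index.
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}

# Constructed: a small allowlist of well-known public package names
# used as the reference set for typosquat detection.
KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "cryptography"}

# Constructed: names that a lookup against the public index would return.
# "acme-auth" appearing here simulates a dependency-confusion attempt.
PUBLIC_INDEX_NAMES = {"requests", "urllib3", "reqeusts", "acme-auth"}

# Constructed placeholder digest; a real lock file carries the true sha256.
FAKE_DIGEST = "0123456789abcdef" * 4

# Constructed lock file: one typosquat and one unpinned internal package.
SAMPLE_LOCK = f"""
# constructed lock file
requests==2.31.0 --hash=sha256:{FAKE_DIGEST}
urllib3==2.2.1 --hash=sha256:{FAKE_DIGEST}
reqeusts==1.0.0 --hash=sha256:{FAKE_DIGEST}   # one transposition away from requests
acme-auth==0.4.2                               # internal package, no hash pinned
"""

LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?:\s+--hash=sha256:(?P<sha>[0-9a-f]{64}))?$"
)


def parse_lock(text):
    """Parse the constructed lock format into dicts; comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        entries.append({"name": m["name"].lower(),
                        "version": m["version"],
                        "sha256": m["sha"]})
    return entries


def looks_like_typosquat(name, known=KNOWN_PUBLIC, threshold=0.85):
    """Return the known name this one closely resembles, or None if exact/unrelated."""
    if name in known:
        return None
    for candidate in known:
        if SequenceMatcher(None, name, candidate).ratio() >= threshold:
            return candidate
    return None


def audit(entries, public_index_names, internal=INTERNAL_PACKAGES):
    """Return (package, finding) tuples for each risk detected in the lock file."""
    findings = []
    for e in entries:
        if e["sha256"] is None:
            findings.append((e["name"], "unpinned-hash"))
        suspect = looks_like_typosquat(e["name"])
        if suspect:
            findings.append((e["name"], f"typosquat-of:{suspect}"))
        # Dependency confusion: an internal name that also resolves publicly.
        if e["name"] in internal and e["name"] in public_index_names:
            findings.append((e["name"], "dependency-confusion-risk"))
    return findings


def verify_artifact(data, expected_sha256):
    """Integrity check of a downloaded artifact against its pinned digest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


# Constructed artifact; in practice the expected digest comes from the
# lock file or SBOM, not from the download itself.
SAMPLE_ARTIFACT = b"constructed wheel contents"
SAMPLE_ARTIFACT_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


if __name__ == "__main__":
    for pkg, finding in audit(parse_lock(SAMPLE_LOCK), PUBLIC_INDEX_NAMES):
        print(f"{pkg}: {finding}")
    print("artifact ok:", verify_artifact(SAMPLE_ARTIFACT, SAMPLE_ARTIFACT_SHA256))
```

The name-similarity threshold is a tuning choice: too low and ordinary short names collide with each other, too high and single-character transpositions slip through. Running the audit in CI against the committed lock file, and failing the build on any finding, turns the "audit dependencies regularly" advice into an enforced control rather than a periodic task.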