What is a supply chain attack?
Supply chain attacks happen when threat actors compromise trusted third-party components (like software, services, and workflows) that organizations rely on, with the ultimate goal of infiltrating customers' downstream systems.
Unlike earlier high-profile cases that often tampered with on-premises hardware and software, modern supply chain attacks are increasingly cloud-native. This has two important implications:
Software supply chain risks allow attackers instant downstream access, meaning the slightest compromise creates a ripple effect across thousands of enterprise customers.
Cloud supply chains can be opaque due to transitive dependencies (a vendor depending on a third party that, in turn, depends on yet another). The effect? When the original dependency is attacked, some downstream customers might not even know they should be concerned until it’s too late.
Why are supply chain attacks so effective?
Here are the top reasons supply chain attacks are so successful in today’s environments:
Modern software development and deployment involves sourcing code, dependencies, and services from multiple vendors—so attackers simply exploit the trust inherent in this process, inserting malicious code into updates and compromising third-party services.
Supply chain attacks are difficult to defend against: Customers generally have limited visibility into the security practices of third-party vendors, especially when dependencies are buried deep within complex service chains.
The phases of a supply chain attack
Let’s take a look at how supply chain attacks work to further understand why they are so effective:
Phase 1: Reconnaissance
Rather than directly targeting well-defended organizations, attackers try to find weak links in the supply chain—attack vectors or backdoors in public repos, software dependencies, trusted update mechanisms, and CSP services.
Phase 2: Upstream attack and preliminary access
Once weaknesses are found, attackers proceed to exploit them by…
Injecting malware into legitimate software updates or patches (e.g., SolarWinds),
Inserting backdoors into source code (for example, XZ Utils),
Compromising build pipelines or developer tools pre-compilation (like XcodeGhost),
Conducting social engineering campaigns, or
Stealing vendor login credentials to gain unauthorized access to customer networks (for instance, the Target breach via an HVAC vendor).
Phase 3: Dormancy
With malware and logic bombs inserted, threat actors wait patiently until the dormant malicious code is activated (by customers installing malicious updates, for example).
If “phase 2” involved gaining direct access to vendor networks, attackers can use the persistent access to scope out potential targets.
Phase 4: Downstream delivery/access
Unsuspecting end users install infected updates, pull compromised images, or deploy malicious dependencies obtained through trusted delivery channels, triggering malware execution across the devices, CI pipelines, or runtime environments of scores of customers.
Phase 5: Privilege escalation and lateral movement
With access gained, threat actors move laterally within customer systems, escalating privileges, gaining root access, injecting ransomware, or exfiltrating sensitive information.
Phase 6: Persistence
Persistence is another reason supply chain attacks are so effective. Even after they are detected, hackers sometimes successfully mask the malicious script responsible for their persistent access, retaining backdoor access to reuse in other attacks.

Types of supply chain attacks
Software supply chain attacks
Software supply chain attacks infiltrate software vendor systems to deliver compromised software to thousands of customers.
According to CISA, common patterns include hijacking legitimate updates, undermining code signing, or compromising source code (e.g., via code injection or cross-site request forgery). Attackers also target development environments (CI pipelines and build systems) and container registries (through typosquatting and image poisoning).
Hardware supply chain attacks
Hardware supply chain attacks involve adversaries introducing counterfeit devices into the global supply chain. This could be through physical tampering during manufacturing or firmware and BIOS modifications. All these techniques aim at gaining full, persistent control of target hardware.
Third-party service attacks
These attacks target customers of cloud service providers (CSPs), managed service providers (MSPs), SaaS platforms, and AI vendors by compromising software updates, API keys, or service integrations.
Once installed, the compromised API keys or malicious updates are then used to gain access to all systems connected to the vendor. In third-party service attacks, attackers can move from upstream to downstream systems, as well as from tenant to tenant, particularly where multi-tenant isolation flaws exist.
Supply chain attack examples
Notable supply chain compromise attacks (like the Kaseya, Codecov, Log4j, NotPetya, and CircleCI attacks) demonstrate how successful threat actors have been at exploiting cloud supply chain risks. Below, we highlight a few—with links to more detailed reads.
Microsoft SAS token (2023)
Discovered by the Wiz Research team 2+ years after the initial exposure, this vulnerability happened when Microsoft AI researchers accidentally published an SAS token that granted complete access to Microsoft’s storage account (leaking more than 38 TB of sensitive data).
The public SAS token granted broad permissions (including read and write) to the storage account, potentially enabling model and data tampering. This incident emphasizes the need for configuration management and real-time monitoring in supply chain risk management.
Oracle Cloud Access Manager Incident (2025)
Reports from dark web monitoring suggested a possible exposure involving Oracle Cloud Access Manager, where an attacker allegedly sought help decrypting millions of records. While unconfirmed by Oracle, the incident highlights how third-party services can become attractive targets for attackers and underscores the importance of continuous monitoring of vendor risk.
Security impacts of supply chain attacks
Financial consequences
Due to their cascading effect, supply chain attacks are costlier than most, with vendors and customers both bearing the brunt. Global costs of software supply chain attacks alone are estimated at $60 billion in 2025, and they’re expected to reach a whopping $138 billion by 2031.
Compliance and regulatory consequences
Regulatory and industry frameworks (e.g., NIST SP 800-161r1 and NIST SP 800-218 SSDF, ISO/IEC 27036, NIS2, DORA, and OpenChain ISO/IEC 5230) are tightening supply chain requirements for vendors and enterprise customers alike, with significant fines for non-compliance. The takeaway? Businesses need to take proactive steps before supply chain attacks get them in trouble.
Supply chain attack mitigation strategies
Secure the development lifecycle
Start by embedding mandatory and continuous security scans like software bill of materials (SBOM) generation, static application security testing (SAST), software composition analysis (SCA), and IaC scanning throughout the code-to-cloud pipeline.
This will provide visibility into artifact origin and verify third-party component integrity via signing and attestations (e.g., Sigstore/Cosign), covering software, dependencies, certificates, and updates. These controls help protect your stack from breaking changes and flag unsafe third-party software configurations.
Implement secure coding practices (e.g., secrets never in code, parameterized queries, input validation, memory-safe patterns) and strong cryptography for data in transit and at rest. Dependency management should include automatically blocking vulnerable dependencies before deployment. Build environment hardening means enforcing secure configurations and sourcing updates and certificates only from trusted sources.
Secrets management and access controls are equally essential. Enforce role-based access controls (RBAC), secrets management best practices (like rotating secrets), and CI security strategies to curtail unauthorized access and minimize the potential damage of attacks.
Uncover shadow IT to surface unmonitored supply chain risks. Best practice? Use tools that map asset communications and relationships to detect unknown resources.
Automate secure software updates to prevent them from being sourced from hoax sites by unsuspecting employees.
Ensure third-party risk management
Before onboarding vendors, conduct rigorous assessments and verify adherence to regulatory requirements.
Don’t stop at pre-deployment assessments: continuously monitor vendor security posture, including software supply chain vulnerabilities discovered (Wiz threat research can help you with this) and the vendor's response.
Continuously map transitive dependencies to understand dependency relationships and immediately spot threats that you’re susceptible to.
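One way to map transitive dependencies, shown as an added example that is not code from Wiz or any vendor: it walks the dependency graph of a CycloneDX-style SBOM and returns the path from the application to a flagged component, which also serves as a pre-deployment gate. The SBOM, component names, versions, and advisory input are constructed for illustration.

```python
from collections import deque

# Constructed sample: minimal CycloneDX-style SBOM (all names and versions are made up).
SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "billing-api", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:a", "name": "http-client", "version": "4.1.0"},
        {"bom-ref": "pkg:b", "name": "retry-helper", "version": "1.0.2"},
        {"bom-ref": "pkg:c", "name": "compress-lib", "version": "1.4.2"},
        {"bom-ref": "pkg:d", "name": "yaml-parser", "version": "3.0.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:a", "pkg:d"]},
        {"ref": "pkg:a", "dependsOn": ["pkg:b"]},
        {"ref": "pkg:b", "dependsOn": ["pkg:c"]},
        {"ref": "pkg:c", "dependsOn": ["pkg:b"]},  # cycle: traversal must still terminate
    ],
}

def dependency_paths(sbom, bad_name, bad_versions):
    """Return the shortest root-to-component path for each flagged component."""
    root = sbom["metadata"]["component"]
    info = {c["bom-ref"]: c for c in sbom.get("components", []) + [root]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    parent = {root["bom-ref"]: None}  # doubles as the visited set
    queue, hits = deque([root["bom-ref"]]), []
    while queue:
        node = queue.popleft()
        comp = info.get(node, {})
        if comp.get("name") == bad_name and comp.get("version") in bad_versions:
            path, cur = [], node
            while cur is not None:  # walk parents back to the application
                c = info.get(cur, {"name": cur, "version": "?"})
                path.append(f'{c["name"]}@{c["version"]}')
                cur = parent[cur]
            hits.append(path[::-1])
        for child in edges.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return hits

def gate(sbom, advisories):
    """Map {name: affected versions} to dependency paths; a non-empty result blocks deploy."""
    found = {n: dependency_paths(sbom, n, v) for n, v in advisories.items()}
    return {n: paths for n, paths in found.items() if paths}
```

A path longer than two entries means the flagged component is transitive: the application never declared it directly, which is the case the SBOM walk is meant to surface.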
Adopt zero-trust architecture
Zero trust is an important ingredient of the supply chain security framework. Implementing zero-trust principles like continuous authentication, strict authorization, least privilege, and network segmentation limits attackers’ ability to exploit vendor trust in any part of your infrastructure.
Prioritize runtime monitoring and response
After taking steps to prevent supply chain attacks, detection and response come next:
Continuously monitor your runtime environment to pinpoint anomalies and early indicators of compromise (IoCs). Deploy cloud detection and response (CDR) and security information and event management (SIEM) tools with analytics to detect anomalies and accelerate investigations.
Correlate runtime behavior with software inventories (SBOMs and provenance) to map vulnerabilities to real-time signals and the specific dependency, source file, or commit responsible – across every affected component.
Design and test incident response procedures specifically for supply chain attacks: Detail each team member’s role and emphasize containment speed and secure recovery.
Securing your supply chain with Wiz
Comprehensive supply chain security requires visibility across the entire code-to-cloud lifecycle, and Wiz has a solution for every phase:
Wiz Code delivers comprehensive SBOM, SAST, and SCA capabilities alongside continuous scanning of source code and third-party components throughout the software lifecycle. Code-to-cloud correlation ensures findings in code, builds, and registries are traceable to the running workloads and owners, so remediation is precise and fast.
The Wiz Security Graph maps relationships across code, pipelines, cloud resources, identities, and data so you can trace attack paths from runtime back to the exact source commit and owner for rapid, durable fixes.
Wiz Defend incorporates live threat data and MITRE TTPs into real-time threat detection, with specific coverage for supply chain risks like malicious packages, compromised images, and anomalous API behaviors. Context-aware detections fuse runtime signals with cloud identities, network exposure, and data sensitivity to cut noise and escalate only material threats — ensuring faster, more accurate responses to supply chain compromises.
Wiz's unified platform eliminates blind spots that attackers exploit in fragmented security tool stacks and maintains an always-current inventory of APIs, images, packages, identities, and data stores, with ownership mapped for rapid action.
Ready to harden your software supply chain end-to-end? Get a demo and see how to prioritize real attack paths, enforce signed/provenanced builds, and catch issues before they reach production.