Supply chain attack

A supply chain attack is a very broad class of cybersecurity attack that keeps getting more attention and being reinvented year after year. It is usually associated with APT[1] groups that infiltrate third-party companies to gain access to even bigger and more critical companies, or even governments.

It also covers other malicious activity aimed at gathering information from companies or projects that use third-party packages compromised by these bad actors. Third-party packages have become very common for building projects, installed through package managers such as pip for Python or npm for JavaScript. Attackers continue to exploit misspellings of famous package names (aka typosquatting) in the hope that an unaware developer installs them, or take over forgotten and/or poorly secured critical third-party packages that are requirements for a lot of companies and open-source software.

As if that weren’t enough, a newer kind of supply chain attack through browser extensions is equally powerful and broad: it can compromise the session cookies its users rely on to stay logged in to sites like Facebook or Google.

โ“ What?

Supply chain attacks can be divided, in general, into two categories. The first is the “traditional” way of infiltrating large companies or governments where direct access or compromise is not possible, or would take the bad actor more time than compromising third-party vendors. The other is the software supply chain attack, which has an even broader impact across companies of different sizes, open-source projects and even private projects, since it is not a targeted action but one meant to maximize the damage or the number of hosts compromised.

🔗 Traditional supply chain attacks

Generally this kind of attack is associated with APTs, who use it as a means to infiltrate a very secure environment that would be impossible, or would take a lot of time and resources, to infiltrate directly. It usually targets third-party companies that do business with the main target in order to exploit their trust relationship. This is usually an easier way into the target company or government than trying to defeat its high level of security. It can also involve software or hardware used to infiltrate the main target, but in a more specific and targeted manner.

๐Ÿ–ฅ๏ธ Software supply chain attacks

Software supply chain attacks, on the other hand, have an even broader range of damage than attacks focused on one group of companies or a government. The bad actor injects code into a package that is used by hundreds or even thousands of projects, which makes this kind of attack far broader than the previous, far more surgical one. That makes it extremely dangerous: it does not require sophisticated methods (sometimes all it takes is publishing a package whose name is a common misspelling of a famous one, or compromising a widely used library repository that is unattended or has poor security practices) and it has a broader range of damage.
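A defensive check for the misspelled-package case described above, as an added example that is not part of the original post: it compares a project's dependency names against a list of well-known names and flags near misses. The lists `POPULAR` and `DEPENDENCIES` are constructed for illustration, and the distance threshold of 1 is an assumption.

```python
import re

# Constructed allow-list of well-known names; in practice use your own list.
POPULAR = ["requests", "numpy", "pandas", "urllib3", "cryptography"]
# Constructed dependency list with three lookalike names.
DEPENDENCIES = ["requests", "reqeusts", "numpyy", "Flask_Login", "urlib3"]

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, swap adjacent chars."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalikes(deps, popular=POPULAR, max_distance=1) -> dict:
    """Map each dependency that is near, but not equal to, a popular name."""
    known = {normalize(p) for p in popular}
    flagged = {}
    for dep in deps:
        name = normalize(dep)
        if name in known:
            continue                      # exact match: the real package
        for target in sorted(known):
            if edit_distance(name, target) <= max_distance:
                flagged[dep] = target
                break
    return flagged

if __name__ == "__main__":
    for dep, target in lookalikes(DEPENDENCIES).items():
        print(f"{dep!r} looks like {target!r}: check before installing")
```

A flagged name is a prompt for manual review, not proof of malice; short names produce more false positives at the same threshold.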

โ“ How?

This kind of attack exploits the weakest link in the chain of trust, generally the trust that more security-minded companies or governments place in their third-party providers, or in the third-party libraries their software uses. Since breaking into these large companies and governments directly would take considerable resources and time, bad actors instead focus on exploiting their third-party providers, be it a software package, a third-party company or even a hardware provider.

In traditional supply chain attacks, this usually translates into three attack vectors that APTs can use:

  • Hardware supplier for a company or government agency
    • The malicious actor can use tampered components in the manufacturing, distribution or installation phases. Since this kind of attack is far more sophisticated than the others, it is usually related to APTs tied to an adversary state.
    • The two most notable ways to do this are firmware manipulation and malicious chips or other components pre-installed in the hardware, enabling a backdoor for the bad actor to break into the target's internal servers and move laterally in the internal network. It has been done before, despite the level of sophistication it requires.
  • Third-party software supplier to a company or government agency
    • Just like in the less targeted software supply chain attack, an actor can also compromise a third-party software company that provides services to one or more companies and find a way into the primary target through this less secure or vulnerable vendor. It can be an off-site backup provider or a SaaS[2] solution in general that serves one or more companies the actor wants to infiltrate.
  • Insider threats
    • Besides technical approaches, bad actors can also use the human factor to infiltrate their primary target through a vendor that the company trusts. Generally, employees of the vendor who have access to the primary target's assets are compromised (by social engineering, malware or even extortion). This makes it a very viable option, since the human factor is also one of the weakest links, which bad actors generally turn to when a more technical approach would prove more difficult.

On the other side of the spectrum, with a more destructive and broader effect, are software supply chain attacks on libraries or packages that are well known and used all over the world. Even though they are less targeted and less sophisticated than the traditional method, they have an even greater impact on the many companies and projects that simply use the package or library. They will certainly be “louder” than the stealthy, targeted approach APTs are known for, but the damage will be greater if they are not detected and fixed in time, giving the bad actor access to, or the ability to damage, many networks and servers across the world that use the affected package or library.

โ“ When & Who?

Starting with the more targeted approach, the “conventional” supply chain attack: in 2023 several big companies were affected by this kind of attack. One of them is Okta[3], which in October 2023 suffered a massive infiltration that led to the theft of its customers' session tokens, which could be used to break into its clients' networks.

Another very notable and important supply chain breach is that of SolarWinds[4], which in December 2020 had its products massively infiltrated, distributing compromised software through its updates to all its customers, ranging from US Fortune 500 companies and telecommunication companies to US government agencies like the Pentagon, the State Department and the US military. The actor behind the attack was later discovered to be APT29, aka Cozy Bear, of Russia's foreign intelligence service, making it a state adversary attack.

On the other side of the spectrum, even more destructive and broader in range than the surgical and well-planned APT attacks, is the compromise of third-party libraries, packages and open-source software.

In December 2024 a very popular JavaScript library on the npm package manager, solana/Web3.js, was compromised and weaponized to harvest the private keys of users' cryptocurrency wallets. This library is widely used, with more than 400,000 weekly downloads.

On the open-source software side, there was the xz[5] utility, which was compromised in February 2024. It is widely used across Linux distributions, from traditional ones like Debian to widely used ones like Ubuntu. The bad actor implanted a backdoor in xz to allow unauthorized access to systems, tracked as CVE-2024-3094.

Besides the traditional, software-based and open-source-based supply chain attacks, a new kind of attack took place on December 25th, 2024 (yes, the date is no mere coincidence: it was chosen to increase the time the malicious extension version would stay online before being taken down): a browser extension supply chain attack. The targets were all users of Cyberhaven’s Chrome extension who have a Facebook account. Even though it happened exactly on Christmas Day, the company did a very good job, taking down the compromised extension version (24.10.4) in less than 26 hours during such an important holiday and notifying affected customers on December 26 (again, a very impressive response time). Still, it had an impact, since Chrome extensions update automatically for all their users. The bad actor compromised one employee's Google Chrome Web Store account through a phishing attack on that employee and uploaded a compromised version of the extension, which reached all of the extension's subscribers. So we have a new kind of supply chain attack with broad impact and the power to propagate almost instantly through browser extensions, making it a very powerful and dangerous kind of cyber attack.

Another case worth mentioning for its scale and impact is the compromise of three of the biggest US telecom companies by the Chinese APT known as “Salt Typhoon”, discovered in October 2024. They infiltrated the US telecom infrastructure through compromised Cisco routers and had access to the call and text message metadata of millions of users and, of course, the data that piqued this APT group's interest was that of Washington D.C. residents. Reports in January 2025 also confirm that Salt Typhoon compromised U.S.-based internet providers besides telecom companies.

๐Ÿ›ก๏ธ Protection?

After seeing how supply chain attacks can have a great impact on big companies, developers, governments and even users, it becomes clear that placing trust in third-party assets is something that has to be evaluated carefully. Trust is earned with time, not something to be blindly accepted. Clearly, the mindset of “is what I use actually secure?” is the way to go.

  • For companies and governments, routinely checking and evaluating the security level of third-party providers should be prioritized in addition to their own security routine. That’s where guidelines like NIST SP 800-161 and ISO/IEC 27036 become increasingly important.

  • For users, I would recommend a “less is better” mindset: installing all kinds of browser extensions or all kinds of packages in your distro increases your attack surface, so limiting yourself to what you really need is the way to go. Yes, I know, the xz utility compromise is a very extreme case and would be almost impossible to mitigate in a user scenario, but good package and extension hygiene is far better than nothing.

  • For developers, there are a couple of ways to evaluate third-party libraries that can help mitigate this kind of attack in the software development life cycle: verify package integrity through checksum verification; regularly audit your dependencies with tools that do this automatically, like npm audit for npm or pip-audit for Python; lock dependencies to specific known “good” versions with package-lock.json for npm or a poetry.lock file for Python instead of using latest in the dependency specification (which also makes your software more stable by providing a solid baseline and avoiding problems with deprecated functions that the latest version may remove); and, of course, the obvious one, use trusted and verified sources for your dependencies, together with good SBOM[6] tracking, so you know what your dependencies are and, if something bad happens to them or a known vulnerability is discovered, you know you’re affected and can at least take some action.
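The developer checks above (no floating `latest` specs, a lock file with integrity hashes, checksum verification of what was downloaded) sketched as an added example that is not part of the original post. The manifest, lock entries, registry hosts and tarball bytes are constructed; the lock layout follows the `packages` map of npm's package-lock.json, and treating every spec not anchored to a version number as floating is an assumed policy.

```python
import base64
import hashlib
import re
# Constructed sample data: package names, versions and tarball bytes are made up.
TARBALL = b"constructed tarball bytes for example-utils 2.1.3"
MANIFEST = {"dependencies": {
    "example-utils": "^2.1.0",   # semver range, pinned by the lock file
    "example-http": "latest",    # floating dist-tag
    "example-any": "*",          # wildcard
}}

def sri(data: bytes, algo: str = "sha512") -> str:
    """Build '<algo>-<base64 digest>', the form package-lock.json stores."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

LOCK = {"packages": {
    "": {"name": "constructed-app"},
    "node_modules/example-utils": {
        "resolved": "https://registry.example/example-utils-2.1.3.tgz",
        "integrity": sri(TARBALL)},
    "node_modules/example-http": {"resolved": "http://mirror.example/example-http-4.0.0.tgz"},
}}

def floating_specs(manifest: dict) -> list:
    """Dependencies whose spec is not anchored to a semver version or range."""
    anchored = re.compile(r"[~^]?\d+\.\d+\.\d+")
    return sorted(name for name, spec in manifest.get("dependencies", {}).items()
                  if not anchored.match(spec))

def lock_findings(lock: dict) -> list:
    """Lock entries with no integrity hash or a non-HTTPS download URL."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":               # root project entry, not a dependency
            continue
        if "integrity" not in entry:
            findings.append((path, "missing integrity"))
        if not entry.get("resolved", "").startswith("https://"):
            findings.append((path, "resolved URL is not https"))
    return findings

def verify_integrity(data: bytes, integrity: str) -> bool:
    """Recompute the digest of downloaded bytes and compare with the locked value."""
    algo = integrity.split("-", 1)[0]
    if algo not in ("sha256", "sha384", "sha512"):
        return False                 # reject sha1 and unknown algorithms
    return sri(data, algo) == integrity

if __name__ == "__main__":
    print(floating_specs(MANIFEST), lock_findings(LOCK))
```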

Finally, like all cybersecurity problems, this one has no single silver bullet. It requires awareness and thinking about what you trust before actually using it; again, trust is earned through time and careful evaluation. This kind of attack teaches us that security goes beyond your own personal security and extends to the trust you take for granted in the things you use every day.


  1. APT stands for advanced persistent threat, typically a state or state-sponsored group and the most sophisticated category of hacking group.

  2. Software as a Service, like Dropbox, Okta or any software company that offers its software as a service for other companies to use.

  3. A large third-party identity and access management company.

  4. One of the major cybersecurity solutions companies.

  5. A widely used Linux utility to compress and decompress files, also used together with the tar utility to create compressed archive files with the extension known as tar.xz.

  6. A Software Bill of Materials is a comprehensive inventory of all software dependencies in an application.