Supply‑chain focus grows
Threat actors are concentrating attacks on software and vendor supply chains as a route to larger system access, not just individual endpoints. (x.com) That concentrated push means compromising a single supplier can give attackers broad footholds — so defenders should prioritize supplier controls and access monitoring now. (x.com)
Attackers are going after the places where trust accumulates. Not just laptops. Not just servers. They are aiming at software packages, IT vendors, cloud providers, and the long chain of companies that connect one organization to another. The logic is brutal and simple: compromise one supplier, and you may inherit access to hundreds or thousands of customers at once (microsoft.com, cisa.gov).

That shift is no longer a theory. Verizon's 2025 Data Breach Investigations Report found third-party involvement in breaches doubled to 30% in a year, a stark sign that outside vendors and service providers have become a mainstream route into victim networks (verizon.com). CrowdStrike's 2026 threat report went further, calling supply-chain attacks a defining tactic of 2025, with intruders compromising upstream providers, development ecosystems, and public code repositories to reach downstream targets at scale (crowdstrike.com).

The reason this works is that modern companies are stitched together from borrowed parts. Business software depends on open-source libraries. Internal systems depend on contractors and managed service providers. Customer data often sits with a processor, a payroll firm, or a cloud analytics platform. CISA has been warning that weaknesses in this information and communications technology supply chain can affect every user of a compromised product or service, because the same vulnerable component is replicated everywhere (cisa.gov).

Recent cases show how wide that blast radius can get. The 2024 ransomware attack on Change Healthcare hit a single payment and claims processor, then rippled across U.S. hospitals, pharmacies, and clinics; by January 2025, the company said roughly 190 million people were affected (securityweek.com). The MOVEit file-transfer campaign followed the same pattern from the software side: one widely used managed file transfer product was exploited, and data from more than 95 million people was ultimately exposed across many victim organizations (bleepingcomputer.com).

What has changed lately is the speed and granularity of these attacks. They are not always giant, cinematic compromises like SolarWinds. Sometimes they are smaller and more surgical. A threat actor compromises a maintainer account. A poisoned package lands in a dependency tree. A vendor portal hands over privileged access. Microsoft disclosed on April 1, 2026, that the widely used JavaScript library Axios had been hit in an npm supply-chain attack, with malicious versions pulling code from attacker infrastructure and dropping a remote access trojan on Windows, macOS, and Linux systems (microsoft.com). GitHub said this week that a new pattern has emerged across the open-source ecosystem: attackers are stealing secrets from workflows so they can publish malicious packages and then use those footholds to compromise still more projects (github.blog).

That is why the defensive advice has shifted from "patch faster" to "trust less." CISA, NSA, and partner agencies have pushed SBOMs as a way to see what software is actually made of, and CISA has also published supplier-focused guidance that treats vendors as active security dependencies, not procurement paperwork (cisa.gov). GitHub has tightened npm protections with stronger authentication and trusted publishing after what it described as a surge in package registry attacks (github.blog).

For defenders, that means watching the suppliers that already sit inside the perimeter. It means auditing vendor access, limiting standing privileges, rotating credentials tied to build systems, and monitoring for unusual behavior in CI/CD pipelines and third-party integrations. The old model assumed compromise began at the edge. The new one starts inside the trust boundary: a trusted update, a contractor login, or a poisoned dependency such as the two malicious Axios versions, 1.14.1 and 0.30.4, uploaded on March 31, 2026 (microsoft.com).
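One concrete form of the SBOM and lockfile checking the article calls for, as an added example that is not part of the article or of any vendor's tooling: a Python scan of an npm package-lock.json or a CycloneDX SBOM for the two malicious Axios versions the article names. The lockfile below is constructed for illustration; the point it makes is that the resolved version recorded in the lockfile or SBOM is what must be checked, because a package.json range such as ^1.14.0 would accept 1.14.1 without complaint.

```python
import json

# The two malicious Axios versions the article names (microsoft.com); the
# scanner itself is an added illustration, not any vendor's tooling.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}

def _lockfile_hits(lock):
    """npm package-lock v2/v3: 'packages' keys are install paths such as
    'node_modules/axios' or 'node_modules/dep/node_modules/axios'."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # works for @scoped/names too
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.append((name, meta["version"], path))
    return hits

def _cyclonedx_hits(sbom):
    """CycloneDX JSON SBOM: flat 'components' list with name/version/purl."""
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        if comp.get("version") in COMPROMISED.get(name, ()):
            hits.append((name, comp["version"], comp.get("purl", "")))
    return hits

def find_compromised(text):
    """Return (name, version, location) for every known-bad package in a
    package-lock.json or CycloneDX document given as a JSON string."""
    doc = json.loads(text)
    if "packages" in doc:
        return _lockfile_hits(doc)
    if "components" in doc:
        return _cyclonedx_hits(doc)
    raise ValueError("not a package-lock.json or a CycloneDX SBOM")

# Constructed lockfile: ^1.14.0 resolved to 1.14.1 at top level, and an older
# dependency pinned the legacy 0.x line underneath it.
SAMPLE_LOCK = json.dumps({
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/legacy-sdk": {"version": "2.0.0"},
        "node_modules/legacy-sdk/node_modules/axios": {"version": "0.30.4"},
    },
})

if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCK))
```

Nested copies matter: a clean top-level Axios says nothing about the copy a transitive dependency pulled in, which is why the scan walks every install path rather than only direct dependencies.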