Supply Chain Attacks: Why Your Biggest Cyber Risk Might Not Be Your Problem to Fix
Imagine your business has done everything right. Your antivirus is up to date, your staff have completed security training, your Microsoft 365 is properly configured, and your IT provider is on top of patching. Then one morning you discover you have been breached – not because of anything your team did, but because a piece of software your accountancy package depends on was quietly compromised three months ago, before it even arrived on your systems.
This is a supply chain attack. And according to the latest data, it is now the defining cyber threat of 2025 and 2026.
The Numbers Are Stark
The Verizon 2025 Data Breach Investigations Report recorded the largest single-year shift in its history: third-party involvement in breaches doubled from 15% to 30% in a single year. That means nearly one in three breaches now traces back not to a direct attack on the victim, but to a compromise somewhere in their supply chain of software, services, or vendors.
The IBM 2025 Cost of a Data Breach Report puts a price on it: a supply chain compromise costs an average of $4.91 million and takes 267 days to identify and contain. That 267-day figure is the longest detection and containment window of any breach type tracked. For nine months, on average, nobody knows.
On the software side, Sonatype counted more than 454,000 new malicious open source packages in 2025 alone, a 75% jump year on year, bringing the cumulative total of known malicious packages above 1.2 million. These are packages that businesses, developers, and the software tools they buy every day may be pulling in without any awareness that something is wrong.
What Is a Supply Chain Attack?
A supply chain attack targets the trust relationships between organisations and the software, services, or vendors they depend on, rather than attacking the target directly.
The concept is straightforward. Attackers know that large organisations invest heavily in perimeter security. Breaking in directly is hard. But every organisation trusts something: a payroll provider, a cloud storage service, an accounting package, a piece of developer tooling, a browser extension. If an attacker can compromise that trusted supplier and embed malicious code or access into the product before it reaches the customer, they bypass every perimeter defence entirely. The malicious code arrives through a legitimate, trusted channel.
The scale effect is what makes this so attractive to attackers. Compromise one widely-used software component and you reach every organisation that uses it, simultaneously, without having to attack each one individually.
What Has Actually Happened in 2026
The incidents of the last twelve months illustrate how industrialised this has become.
In March 2026, a hacking group known as TeamPCP compromised Axios, one of the most widely used HTTP request libraries in web development, by taking over a lead maintainer’s account. They also hit Trivy, a popular security scanning tool used inside other software build pipelines, meaning that the security tool itself became the infection vector, running across thousands of repositories and harvesting credentials wherever it went. LiteLLM, an AI infrastructure library with roughly 3.4 million downloads per day, was also compromised in the same campaign.
In May 2026, a campaign dubbed “Megalodon” infected more than 5,500 software repositories through malicious commits disguised as legitimate automated contributions, harvesting cloud credentials, SSH keys, and CI/CD secrets. A separate TanStack attack published 84 malicious versions across 42 packages through the project’s own legitimate build pipeline in under six minutes.
Closer to home, the Marks and Spencer breach of May 2025 was traced to social engineering against employees at a third-party contractor. The operational disruption forced manual logistics processes, halted online shopping, and contributed to an estimated £300 million loss in operating profit. M&S did not get attacked directly. Their contractor did.
These are not incidents involving obscure tools. Axios and LiteLLM are mainstream, widely-deployed components. The organisations affected include OpenAI, Grafana, Cisco, and Checkmarx. If the tooling those organisations use can be compromised, the same risk applies to the everyday software that UK SMEs depend on.
Why It Is So Hard to Defend Against
Three factors make supply chain attacks particularly difficult to address.
Trust is the exploit. Perimeter defences filter for unknown or suspicious traffic. A software update from a vendor you have used for years, delivered through the same channel it always has been, is not going to trigger an alert. The malicious code arrives looking exactly like a legitimate update, because it came through the same process as every legitimate update before it.
Visibility is limited. Most organisations have reasonable visibility of their own systems. Very few have any visibility of their vendors’ security posture, or of the third-party components embedded in the software those vendors ship. The 267-day average detection time reflects this. Nobody is watching the right place.
The attack surface is enormous. Modern software is built on layers of open source components. A single application might depend on hundreds of libraries, each of which depends on dozens more. Sonatype’s data suggests that 95% of vulnerabilities are found in transitive dependencies: not the software you chose directly, but the software your software chose, and the software that software chose. Keeping track of that chain manually is not realistic for most businesses.
What This Means for UK SMEs
The sophisticated incidents described above involved development pipelines and open source ecosystems that most SMEs do not manage directly. But the supply chain risk for a typical UK business looks more like this:
- SaaS platforms. Your CRM, accounting software, HR system, or project management tool is a supply chain dependency. If that provider is breached, your data and potentially your access credentials may be compromised. A single SaaS vendor breach can sweep across every customer simultaneously.
- Managed service providers. Your IT provider has privileged access to your systems. Their security posture directly affects yours. This is a legitimate question to ask of any MSP: what is your own security accreditation, and how do you protect the access you hold on our behalf?
- Browser extensions and productivity tools. A malicious Chrome extension compromised 2,520 cryptocurrency wallets with $8.5 million stolen in a single incident in 2026. Browser extensions run with significant privileges and most users install them without any security review.
- Third-party contractors and freelancers. The M&S breach route. A contractor with access to your systems is a potential entry point if their own credentials or devices are compromised.
What You Can Actually Do
You cannot audit every piece of software your business depends on. But there are practical steps that meaningfully reduce your exposure.
Know your vendors. Maintain a simple list of the software and services your business depends on, who provides them, and what access they have. This does not need to be a formal risk register at SME scale: a spreadsheet that gets reviewed once a year is vastly better than no list at all. The goal is visibility.
Ask your suppliers about their security. Any significant software vendor or service provider should be able to point to Cyber Essentials certification, ISO 27001 accreditation, or an equivalent. If they cannot, that is a risk factor worth weighing. This is especially important for providers who hold your data or have privileged access to your systems.
Apply least privilege to third-party access. Contractors, software tools, and service providers should only have the access they actually need, for as long as they need it. Accounts should be removed promptly when a contractor relationship ends. Reviewing this periodically is straightforward and catches a surprising number of stale access points.
Monitor for unusual activity. Even if a supply chain attack succeeds in getting past perimeter defences, unusual behaviour inside your systems, unexpected login locations, unusual data access patterns, or new outbound connections, can still trigger detection. Security monitoring is not just about blocking attacks at the perimeter.
Keep software updated. When a supply chain compromise is discovered, vendors typically release a patched version quickly. Organisations running up-to-date software are exposed for a much shorter window than those running versions from months ago. Patching is not glamorous, but it remains one of the most effective controls available.
Have a response plan. If one of your key suppliers is breached, what do you do? Who decides whether to disconnect the integration? Who notifies affected customers if your data was involved? Thinking through this in advance, even informally, means the response is faster and more coherent when it matters.
The Broader Point
Supply chain attacks have become the dominant intrusion pattern because they are effective, scalable, and hard to detect. The attacker does not need to find a weakness in your defences: they need to find a weakness in someone you trust, then wait for you to invite their compromise in through the front door.
This does not mean traditional security controls are worthless. It means they are necessary but not sufficient. The organisations that weather supply chain incidents best are those with good vendor visibility, least-privilege access controls, active monitoring, and a response plan ready before the incident happens.
None of that requires an enterprise security team. It requires a clear-eyed view of what you depend on, and a partner who can help you manage the risk systematically.
How System Force IT Can Help
Vendor risk, third-party access management, and security monitoring are all areas we work on with clients as part of our managed security services. If you would like to understand your current supply chain exposure, or put better controls around the third-party access in your environment, we are happy to have that conversation.
Get in touch with the System Force IT team to talk through your supplier security posture and what a practical improvement programme looks like for your organisation.
Statistics in this article are drawn from the Verizon 2025 Data Breach Investigations Report, IBM Cost of a Data Breach 2025, Sonatype 2026 State of the Software Supply Chain Report, and Group-IB High-Tech Crime Trends Report 2026. This article reflects the threat landscape as of June 2026.


