What’s a Software Supply Chain Attack? Examples and Prevention

Sophisticated cyberattackers have now expanded their focus beyond front-end applications.

Increasingly, attackers target software supply chain factory components like pipelines, build servers, libraries, tools, and processes.

Expert nation-state attackers and professional cybercriminals know that these software supply chain attacks are one-to-many type attacks that get them more bang for their buck.

Knowing how these attacks work is the first step to preventing them. Here’s a guide to the definition of a supply chain attack, examples, and what security measures to put in place.

What's a Software Supply Chain Attack?

Software supply chain attacks occur when cybercriminals infiltrate your software through any part of the software factory. A common way this happens is through third-party libraries, build assets, dependencies, and vulnerable code, but any assets or networks can be affected.

Most organizations think of their software supply chain as just the open source code they consume, but it is more than that. Every element of the software factory is part of the supply chain: source repositories, CI/CD pipelines, build servers, dependencies, developer tooling, and the people and processes around them. Each is a potential entry point, so you need an inventory of all of them before you can defend any of them.

How Do Software Supply Chain Attacks Work?

In general, attackers target whatever they perceive to be the weakest link. Many supply chain attacks start with a misconfiguration, for example a build server or CI job that exposes credentials; those credentials then grant access to other parts of the SDLC, such as source repositories, artifact stores, or signing keys. If your organization has robust security measures, attackers may instead compromise a third party they know you use and reach you through it.
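One concrete check against the misconfiguration described above is to scan CI build output for credentials before it is archived or shared. The POSIX shell snippet below is an added example, not code from the article or from any vendor: it counts and reports log lines that look like leaked secrets, masking the values so the report itself does not leak them. The log lines are constructed for the demo, and the token formats it matches (AWS access key IDs beginning with AKIA, classic GitHub personal access tokens beginning with ghp_, and PEM private-key headers) are assumptions about those formats rather than anything the article states.

```shell
#!/bin/sh
# Added example, not from the article: scan a CI build log for credentials
# that a misconfigured build server may have printed. The regexes are
# assumptions about common token formats; extend them for your own providers.
SECRET_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN( [A-Z]+)? PRIVATE KEY-----'

# count_leaks FILE: print the number of log lines that contain a credential.
# grep -c prints 0 and exits 1 when nothing matches, so swallow that status.
count_leaks() {
    grep -E -c "$SECRET_RE" "$1" || true
}

# report_leaks FILE: print the offending lines (numbered, with token values
# masked) and return 1 so the CI step fails; return 0 when the log is clean.
report_leaks() {
    found=$(count_leaks "$1")
    if [ "$found" -eq 0 ]; then
        echo "no credentials found in $1"
        return 0
    fi
    grep -n -E "$SECRET_RE" "$1" | sed -E \
        -e 's/AKIA[0-9A-Z]{16}/AKIA****/g' \
        -e 's/ghp_[A-Za-z0-9]{36}/ghp_****/g'
    echo "$found line(s) in $1 contain credentials: fail the build and rotate them" >&2
    return 1
}

# --- demo on a constructed build log ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[build] step 3/7: npm ci
[build] env dump for debugging:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789
-----BEGIN RSA PRIVATE KEY-----
[build] step 4/7: npm run build
EOF
report_leaks "$LOG" || echo "scan would fail this build"
rm -f "$LOG"
```

Run it as the last step of a pipeline job (or over archived logs) and treat a non-zero exit as a build failure; the point is that a credential printed once into a log is already exposed, so the response is rotation, not just deletion of the log.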

There are two main consequences of a software supply chain attack. First, your own software is compromised, and the compromise propagates into everything built from it as updates flow through the pipeline. Second, the users who receive your software at the end of the line inherit the compromise, typically through a legitimate, trusted update channel.

Types of Supply Chain Attacks

Here are some types of attacks to look for: 

Software Attacks

Software attacks happen when attackers inject malicious code into your product so it reaches customers through legitimate, often signed, software updates. This occurred in the SolarWinds attack, when state-sponsored attackers compromised the build process of the SolarWinds Orion platform so that a backdoor shipped inside signed Orion updates. Roughly 18,000 customers downloaded the trojanized updates, and the attackers then selected a much smaller set of government agencies and companies for follow-on intrusion.

Browser-Based Attacks

A browser-based attack delivers malicious code to end users’ browsers. For instance, attackers can compromise a JavaScript library or a browser extension that a site or user already trusts; the malicious code then runs automatically in every browser that loads it, with no install step or prompt that would give a user or administrator a chance to intervene.

Open Source Attacks 

Open source code streamlines development and saves time, but because it is public and widely reused, it is also a convenient target. Attackers can hunt for vulnerabilities in a popular library, publish malicious packages of their own, or take over a maintainer’s account or an abandoned project and push a malicious release. Any of these reaches every developer who pulls the code, so a single compromised package has widespread effects.

Watering Hole Attacks 

In this attack, attackers study high-traffic websites that their intended victims are known to visit, find a vulnerability in one of them, and use it to serve malware to visitors. The key here is that the criminals compromise a place where many businesses “gather” rather than attacking each target directly.

JavaScript Attacks 

This attack type exploits a vulnerability in a web application, or in a third-party script the application loads, to embed malicious JavaScript in web pages. When users load the page, their browser executes the script with the page’s own privileges. When the script is injected through a flaw in the site itself this is a cross-site scripting (XSS) attack; because the script arrives from a trusted website, users have no reason to suspect malicious activity.

Software Supply Chain Attack Examples

Looking at some supply chain attack examples, like the 2022 LastPass attack, can help you understand the reputational and fiscal costs associated with a breach. Some instances worth studying include:

1. Mimecast

Mimecast is an email management and cybersecurity organization that offers businesses cloud-based services. In 2021, attackers compromised a Mimecast-issued certificate that customers used to authenticate Mimecast’s products to Microsoft 365 Exchange Web Services. Because that connection gives Mimecast deep access to customers’ email, a stolen certificate let the attackers impersonate Mimecast to those tenants. Mimecast reported that a low single-digit number of customers’ Microsoft 365 tenants were targeted and linked the intrusion to the same actor behind the SolarWinds attack.

2. Kaseya

Also in 2021, attackers exploited a zero-day vulnerability in Kaseya VSA (Virtual System Administrator), a remote monitoring and management tool that many managed service providers (MSPs) use to administer their clients’ IT infrastructure. Through the compromised VSA servers, the attackers pushed the REvil ransomware to the endpoints those MSPs managed, encrypting data at an estimated 1,500 downstream businesses and holding it for ransom.

3. ASUS

ASUS, a Taiwan-based technology company, unknowingly delivered malware to users in 2019 through its ASUS Live Update tool, in a campaign known as ShadowHammer. The trojanized updater was signed with legitimate ASUS certificates and served from ASUS’s own servers, so it passed every check an endpoint would make. Experts estimate that over a million users received it, although the payload only activated on a few hundred machines whose MAC addresses were on the attackers’ target list. The case shows both how widespread a supply chain attack can be and how little a valid signature proves once the signing pipeline itself is compromised.

4. event-stream

In 2018, event-stream, a popular npm JavaScript package with roughly two million weekly downloads, was injected with malware. The original maintainer handed the project to a new volunteer maintainer, who added a dependency called flatmap-stream and then published a version of it containing obfuscated code that targeted one specific cryptocurrency wallet application and its users’ private keys. Because the payload only activated inside that one application, it went unnoticed for over two months and was pulled into countless applications in the meantime.

5. Codecov

In the 2021 Codecov attack, an attacker modified the Codecov Bash Uploader, the script that customers’ CI jobs download and run to send coverage reports to Codecov. Using a credential obtained through a flaw in Codecov’s Docker image creation process, the attacker inserted a line into the script that sent the environment variables of every CI job that ran it, including tokens, keys, and other credentials, to a server the attacker controlled. The modification went undetected for about two months, and the stolen credentials gave the attacker unauthorized access to customers’ own systems and repositories.

How To Prevent Software Supply Chain Attacks

There’s no singular solution to prevent attacks, but the best approach is multifaceted to cover as many bases as possible. Here are some recommendations:

  • Use threat intelligence: When it comes to cybersecurity, awareness is half the battle. Threat intelligence includes collecting detailed information on active cybersecurity threats, like hackers’ methods and potential vulnerabilities. By staying aware, you can act before a criminal harms you or a provider. 
  • Assess vendors’ security postures: Before working with a third-party provider, assess their security practices closely. Ask about potential vulnerabilities and incident response plans—this tells you how much thought they’ve put into mitigating the impact of a potential breach. 
  • Carry out a third-party risk assessment: Do your due diligence before onboarding any third party to confirm that its security standards match your own. Complete a risk assessment, test the software in an isolated environment before deploying it, and verify the vendor’s stated practices rather than taking them on faith.
  • Do frequent awareness training: Employees interact with your software every day, which means they’re the first people who might spot vulnerabilities, threats, and attacks. Make sure they know what to look for. Ongoing security awareness training arms them with the knowledge they need to keep your software safe. In addition, provide security training for developers so they know how to code securely and avoid risky misconfigurations.
  • Use endpoint detection and response (EDR) solutions: Insecure endpoints, including developer workstations and build agents, represent a significant security vulnerability. EDR tools continuously monitor endpoint activity so that suspicious behavior can be triaged before it spreads through the supply chain. 
  • Adopt a Zero Trust mentality: A Zero Trust mindset requires every user and device to prove its trustworthiness on each access, regardless of whether it sits inside or outside your network. By default you trust nothing and verify everything, which means you spot threats faster and make it harder for stolen access to be reused. 
  • Get visibility into your software factory: From code, through the build process, and into runtime, you need full visibility into what’s happening. Pair this visibility with insights about security controls to identify gaps in coverage. Cyberattackers will look for any tiny vulnerability in your software development process. Make sure you know your development environment better than they do.

Secure Your Software Supply Chain Today

Legit Security’s holistic platform is designed to safeguard your supply chain from threats. We analyze your SDLC, identify and explain potential risks, and help you comply with industry standards so customers know they can trust you.

Request a demo today and start securing your supply chain.


Published on
October 08, 2024
