Supply Chain Attacks: Recent Examples, Trends & How to Prevent Them in 2026

  • November 06, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Emily Bonnie

Senior Content Marketing Manager

Nearly a third (29%) of managers reported an increase in cyber attacks on their supply chains over the past six months in a recent survey by the Chartered Institute of Procurement and Supply.

As hackers increasingly target the supply chain, most organizations fear that their suppliers aren’t prepared to defend themselves. SecurityScorecard’s 2025 survey found that 88% of security leaders are concerned about supply chain cyber risks.

To help understand and close this gap in cyber readiness, we’ve rounded up some of the most recent and notable supply chain attacks to extrapolate key takeaways and trends for 2026 and beyond. Keep reading for these examples as well as a complete overview of major types of supply chain attacks, how they work, and how you can prevent them. 

Recent supply chain attacks and trends

The fallout from recent cyber attacks on corporate stalwarts including Jaguar Land Rover highlighted a growing threat to businesses as well as the global supply chain.

Here are a few of the latest supply chain incidents and what they tell us about supply chain risks moving into 2026:

1. Jaguar Land Rover supply chain attack

Date: September 2025

Impact: Weeks-long production halt costing $2.5B and likely causing thousands of layoffs

Starting on August 1, a cyber attack on the global car giant Jaguar Land Rover (JLR) brought vehicle production to a standstill across the U.K., Slovakia, India, and Brazil, costing the company an estimated £120 million in lost profit and £1.7 billion in revenue.

As the U.K.’s largest automotive employer, JLR’s production halt sent shockwaves through its supplier network, triggering layoffs, factory shutdowns, and bankruptcies. Nearly 80% of firms surveyed by the Black Country Chamber of Commerce reported negative impacts from the cyberattack, and 14% had already made redundancies by late September.

It is already considered the most economically damaging cyberattack in British history, likely costing the country a whopping £1.9 billion ($2.5 billion).

Emerging trend

The attack on JLR highlights how deeply interdependent global manufacturing has become so that one breach can ripple across entire economies. With the U.K.’s National Cyber Security Centre now warning of four “nationally significant” cyberattacks every week—double the previous year’s average—it’s more important than ever for operational technology and industrial suppliers to strengthen cyber resilience immediately.

2. Asahi supply chain attack

Date: September 2025

Impact: System outage forced production halts at 30 domestic plants leading to product shortages across the national and likely global beer supply chain

At the end of September, Asahi—the brewer behind Japan’s best-selling beer with a 40% share of the domestic market—was hit by a cyberattack that halted production at most of its 30 factories. For weeks, operations were forced offline, with staff reverting to pen and paper to process orders and shipments. 

The outage caused widespread product shortages in convenience stores and supermarkets across the country and will likely impact shipping, orders and customer service nationwide.

Emerging trend

Unlike past cyberattacks aimed at stealing customer data or financial records, the Asahi breach is part of a growing wave targeting vulnerabilities in operational technology across the manufacturing sector in order to paralyze operations and extract ransoms. These incidents show that attackers are now striking at the core of production, logistics, and distribution—where downtime translates directly into lost revenue and other commercial consequences. 

Organizations in the manufacturing sector—many of which still rely on legacy systems and lack sufficient cybersecurity expertise, as many in Japan do—are particularly exposed to these threats. Manufacturing is now the most targeted industry for cyber attacks worldwide, according to IBM’s 2025 X-Force Threat Intelligence Index, and accounts for 40% of all cyberattacks in the Asia-Pacific region. As operations grow more automated and connected, the line between cyber risk and business risk is disappearing.

3. Marks & Spencer supply chain attack

Date: May 2025

Impact: Major operational disruptions that halted online shopping and reduced food availability costing £300M in profit

In May 2025, UK retailer Marks & Spencer (M&S) suffered a highly targeted cyberattack traced back to social engineering against employees at a third-party contractor. The breach forced M&S to manually operate critical logistics processes, disrupted food distribution, reduced availability across stores, and temporarily halted online shopping. With more than 60,000 employees and 500 stores, the operational slowdown quickly escalated into broader supply chain and revenue impacts, including increased waste, higher stock management costs, and an estimated £300 million ($400 million) loss in operating profit for 2025/2026.

The attack was part of a coordinated campaign by the ransomware group DragonForce, which also targeted Co-op and Harrods before shifting focus to U.S. retailers.

Emerging trend

The M&S incident highlights how attackers are increasingly exploiting third-party contractors to infiltrate complex retail supply chains, where the consequences extend far beyond data loss. These attacks disrupt logistics, in-store availability, and e-commerce operations and often result in significant profit losses.

Retailers have therefore become high-value targets for financially motivated and opportunistic ransomware groups, with recent breaches at Dior, M&S, Harrods, and Co-Op illustrating a pattern of escalating, industry-wide vulnerability. 

4. National Defense Corporation supply chain attack

Date: March 2025

Impact: Leak of procurement and logistics data across multiple defense manufacturing subsidiaries 

In March, the home appliance and ammunition manufacturer National Presto Industries and its defense subsidiary, National Defense Corporation (NDC), were targeted by the Interlock Ransomware Group. The attackers claimed to have stolen roughly three million files and encrypted systems belonging to several affiliated entities, including AMTEC, a key supplier of ammunition and explosives for the military and law enforcement.

While no classified materials were confirmed as exposed, compromised procurement and logistics data could disrupt critical supply lines supporting military operations. The attack underscored how cybercriminals and potentially state-sponsored actors are exploiting lower-tier suppliers to gain visibility into the Defense Industrial Base’s (DIB) broader logistics network.

Emerging trend

The NDC incident reflects a broader shift in ransomware tactics, from opportunistic data theft to targeted attacks on critical infrastructure and the defense sector in particular. Cybercriminals and, in some cases, state-sponsored actors are increasingly targeting lower-tier suppliers to infiltrate the Defense Industrial Base’s (DIB) broader logistics network for economic or military gain.

In parallel, regulatory scrutiny of defense and other government contractors is intensifying. In 2025, there has been a significant uptick in False Claims Act (FCA) settlements and fines against contractors and grant recipients who fail to meet contractual cybersecurity requirements, five of which have resolved allegations of noncompliance with NIST 800-171 controls as required through DFARS 7012.

With CMMC enforcement beginning November 10, organizations handling defense information can expect tighter oversight, fewer exceptions for noncompliance, and heightened accountability across the entire defense supply chain.

What is a supply chain attack?

A supply chain attack occurs when an adversary targets an organization, person, process, information, or resource that’s part of a supply chain as a means to infiltrate downstream or upstream systems rather than attacking the target organization(s) directly. 

Because many companies rely on third-party components and services, an exploit at any link in a supply chain—whether it’s a trusted partner, service provider, software vendor, open-source library, or hardware component—can expose vast numbers of businesses to operational disruption, corruption, data disclosure, and/or destruction. 

An adversary may target a smaller supplier with lower cyber maturity in order to gain access to a larger organization with higher cyber maturity, or it may target a larger supplier with hundreds or thousands of customers and users in order to maximize its impact. 

Within this broader domain, software supply chain attacks refer specifically to when software vendors are used as the attack vector. These attacks often originate from malicious updates, injected dependencies, compromised build pipelines, or open-source library backdoors, to name a few examples.

All types of supply chain attacks are rising in frequency and impact because organizations are increasingly dependent on third-party software, open-source libraries, outsourced services, and interconnected vendor ecosystems. The very trust model that allows enterprises to scale also creates expanded attack surfaces.

How do supply chain attacks work?

Supply chain attacks exploit a third-party dependency—like a service provider or open-source library—in order to gain access to a target organization’s systems or as many users as possible. Once inside other systems, attackers can deepen access, elevate privileges, and expand reach.

Attackers can exploit a third-party dependency in many ways, including insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software or hardware, and poor manufacturing and development practices in the cybersecurity-related elements of the supply chain.

While we’ll discuss different types of supply chain attacks below, here’s an example of how a supply chain attack works broadly:

  1. Attackers compromise a trusted vendor or component. For example, attackers may inject malicious code into widely-used open-source libraries. 
  2. Malicious code is introduced in other vendors’ products, software, or updates, allowing attackers unauthorized access. Organizations then include those compromised components in their software builds or other parts of their supply chain.
  3. Customers install or use vendor’s products, software, or updates. The malicious code propagates downstream to customers and other third parties.
  4. Attackers use that foothold to move laterally, escalate privileges, steal data, or disrupt operations. Because the compromised vendor or component is trusted, detection may be delayed, which allows attackers to do more damage. Many downstream customers might be impacted before remedial measures occur.

Types of supply chain attacks

Supply chain attacks take many forms, depending on where attackers insert themselves into the supply chain and at which stage of the lifecycle (design, development, manufacturing, processing, handling, and delivery). 

Below are the most common types—each with real-world examples that show how these attacks unfold and why they’re so difficult to detect.

1. Software update compromise

In this type of attack, an adversary infiltrates a software vendor’s update environment to insert malicious code into otherwise legitimate software updates. Because these updates are trusted and often automatically applied, thousands of downstream customers can be compromised before anyone notices.

This technique gives attackers immediate access inside networks that would otherwise be difficult to penetrate.

Notable example: SolarWinds (2019)

Beginning in 2019, a nation-state adversary breached the computing networks of SolarWinds, eventually inserting malicious code into a software update for its network management and monitoring suite of products called Orion. This update was distributed to over 18,000 customers, including federal agencies and Fortune 500 companies. Once installed, the trojanized code provided the adversary with a backdoor to breach the infected systems of a smaller subset of high-value customers for the primary purpose of espionage. 

To date, it remains one of the most widespread and sophisticated supply chain attacks ever conducted against the federal government and private sector.

2. Software development compromise

In this type of attack, attackers infiltrate a software vendor’s development environment—such as CI/CD pipelines, build servers, or signing infrastructure—to inject malicious code into software before it is released. Typically, the attackers will use a common delivery mechanism like an email attachment or removable media to infiltrate the environment.

This type of attack is particularly dangerous because it originates upstream and abuses trusted developer workflows.

Notable example: Codecov (2021)

In 2021, attackers gained unauthorized access to the development environment of software testing firm Codecov and modified its Bash Uploader script—a tool used by more than 29,000 customers, including GoDaddy, Washington Post, and Royal Bank of Canada, in their CI/CD pipelines. The altered script silently exfiltrated sensitive information including environment variables containing secrets, credentials, and tokens from downstream customers’ build systems for two months undetected. 

The incident illustrates how infiltrating a single upstream build component can expose thousands of organizations that rely on trusted development tools.

3. Open-source dependency compromise

Modern software relies heavily on open-source libraries and code, which can introduce a serious design vulnerability in the acquisition process. Attackers can exploit this by injecting malicious code into widely used packages or by compromising maintainers directly (such as through credential theft or phishing). 

Once compromised code is added to software builds, the malicious instructions propagate downstream to consumers. Because open-source code is so commonly used, this type of attack can impact millions. 

Notable example: NPM maintainer compromise (2025)

In September 2025, attackers reportedly launched a targeted phishing campaign to compromise Node Package Manager (npm) maintainer accounts and inject malicious code into widely-used JavaScript packages. On average, these npm packages are downloaded over 2.6 billion times per week globally—making it one of the most significant attacks on the JavaScript ecosystem in recent memory and highlighting the growing supply chain risk in cloud-native development environments.

4. Third-party service provider breach

Instead of compromising the target organization’s own software, attackers may breach a third-party contractor’s software in order to gain unauthorized access to the target. Common victims are consulting firms, SaaS platforms, and managed service providers (MSPs). Since these integrate deeply with customer environments, a single breach can spread quickly and silently across hundreds of organizations.

Notable example: Workday (2025)

In August 2025, HR and finance software provider Workday suffered a data breach after fraudsters gained access to its third-party CRM platform through a targeted social engineering campaign. Attackers impersonated HR and IT staff via phone and text messages to trick employees into providing login access or their personal information in order to access customers’ business contact information. 

While no customer tenant data was compromised, the incident highlights how attackers increasingly target the extended ecosystem around major SaaS providers to try to access vast amounts of sensitive business data.

5. Hardware tampering or substitution

While software supply chain attacks are prominent in news headlines and cybersecurity efforts, hardware also poses a serious threat. Attackers can intercept legitimate hardware and replace it with faulty counterfeits or tamper with it when it’s being packaged, shipped, or transferred to contractors, or embed malicious functionality during procurement, maintenance, or upgrades. 

Because compromised hardware often appears authentic and functions normally at first, it can remain undetected until triggered—via remote signals, timers, or environmental changes—to disrupt operations or create hidden backdoors. This type of attack can undermine entire supply chains and is especially dangerous in critical infrastructure and defense sectors.

Example: Cisco counterfeit hardware scheme (2013–2022)

Between 2013 and 2022, criminal distributors imported counterfeit Cisco networking equipment from China and Hong Kong and resold it through dozens of storefronts, falsely marketed as new and genuine. The devices were deployed across U.S. hospitals, schools, and highly sensitive military systems, including platforms supporting F-15, F-18, and F-22 fighter jets, Apache helicopters, and B-52 bombers. 

The case illustrates how hardware substitution can infiltrate mission-critical environments, erode trust in global supply chains, and create long-term national security risks.

How to prevent supply chain attacks

Supply chain attacks are difficult to detect because they exploit trusted relationships—between organizations and their vendors, software providers, or contractors. But while these attacks are complex, there are proven ways to reduce your exposure and limit their potential impact.

The recommendations below combine recent statistics with technical, procedural, and organizational best practices to help protect your business from the most current supply chain threats. 

These align with requirements from major federal and commercial security frameworks, such as NIST 800-53 (which has an entire control family around supply chain risk management), ISO 27001:2022, SOC 2, PCI DSS, GDPR, and Microsoft SSPA. Implementing them can mitigate supply chain risks, strengthen your overall security and compliance posture, and maintain your subcontracts and place in supply chains.

1. Establish a Supply Chain Risk Management (SCRM) Policy

More than 70% of organizations say they experienced at least one material third-party cybersecurity incident in the past year—and 5% suffered 10 or more incidents. Having a policy in place is the first step to mitigating increasing supply chain risk.

Before they begin evaluating vendors, organizations need a formal Supply Chain Risk Management Policy that defines how they identify, assess, onboard, monitor, and offboard third-party suppliers. This policy ensures that all relevant information security requirements are documented, agreed upon, and enforced with every vendor that stores, processes, transports, or otherwise touches your data or IT infrastructure.

A SCRM policy should outline:

  • expected security controls
  • evidence requirements
  • contractual obligations
  • incident notification timelines
  • consequences for noncompliance

This policy is foundational to frameworks like NIST 800-53, NIST 800-171, CMMC, ISO 27001:2022, and SOC 2, which all require clear supply chain governance.

2. Conduct thorough vendor and supplier due diligence

Despite the growing threat of supply chain attacks, 79% of companies say that less than half of their nth-party supply chain is currently overseen by cybersecurity programs. In fact, 36% of respondents revealed that only 1%-10% of their supply chain is protected.

Moving forward, strengthening vendor compliance management and due diligence will be a key priority not only for operational continuity but for the economy and national security.

To start, map all third-party providers—from cloud and software vendors to managed service providers and contractors—and evaluate their security controls before granting access to your environment. Request compliance reports and attestations for frameworks like SOC 2, ISO/IEC 27001, or CMMC, and require security clauses in contracts to ensure vendors maintain adequate protections. 

Reviewing audit reports, penetration testing results, and incident response capabilities can also help you identify potential weak links before they become exploitable.

3. Implement continuous vendor monitoring

Due diligence shouldn’t stop at onboarding. Yet, fewer than half of organizations monitor cybersecurity across even 50% of their nth-party supply chains.

Continuous monitoring allows you to track changes in a vendor’s security posture over time and quickly respond to emerging risks. Automated tools can alert you to new vulnerabilities, expiring certificates, or reported breaches that might impact your organization.

Establish a third-party risk management (TPRM) process that includes regular risk assessments and tiering of vendors based on criticality and data sensitivity. This proactive oversight is key to maintaining visibility across an evolving supply chain.

4. Secure your build and deployment pipelines

When asked what types of supply chain risks concern them most, leaders listed increased reliance on software shared with third parties and open-source software usage among their top 5.

This makes sense given that build systems are prime targets for software supply chain attackers. Protect them by implementing least-privilege access, code signing, and strict change management controls. Require multifactor authentication (MFA) for all build servers and use dedicated credentials for automation systems.

Incorporate security testing—including static and dynamic analysis, dependency scanning, and integrity verification—into your continuous integration/continuous deployment (CI/CD) pipeline. By integrating security earlier in the development process, you can catch issues before they reach production or customers.
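
As an added example (not code from the original article, Codecov, or Secureframe), here is one way a CI job can apply the integrity verification and least-privilege advice above to a third-party helper script, such as the uploader in the Codecov incident described earlier: pin the script to a reviewed SHA-256 digest and run it with only allowlisted environment variables. The function names `sha256_of`, `verify_pinned` and `run_verified`, and the sample script, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pin a third-party CI helper script to a known SHA-256 digest
# and run it with only an allowlisted environment.
# Function names and the sample script are hypothetical, for illustration only.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE PINNED_SHA256 -> exit status 0 only if the digest matches.
verify_pinned() (
  file=$1
  pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lower-case hex
  [ -f "$file" ] || { echo "verify_pinned: no such file: $file" >&2; exit 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$pinned" ]; then
    echo "verify_pinned: digest mismatch for $file" >&2
    echo "  pinned: $pinned" >&2
    echo "  actual: $actual" >&2
    exit 1
  fi
)

# run_verified FILE PINNED_SHA256 [VAR ...]
# Runs FILE only if it matches the pin, passing PATH plus the named variables.
# Everything else in the job environment (tokens, keys) is withheld.
run_verified() (
  file=$1; pinned=$2; shift 2
  # Check and execute a private copy so the file cannot change in between.
  tmp=$(mktemp) || exit 1
  cp "$file" "$tmp" || { rm -f "$tmp"; exit 1; }
  verify_pinned "$tmp" "$pinned" || { rm -f "$tmp"; exit 1; }

  n=$#
  for name in "$@"; do
    if value=$(printenv "$name"); then
      set -- "$@" "$name=$value"   # append NAME=value after the bare names
    fi
  done
  shift "$n"                       # drop the bare names, keep NAME=value pairs

  rc=0
  env -i "PATH=$PATH" "$@" sh "$tmp" || rc=$?
  rm -f "$tmp"
  exit "$rc"
)

# Demo on a constructed script that stands in for a vendor uploader.
demo() (
  dir=$(mktemp -d) || exit 1
  printf '%s\n' 'echo "token=${SECRET_TOKEN-unset} commit=${CI_COMMIT-unset}"' \
    > "$dir/uploader.sh"
  pin=$(sha256_of "$dir/uploader.sh")   # in practice: recorded when the script was reviewed
  SECRET_TOKEN=constructed-secret; CI_COMMIT=abc123
  export SECRET_TOKEN CI_COMMIT
  run_verified "$dir/uploader.sh" "$pin" CI_COMMIT   # prints: token=unset commit=abc123
  echo 'echo tampered' >> "$dir/uploader.sh"         # simulate an upstream modification
  run_verified "$dir/uploader.sh" "$pin" CI_COMMIT 2>/dev/null \
    || echo "blocked: script no longer matches its pin"
  rm -rf "$dir"
)
demo
```

The pinned digest belongs in version control next to the pipeline definition, so changing it requires the same review as any other code change.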

5. Strengthen access controls and network segmentation

Only 34% of organizations in 2025 said they implement proactive breach prevention controls, including access controls.

Vendors and contractors often require access to your systems—but that access should be as limited and monitored as possible. As part of your vendor access management program, enforce the principle of least privilege and apply just-in-time access for sensitive environments.

Segment vendor access from your core network, monitor all third-party sessions, and require secure methods of connection such as zero-trust network access (ZTNA) or VPN with strong MFA. If a vendor is breached, these safeguards can prevent lateral movement and limit the blast radius of an attack.

6. Prepare an incident response plan that includes vendors

When a supply chain attack occurs, quick action matters. Yet, only 26% of organizations incorporate incident response into their TPRM programs while the rest rely on point-in-time, vendor-supplied assessments or cyber insurance.

To improve your response capabilities, develop an incident response plan that clearly defines how to contact and coordinate with affected vendors, contain the compromise, and communicate with customers or regulators.

Conduct tabletop exercises that include third-party breach scenarios and ensure vendor contracts specify notification timelines and cooperation expectations. A well-defined response plan can turn a chaotic event into a controlled process, minimizing downtime and reputational damage.

How Secureframe helps protect against supply chain attacks

Supply chain attacks represent a growing and unique threat vector. Because attackers increasingly target trusted vendors, software build pipelines, hardware manufacturers, and service providers, companies must shift from an insular approach to security toward the objective of securing the entire chain of trust.

Secureframe can help companies make this shift. With Secureframe, you can:

  • Automate compliance management to security frameworks like SOC 2 and NIST 800-53 that include supply chain security controls, enabling organizations to meet requirements efficiently.
  • Continuously monitor your infrastructure, applications, and vendor ecosystem to detect misconfigurations and vulnerabilities in real time.
  • Detect misconfigurations or issues through real-time dashboards and assign remediation tasks via Slack, Jira, email, or directly within the platform.
  • Automate remediation of security misconfigurations with step-by-step guidance or infrastructure-as-code fixes generated automatically by Comply AI.
  • Streamline third-party risk management (TPRM) by integrating with your suppliers, retrieving security documentation, and automating supplier risk assessments.
  • Enhance software integrity by verifying vendor security postures, tracking risk assessments, and managing supplier compliance documentation.
  • Integrate your cloud platform and developer tools to see all of your vulnerabilities from services like AWS Inspector and GitHub in one place.
  • Get guidance and answers to any questions you may have from compliance managers and a partner network of trusted auditors and pen testing firms.

Ready to secure your supply chain? Schedule a demo with Secureframe today to learn how.

FAQs

What are supply chain attacks?

Supply chain attacks exploit the growing ecosystem of suppliers, third-party services, software vendors, and hardware manufacturers that organizations rely on to breach a target organization or organizations. Rather than attacking the target organization directly, adversaries compromise a trusted link in the chain either because that link is easier to hack or because it is harder to detect.

What are software supply chain attacks?

Software supply chain attacks are a subset of supply chain attacks that refer specifically to attacks that target software during the development, build, packaging, update, or distribution stages—such as when malicious code is inserted into a library, software update, or build pipeline.

How do supply chain attacks work?

A supply chain attack typically works like this:

  • An adversary compromises a vendor or library.
  • The adversary inserts malicious code or components to gain unauthorized access to a system.
  • The compromised product, component, or update is distributed, propagating access to downstream or upstream systems.
  • The adversary deepens access to customers’ or other networks in order to steal data, disrupt operations, or otherwise cause damage.
