Why You Can’t Afford to Ignore Software Supply Chain Attacks
Key Takeaways
- The number of threat actors targeting organizations’ third-party software supply chains has increased rapidly in the past few years.
- Currently, just 1 in 3 organizations are prepared to protect themselves from software supply chain threats.
- Recent public examples of software supply chain attacks have caused wide-scale financial, operational and reputational damage to the impacted organizations and their customers.
- It’s essential for enterprises to establish mutual accountability with third-party vendors and adhere to strict security best practices for software supply chain cybersecurity.
Ivanti’s 2025 State of Cybersecurity Report revealed that just 1 in 3 organizations feel prepared to protect themselves from software supply chain threats. With attackers increasingly targeting third-party dependencies, supply chain attacks may become a painful Achilles heel for cybersecurity if organizations continue to overlook them.
The rising risk of software supply chain attacks
Attack surfaces are expanding rapidly, and a key vector of that expansion is organizations’ software supply chains. Modern enterprises rely on numerous software applications, tools and dependencies within their own tech infrastructure. A single organization uses an average of 112 SaaS applications, according to a 2024 report by BetterCloud. And that web only grows more complex. On average, each software application has 150 dependencies, 90% of which are indirect dependencies, and those indirect dependencies account for the vast majority of vulnerabilities.
The number of threat actors targeting third-party dependencies has increased rapidly in the past few years, with 75% of all software supply chains reporting attacks in 2024. Software supply chain threats have also grown more sophisticated as attackers look for any weakness in a supplier’s code to exploit. Yet security teams often struggle to vet all of their software components properly.
Ivanti’s cybersecurity research found that even though 84% of leaders at organizations say that it’s “very important” to monitor the software supply chain, nearly half (48%) have not yet identified the most vulnerable components in their own supply chain. This lack of due diligence leaves companies exposed to great financial and reputational risks.
Common types of software supply chain attacks
According to Gartner, 45% of organizations will have experienced a software supply chain attack by 2025. Here's a brief overview of some of the most common types of software supply chain vulnerabilities targeted by attackers:
- Upstream server attacks are the most common supply chain attacks. These occur when hackers compromise a system positioned "upstream" from users, such as a code repository, and inject a malicious payload or malware. This payload then spreads to "downstream" users through something like a software update.
- Midstream attacks refer to incidents where attackers compromise intermediary systems such as software development tools rather than the original codebase.
- Dependency confusion attacks attempt to fool a developer or build system into downloading a compromised software dependency from an external source. A common method is to publish a malicious package under a name that is identical or similar to a trusted internal library, so that the malicious version is integrated into the software build instead of the legitimate dependency.
- Code-signing certificate attacks occur when hackers compromise the digital code-signing certificates meant to verify software security and authenticity and use them to sign malicious software. Such compromises typically start with threat actors gaining access to the development environment via social engineering or another tactic.
- CI/CD infrastructure attacks target automated development pipelines by introducing malware, such as cloning authentic GitHub repositories for malicious purposes.
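As an added example (not from the original article), the following Python script shows one way a defender could detect the dependency confusion pattern described above in a build's resolved-package list: it flags internal-namespace packages that were fetched from a public index, and public packages whose names closely resemble an internal one. The resolution-log format, index URLs and package names are all constructed.

```python
"""Dependency-confusion check: flag build dependencies that were resolved from a
public index although their name belongs to an internal namespace, and flag
public packages whose names are suspiciously close to internal ones.
Added example; the log format, index URLs and package names are constructed."""
import difflib
from typing import Dict, List, Tuple

# Hypothetical internal index and the set of names published only there.
INTERNAL_INDEX = "https://pypi.internal.example/simple"
INTERNAL_PACKAGES = {"acme-auth", "acme-billing-core", "acme-logging"}

# Constructed resolution log: one line per resolved package,
# "name==version <index-url>". The third entry is the confusion case.
RESOLUTION_LOG = """\
requests==2.32.3 https://pypi.org/simple
acme-auth==1.4.0 https://pypi.internal.example/simple
acme-billing-core==9.9.9 https://pypi.org/simple
acme-loging==1.0.0 https://pypi.org/simple
"""

def parse_resolution(log: str) -> List[Tuple[str, str, str]]:
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        spec, index = line.split()
        name, version = spec.split("==")
        rows.append((name.lower(), version, index))
    return rows

def check_dependencies(log: str) -> Dict[str, List[str]]:
    """Return {'confused': [...], 'lookalike': [...]} for the resolved packages."""
    findings: Dict[str, List[str]] = {"confused": [], "lookalike": []}
    for name, version, index in parse_resolution(log):
        if name in INTERNAL_PACKAGES and index != INTERNAL_INDEX:
            findings["confused"].append(f"{name}=={version} from {index}")
        elif name not in INTERNAL_PACKAGES and index != INTERNAL_INDEX:
            # Ratio >= 0.9 catches one-character edits such as "acme-loging".
            close = difflib.get_close_matches(name, INTERNAL_PACKAGES, n=1, cutoff=0.9)
            if close:
                findings["lookalike"].append(f"{name} resembles internal {close[0]}")
    return findings

if __name__ == "__main__":
    for kind, items in check_dependencies(RESOLUTION_LOG).items():
        for item in items:
            print(f"[{kind}] {item}")
```

In a real pipeline the resolution log would come from the package manager's own output and the internal package list from the private index; a non-empty `confused` list is the signal to fail the build.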
Recent examples of supply chain attacks
You don’t have to dig too deep into the news to find real-life examples of these types of attacks coming to a head. Here are a few incidents of supply chain attacks from the past few years that got global attention.
Okta social engineering attack
In October of 2023, Okta, an identity and access management services provider, experienced a serious data breach of its customer support system after four different Okta customers fell victim to social engineering attacks targeting their IT service desks. Attackers used the administrative credentials obtained through these attacks to launch multiple downstream attacks, resulting in unauthorized access to the data of thousands of Okta customers, including 1Password, BeyondTrust and Cloudflare.
Kaseya ransomware attack
In this July 2021 case, hackers exploited six zero-day vulnerabilities in Kaseya's remote management tool to distribute a malicious ransomware payload via a software update that infected hundreds of managed service providers (MSPs) and their clients. The attack halted operations at nearly 2,000 businesses worldwide and made headlines when the attackers demanded a staggering $70 million ransom payment (which ultimately went unpaid).
Codecov CI/CD attack
In January of 2021, bad actors infiltrated the popular code testing tool Codecov, which at the time was used by over 29,000 customers. Attackers gained unauthorized access to Codecov’s Bash Uploader script and introduced malicious code, which was then executed by Codecov customers in their CI/CD pipelines. Codecov did not detect and report the attack until April of 2021, meaning that these bad actors potentially had access to sensitive data in thousands of customer systems for months.
Each of these supply chain breaches caused cascading, wide-reaching damage to the exploited provider, its thousands of customers and beyond.
Serious impacts of supply chain attacks
The scale of damage that results from software supply chain attacks cannot be overstated. Each of the above attacks resulted in significant financial and reputational damage and prompted many organizations to reconsider their approach to vendor security.
Financial impacts
Cybersecurity Ventures predicts that the global annual cost of software supply chain attacks to businesses will reach a staggering $138 billion by 2031, up from $60 billion in 2025. These losses encompass lost revenue, remediation costs, legal fees and potential penalties for non-compliance. Following its 2023 data breach, Okta shares fell by 11%. Following another major data breach in 2022, Okta was then hit with a lawsuit by affected shareholders and required to pay out $60 million.
Operational impacts
Supply chain attacks can lead thousands of customers to suffer disruptions and system shutdowns, halting critical operations and causing delays that further impact other vendors. Let’s look at just a few of the institutions impacted by the Kaseya breach. In Sweden, a large food retailer was forced to close 800 shops over the weekend, and the State Railway also suffered disruptions. Eleven schools and more than 100 nurseries in New Zealand also had to halt all online operations, resorting to pen and paper until the incident could be resolved.
Reputational damage
A publicly damaged reputation can set a company back in terms of trust with their customers and shareholders. Businesses may lose vendors and customer loyalty that took them years to establish. In March 2023, popular business communications software 3CX was compromised when hackers injected malicious code into their application, potentially exposing sensitive data of over 600,000 customers and garnering the company months of negative media attention and public backlash.
The buck stops where? Technical debt and shared responsibility
With software supply chain threats expected to rise in frequency and severity, it’s imperative for enterprises to establish clear accountability and adhere to strict security best practices for third-party vendors and software supply chain cybersecurity.
Who owns software security?
Currently, many organizations lack strict and standardized processes for evaluating the security of third-party vendors. Moreover, many customers and vendors aren’t even on the same page about who holds responsibility for managing third-party software security.
The State of Cybersecurity Trends Report analyzed organizations with various levels of cybersecurity capabilities to develop our Cybersecurity Maturity Scale. This scale ranges from less mature organizations (Level 1s and Level 2s) to organizations with more advanced cybersecurity capabilities (Level 4s).
Through this research we found that the less mature organizations most often believed that cybersecurity was solely the responsibility of the vendor. However, those with the highest levels of cybersecurity preparedness advocated for shared responsibility between both the software vendor and the customer.
How to protect against software supply chain threats
Software supply chain security is a vital part of a comprehensive and proactive cybersecurity strategy.
Fortifying your software supply chain and defending against potential attacks requires organizations to treat all third-party vendors and components as an extended part of their entire attack surface. Here are our key recommendations for organizations to ensure they’re prepared to better prevent supply chain attacks as well as detect and respond to any potential supply chain threats.
1. Rigorous vendor management and risk assessment
Do your due diligence before aligning with software vendors. Seek out vendors that comply with industry standards and have a published vulnerability disclosure policy. Regular auditing, code reviews and proactive assessment by both the vendor and the customer are key to mitigating risk.
Our research finds that organizations with the most advanced levels of cybersecurity are most likely to do their due diligence when evaluating the cybersecurity of their third-party vendors including:
- Incorporating security assessment questionnaires (SAQs) in their evaluation.
- Considering vendors' security certifications such as ISO 27001 and SOC 2.
- Reviewing industry-specific compliance standards.
- Ensuring vendors have incident response plans and processes to handle potential security breaches.
- Requesting a Software Bill of Materials (SBOM) to understand the open-source and third-party components used in their software.
2. Continuous monitoring and proactive remediation across all dependencies
Employing automated threat detection tools and processes to monitor and evaluate all of your software components is key. Dependencies, particularly in open source software components, are often overlooked and are a major vulnerability risk if not regularly monitored and updated.
AI and automation tools can provide real-time insights into device, application and network performance to detect potential issues. Self-healing and automated remediation solutions offer effective ways to resolve problems with minimal or no human intervention.
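As an added example (not from the original article, and not Ivanti's tooling), the following Python script illustrates the dependency monitoring recommended in this section together with the SBOM request in recommendation 1: it reads a CycloneDX SBOM, classifies each component as a direct or transitive (indirect) dependency of the application, and flags components that appear on a known-vulnerable list. The SBOM contents and the vulnerability list are constructed, not real advisory data.

```python
"""Triage a CycloneDX SBOM: mark each component as a direct or transitive
dependency and flag those on a known-vulnerable list. Added example; constructed data."""
import json
from collections import deque

# Constructed CycloneDX 1.5-style SBOM (minimal fields only).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-app", "version": "3.1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
        {"bom-ref": "pkg:pypi/certifi@2024.2.2", "name": "certifi", "version": "2024.2.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@1.26.5", "pkg:pypi/certifi@2024.2.2"]},
    ],
})

# Constructed advisory list of (name, affected version) pairs; not real CVE data.
KNOWN_VULNERABLE = {("urllib3", "1.26.5")}

def dependency_depths(sbom: dict) -> dict:
    """BFS from the application's bom-ref; depth 1 = direct, >1 = transitive."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:          # first visit gives the shortest path
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths

def triage(sbom_json: str) -> list:
    """One report row per component: name, version, direct/transitive, vulnerable flag."""
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom)
    report = []
    for c in sbom["components"]:
        depth = depths.get(c["bom-ref"])   # None if the graph never reaches it
        report.append({
            "name": c["name"], "version": c["version"],
            "kind": "direct" if depth == 1 else "transitive" if depth else "unreachable",
            "vulnerable": (c["name"], c["version"]) in KNOWN_VULNERABLE,
        })
    return report
```

Call `triage(SBOM_JSON)` to get the per-component report; the transitive rows are the indirect dependencies the article notes are most often overlooked, and an "unreachable" row indicates an SBOM whose dependency graph is incomplete.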
3. Regular communication with third-party vendors
A cornerstone of establishing mutual accountability for software supply chain security is frequent, open communication between customers and third-party vendors. Security and IT teams need to stay informed of any software updates, patches to fix known vulnerabilities and any emerging security threats.
Learn more about software supply chain security
Want to learn more? Read the full State of Cybersecurity Trends Report to gain in-depth insights into today’s most pressing cybersecurity threats and strategies for proactive risk management.
FAQ
What is the software supply chain?
The software supply chain encompasses any external vendors, service providers, applications, third-party code, configurations and dependencies that make up an organization’s systems and internal infrastructure.
What are upstream attacks?
Upstream attacks target the foundation or development environment, such as compromising servers or code repositories by injecting malicious code. Upstream attacks are the most common type of software supply chain attack.
What are midstream attacks?
Midstream attacks refer to incidents where attackers compromise intermediary systems such as software development tools or a CI/CD tool, rather than compromising the original upstream source-code base.