
Your Supply Chain Is Wider Than Your Risk Register


Earlier this week I asked Claude Code to help me clean up a small data pipeline. It suggested installing a Python package I had never heard of. I read the line, accepted it, watched uv download it along with eleven other packages it depended on, and went back to writing prose. None of those twelve got an audit, not even the one I asked for.

This is the most common security event in software, and almost nobody calls it a security event. We call it Tuesday. A supply chain attack is what happens when criminals tamper with a piece of software your organisation has already chosen to trust, so the compromise arrives on the next routine update rather than through the front door.


If you write code for a living, or you lead people who do, every install your team runs from a public catalogue is an act of faith. The public catalogue is a stranger handing you a sealed envelope and you put the contents into production. Sometimes the envelope is from someone you have heard of. Sometimes it is from a maintainer who has been targeted by a North Korean intelligence service for eighteen months and you are about to find out.

In March 2026, a maintainer of axios, an HTTP library installed roughly 100 million times a week, was approached on a fake Slack workspace, walked through a fake Microsoft Teams call, and convinced to install software that turned out to be a remote access tool.1 Two malicious versions of axios went live on npm, the default registry for JavaScript packages. They were pulled within three hours. At roughly a hundred million downloads a week, three hours is a lot of installs.

I am writing this because the conversation about supply chain security is stuck. Most leaders still picture it as a developer-tooling problem the platform team handles with automated patching. That picture is a decade out of date. The point of this post is to widen it.

How modern attacks work


A useful way to look at modern attacks is as a cascade with three links. The industry treats them as separate categories, when they are three stages of the same attack.

The first link is social engineering. Someone manipulates a human into doing something they would not otherwise do. The axios maintainer accepting a fake Teams call. The XZ Utils maintainer, exhausted and under-supported, accepting help from a fake co-maintainer who patiently spent two years earning commit access before introducing a backdoor. The Cyberhaven developer who handed over a Chrome Web Store credential to a phishing kit. Forget the phishing email you delete each morning. The pattern across all three is months of patient effort against one specific person who happens to hold publish rights to a critical piece of infrastructure.

The second link is the supply chain itself, which is the multiplier. The compromised maintainer publishes one version of one package, and every project that depends on it, transitively, downloads it on the next build. The axios release reached roughly 100 million weekly downloads worth of infrastructure within hours. One compromised laptop becomes thousands of compromised production environments without any further attacker effort.

The third link is blast radius. The malicious code runs somewhere: a developer’s machine, a CI runner, a production container. Whatever credentials sit in that environment are now the attacker’s. The Shai-Hulud worm of late 2025 lived inside compromised CI runners, stole cloud tokens and npm publish tokens, then used those tokens to backdoor every other package the victim could publish, restarting the cascade at scale.

What the supply chain actually includes

Most teams, when asked where their supply chain risk sits, will point at the public code libraries developers build with. That is the loudest layer, the one the security industry has spent the most years naming, but it is not the whole shape of the problem.

Here is what the supply chain actually includes in 2026. One paragraph per layer, one incident as the evidence.

Public code libraries. This is the layer most people picture. Developers build with components from public catalogues instead of writing everything from scratch; npm and PyPI are the two largest, each holding millions of these reusable pieces. The structural example from late 2025 was Shai-Hulud, a self-spreading attack that reached over 500 of these libraries, including widely-used ones like @ctrl/tinycolor (downloaded 2.2 million times a week on its own). No flaw in the catalogue platform was needed; the attack ran on the trust between the people who publish code and the people who use it. Once an attacker held a publisher’s account, every other library that person could publish picked up the same hidden payload on the next release, automatically.2

Build environments. Software gets built in two places: on the developer’s workstation, where it is written and tested, and on the automated pipeline, where it is assembled and pushed to production. Both lean on pre-built tools pulled from public catalogues. The IDE, the AI coding assistant, the local command-line binaries your engineers run, and the build tools the pipeline uses are all pieces of software downloaded from an internet catalogue, each with access to source code, cloud credentials, and the keys that push to production. In March 2026, an attacker silently swapped the code behind 75 of the 76 published versions of a widely-used build tool called Trivy. Every pipeline already pointing at those versions started running the attacker’s code on the next build. The payload harvested those credentials directly. Four days later the same playbook hit Checkmarx, another build tool. Trivy and Checkmarx are both security scanners; the tools your organisation runs to detect supply chain attacks became the supply chain attack.3

Browser and IDE extensions. Browser extensions sit on the most permissive trust model in installed software: they can read every page you visit and every form you complete. Cyberhaven, a security company, had its publishing account stolen in December 2024 after one of its developers fell for a phishing email. A malicious update pushed automatically to roughly 400,000 corporate users within 48 hours, sending their browser session data to the attackers. The attackers picked the days between Christmas and New Year deliberately, because security teams were on leave. The same operation hit roughly a dozen browser extensions, with combined reach in the hundreds of thousands of users.4 The plug-in stores inside developer tools like VS Code run on the same trust model.

SaaS vendors. Codecov, in 2021, had a credential stolen from its build process and used to modify the upload script that every Codecov customer was running. For two months, every customer’s build environment passwords flowed to an attacker’s server. 3CX, in 2023, became the first documented case of a supply chain attack delivering another supply chain attack; the 3CX developer’s laptop had been compromised earlier through a different vendor’s software. CircleCI, in 2023, required every customer to reset every password stored in their CircleCI account after one of its own employees was compromised.5

Hardware. The Evil Crow Cable Wind is a USB cable that looks identical to a phone charger, costs around forty US dollars, and quietly types commands into the computer it is plugged into. It detects the operating system, has Wi-Fi, and runs hidden code the moment it is connected.6 The hardware question is whether your procurement process can tell a real cable from a malicious one. The honest answer, at most companies, is no.

None of those layers show up in the inventory most companies use to track the software they actually run.

Why attackers have the advantage

Illustration: attackers only need to compromise a single entry point; defenders need to keep many things safe.

The reason this is not slowing down is that the economics are obscene.

Imagine you are running a small criminal operation, or a moderately funded state-sponsored team. You have a budget of two hundred thousand US dollars and a few months. You could try to attack a Fortune 500 company directly. You will find a competent security team, endpoint detection software on every device, monitoring systems watched by people who do this for a living, network segmentation, and an incident response firm on retainer. Your budget gets you maybe one foothold if you are lucky, and you spend the rest of it not getting caught.

Or you could spend the same money learning a single open-source maintainer’s habits over six months. You build a relationship. You contribute useful patches. You demonstrate good judgement. You earn commit access. One day you push a new version. Within hours that version is running in CI pipelines at thousands of companies, including most of the Fortune 500, with the same credentials those companies use to deploy to production.

This is the asymmetry. The defender has to keep every package safe; the attacker only needs one maintainer.


The XZ Utils backdoor is the warning shot. A persona called Jia Tan spent two years building credibility in the XZ Utils project, took over maintenance from a burnt-out solo author who was getting hostile pressure from a sockpuppet account to “hand it off to someone with more time”, and inserted a backdoor designed to give remote code execution on any SSH server using the compromised library. It was caught by accident, by a Microsoft engineer noticing half a second of unexplained latency in his test environment. If he had been less curious, the backdoor would have shipped into the next Debian stable release. Every Linux server running OpenSSH would have been remotely exploitable.7

That was a state-level patience campaign aimed at the most boring possible piece of infrastructure, and it nearly worked. The next ones are almost certainly already in progress.

The defences that work in this era shrink the blast radius more than they prevent the compromise itself. The 2018 playbook (a code scanner, a security team, regular developer training on common vulnerabilities) is still necessary, but no longer enough. The moves that matter most are mundane: short-lived access credentials, publishing keys scoped to a single task, build systems walled off from production, an inventory that can answer “who is affected?” in minutes rather than weeks, and builds that use only the library versions a team has tested with. None of those prevent a compromise. All of them shrink the cost of one. When they work, a compromise becomes a five-minute story for the post-mortem. When they don’t, it is a week of resetting passwords and access keys across every system.
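Two of the mundane moves above, the inventory that answers "who is affected?" and the build that runs only the versions a team has tested with, both come down to reading a lockfile. The script below is an added example, not code from the post or from any of the projects it names. It embeds a constructed lockfile in the shape of npm's package-lock.json (lockfileVersion 3) with made-up package names, where "demo-http" stands in for a compromised library, and assumes a flat node_modules tree (nested duplicate copies are not modelled). Given an advisory (name plus bad versions), it reports every dependency chain that pulls the bad version into the application, and it flags any installed package whose version is not the one the lockfile pinned.

```python
"""Answer "who is affected?" from a lockfile, and flag version drift."""
import json

# Constructed sample in the shape of npm's package-lock.json (lockfileVersion 3).
# Every name and version here is made up for the example; "demo-http" plays
# the part of the library that just shipped a malicious release.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"web-framework": "^4.0.0", "report-gen": "^2.1.0"}},
    "node_modules/web-framework": {"version": "4.2.0",
                                   "dependencies": {"demo-http": "^1.7.0"}},
    "node_modules/report-gen": {"version": "2.1.3",
                                "dependencies": {"chart-lib": "^0.9.0"}},
    "node_modules/chart-lib": {"version": "0.9.4",
                               "dependencies": {"demo-http": "^1.7.0"}},
    "node_modules/demo-http": {"version": "1.7.2"}
  }
}
""")


def load_packages(lock):
    """Map package name -> {"version", "deps"} from the lock's "packages" table.

    The root project is keyed by "" and carries its own "name"; installed
    packages are keyed by their node_modules path (flat tree assumed here).
    """
    pkgs = {}
    for path, entry in lock["packages"].items():
        name = entry["name"] if path == "" else path.rsplit("node_modules/", 1)[1]
        pkgs[name] = {
            "version": entry.get("version"),
            "deps": list(entry.get("dependencies", {})),
        }
    return pkgs


def dependency_paths(pkgs, root, target):
    """Every chain root -> ... -> target, so the team can see *why* it is installed."""
    paths = []
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        for dep in pkgs.get(node, {"deps": []})["deps"]:
            if dep in path:          # guard against dependency cycles
                continue
            if dep == target:
                paths.append(path + [dep])
            else:
                stack.append((dep, path + [dep]))
    return sorted(paths)


def who_is_affected(pkgs, root, advisory):
    """advisory = {"name": ..., "versions": {...}} -> chains pulling in a bad version.

    Returns [] when the locked version is not one of the affected versions, so
    the team can answer "not us, we are pinned to X" with the evidence in hand.
    """
    locked = pkgs.get(advisory["name"])
    if locked is None or locked["version"] not in advisory["versions"]:
        return []
    return dependency_paths(pkgs, root, advisory["name"])


def version_drift(pkgs, installed):
    """Compare what is actually installed against what the lockfile pins.

    installed = {name: version} as observed on the build host. Returns
    {name: (locked_version, installed_version)} for every mismatch; a locked
    version of None means the package is not in the lockfile at all.
    """
    drift = {}
    for name, version in installed.items():
        locked = pkgs.get(name, {}).get("version")
        if locked != version:
            drift[name] = (locked, version)
    return drift


if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_LOCK)
    advisory = {"name": "demo-http", "versions": {"1.7.2", "1.7.3"}}  # constructed
    for chain in who_is_affected(pkgs, "demo-app", advisory):
        print(" -> ".join(chain))
    # Constructed inventory from a build host: one upgraded, one unlisted package.
    observed = {"web-framework": "4.2.0", "demo-http": "1.7.3", "newcomer": "0.1.0"}
    for name, (locked, seen) in version_drift(pkgs, observed).items():
        print(f"drift: {name} locked={locked} installed={seen}")
```

The "who is affected?" query is a plain graph walk over the lockfile, which is why it runs in seconds once the lockfiles are collected centrally; the slow part in most organisations is not the query but the fact that nobody has gathered the lockfiles. The drift check is the build-side half of the same discipline: a package that is installed at a version the lockfile never recorded is exactly the "next routine update" the post describes arriving unannounced.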

What a breach actually costs

Australian boards are now expected to oversee cyber risk the way they oversee financial risk. Listed companies have to tell the market about serious cyber incidents; any organisation holding personal data must notify the privacy regulator as soon as practicable once an eligible breach is identified; critical infrastructure operators have between twelve and seventy-two hours to report significant incidents to the Australian Cyber Security Centre, depending on severity.8

A supply chain incident at a listed company is a stack of costs: market disclosure, mandatory regulator notification, a forensics engagement at typical day rates, customer contractual notifications, and the executive time absorbed by all of the above. IBM’s most recent figures put the average Australian data breach at AUD 4.26 million, with detection and escalation alone accounting for AUD 1.65 million of that.9 Supply chain compromises sit at the worst end of that distribution; globally they take 267 days on average to identify and contain, longer than any other breach class measured, because the trust relationship between maintainer and consumer is exactly what the attacker rented.10

For a board, the question is what the organisation can tell its regulators or its auditors, in writing, on the day a component it installs turns out to be malicious. Most companies cannot answer that today.

What’s next in this series

The supply chain in 2026 is wider than most organisations are tracking. The next two posts in this series go deeper into the parts I had to compress here.

The next post is about AI’s supply chain specifically: the new plug-ins extending AI coding assistants like Claude Code, the publicly hosted AI models companies are downloading without inspection, and the hidden code that rides in on what looks like AI-assisted work. The AI tools reshaping how software gets built run on the least-audited part of the supply chain.

The post after that is the practical one: what mature engineering organisations actually do, how detection works once prevention has failed, and how a board gets to “yes, we can answer that” on the question above.

Next Tuesday, somewhere in your organisation, a developer will install something nobody read. The act of faith stays an act of faith. The point of this series is to widen the picture of what you are taking on faith.


Footnotes

  1. Jason Saayman, “Compromise of axios: maintainer’s first-person account”. axios GitHub issue #10636. Retrieved 16 May 2026. See also Google’s UNC1069 writeup on the documented playbook.

  2. “500+ npm packages compromised in ongoing supply chain attack ‘Shai-Hulud’”. Truesec. Retrieved 17 May 2026. See also Sysdig’s initial-wave technical writeup and CISA’s advisory of 23 September 2025.

  3. “TeamPCP expands supply chain compromise: spreads from Trivy to Checkmarx GitHub Actions”. Sysdig. Retrieved 17 May 2026.

  4. “Cyberhaven says it was hacked to publish a malicious update to its Chrome extension”. TechCrunch. Retrieved 17 May 2026. See also Sekoia’s analysis of the broader campaign.

  5. Codecov (2021): “A deep dive into the Codecov supply chain breach”, GitGuardian. 3CX (2023): “3CX software supply chain compromise”, Mandiant / Google Cloud. CircleCI (2023): “Security alert: rotate any secrets stored in CircleCI”, CircleCI. All retrieved 17 May 2026.

  6. Joel Serna Moreno, EvilCrowCable-Wind repository (maker’s primary documentation). Retrieved 17 May 2026.

  7. Andres Freund, discovery announcement on the oss-security mailing list, 29 March 2024. See also Wikipedia’s “XZ Utils backdoor” for the “Jia Tan” persona context.

  8. “Report a cyber security incident”. Australian Signals Directorate’s Australian Cyber Security Centre. Retrieved 18 May 2026.

  9. “Average cost of an Australian data breach hits AUD $4.26 million”. SecurityBrief Australia, citing IBM’s 2024 Cost of a Data Breach Report. Retrieved 18 May 2026.

  10. “Cost of a Data Breach Report 2025”. IBM, in collaboration with the Ponemon Institute. Retrieved 18 May 2026.