
Supply Chain Attacks Doubled in 2025 — $60B in Losses and No Sign of Slowing

Software supply chain attacks more than doubled in 2025, with 70%+ of organizations hit by third-party incidents. AI is compressing attack timelines from weeks to hours.

admin, April 5, 2026
Supply Chain | Cybersecurity | Threat Intelligence

Software supply chain attacks have become one of the defining cybersecurity threats of this era — and the numbers from 2025 confirm that the problem is accelerating dramatically.

The scale of the problem

  • Supply chain attacks **more than doubled** in 2025 compared to the prior year
  • Global financial losses hit **$60 billion** in 2025
  • **70%+ of organizations** experienced a third-party or supply chain security incident
  • AI-assisted tooling is now compressing attack timelines from weeks to hours

How these attacks work

Supply chain attacks target the trusted relationships between organizations and their vendors, software providers, and service partners. Instead of attacking a hardened target directly, threat actors compromise a supplier — and use that access as a backdoor into dozens or hundreds of downstream organizations simultaneously.

Recent high-profile vectors include:

  • CRM and ERP systems (Salesforce, SAP) used as pivot points into customer data
  • Managed Service Providers (MSPs) as force multipliers for attacker access
  • Open-source package repositories seeded with malicious code
  • Software update mechanisms weaponized to deliver malware (the TrueChaos campaign targeting Southeast Asian governments via TrueConf used this method)

The AI acceleration factor

What's new in 2026 is the role of AI in enabling these attacks at scale. Threat actors are using AI to:

  • Automate the discovery of vulnerable dependencies across thousands of targets
  • Generate convincing spear-phishing for contractor and vendor employees
  • Accelerate the development of custom malware tailored to specific targets

The Axios and LiteLLM compromises in March 2026 — both enabling Remote Access Trojan delivery — demonstrated how quickly AI-assisted supply chain attacks can move from initial compromise to payload delivery.

Protecting your organization

  • **Know your software bill of materials (SBOM).** You can't protect dependencies you don't know exist.
  • **Vet third-party security posture rigorously.** Vendor questionnaires are not enough — require evidence of security controls.
  • **Monitor for anomalous behavior from trusted systems.** Supply chain attacks succeed because the initial access looks legitimate.
  • **Apply zero-trust principles to internal services.** Lateral movement from a compromised vendor should hit a wall, not a highway.
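To make the SBOM point concrete, here is a small added example (written for this post, not code from the original article or from any project named above) that compares a CycloneDX-style SBOM against what a build actually resolved, flagging dependencies the SBOM does not know about, entries with no integrity hash, hash mismatches and version drift. The SBOM, package names and hash values are constructed placeholders, not real digests.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM: what the build *claims* to ship (dummy hashes).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "webclient", "version": "2.1.0",
     "hashes": [{"alg": "SHA-256", "content": "1111aaaa"}]},
    {"type": "library", "name": "authlib", "version": "0.9.3"},
    {"type": "library", "name": "imgproc", "version": "5.0.1",
     "hashes": [{"alg": "SHA-256", "content": "3333cccc"}]}
  ]
}"""

# Constructed inventory of what the lock file actually resolved: name -> (version, sha256).
RESOLVED: Dict[str, Tuple[str, str]] = {
    "webclient": ("2.1.0", "1111aaaa"),       # matches the SBOM exactly
    "authlib": ("0.9.3", "2222bbbb"),         # SBOM has no hash to compare against
    "imgproc": ("5.0.2", "3333dddd"),         # version and hash differ from the SBOM
    "telemetry-helper": ("1.0.0", "4444eeee"),  # never declared in the SBOM at all
}

def sbom_components(sbom_json: str) -> Dict[str, Tuple[str, str]]:
    """Map each SBOM component to (version, sha256 or empty string if absent)."""
    out: Dict[str, Tuple[str, str]] = {}
    for c in json.loads(sbom_json).get("components", []):
        sha = next((h["content"] for h in c.get("hashes", []) if h["alg"] == "SHA-256"), "")
        out[c["name"]] = (c["version"], sha)
    return out

def audit(sbom: Dict[str, Tuple[str, str]],
          resolved: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, package) pairs; an empty list means the SBOM matches reality."""
    findings: List[Tuple[str, str]] = []
    for name, (ver, sha) in resolved.items():
        if name not in sbom:
            findings.append(("not-in-sbom", name))    # blind spot: dependency nobody tracks
            continue
        exp_ver, exp_sha = sbom[name]
        if not exp_sha:
            findings.append(("no-hash", name))        # integrity of the artifact is unverifiable
        elif exp_sha != sha:
            findings.append(("hash-mismatch", name))  # artifact differs from what was attested
        if exp_ver != ver:
            findings.append(("version-drift", name))  # quietly pulled a different release
    for name in sbom:
        if name not in resolved:
            findings.append(("stale-sbom-entry", name))  # SBOM describes something not shipped
    return findings

if __name__ == "__main__":
    for finding, pkg in audit(sbom_components(SBOM_JSON), RESOLVED):
        print(f"{finding:18} {pkg}")
```

Any non-empty result should block the release or page an engineer; in this constructed run, only `webclient` passes cleanly.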
