Supply Chain Attacks Have Doubled. What’s Driving the Increase?
Software supply chain attacks have surged, with their frequency doubling in recent months. Vulnerability exploitation, cloud threats and AI-driven phishing are behind the increase. IT services companies are the primary targets, and the downstream impact is far-reaching. Defending against them requires stronger security controls and audits. 2025-9-1 10:30:53 Author: cyble.com

Threat actors have been able to access the most sensitive data of suppliers and their customers, serving as a wakeup call for third-party risks.

Software supply chain attacks have been occurring at twice their long-term average in recent months and have shown no sign of slowing down. 

The uptick in supply chain attacks began in April 2025, when Cyble dark web researchers observed claims of 31 such attacks. Since then, cyberattacks with supply chain implications have averaged 26 a month, twice the rate seen from early 2024 through March 2025 (chart below). 

[Chart: supply chain attacks per month]

Cyble’s most recent threat landscape report (registration required) documented 30 supply chain incidents in July, and such attacks have remained a near-daily occurrence through August. Each incident has the potential to impact many downstream customers; one ransomware group claims that a recent attack yielded data on 41,000 customers of a company. Ransomware attacks, data breaches, zero-day exploits and IP theft have been among the recent incidents impacting the supply chain. 

Reasons for the Increase in Supply Chain Attacks 

Cyble analysts see a number of possible reasons for the doubling of supply chain attacks over the last five months. 

Critical vulnerabilities in enterprise IT and software products in recent months have led to widespread exploitation of zero days and unpatched vulnerabilities. Citrix NetScaler and Microsoft SharePoint vulnerabilities, for example, have seen possible exploitation by ransomware groups. Cloud security threats and AI-based phishing campaigns have also played a role in the growing number of supply chain exploits. 

Targeting suppliers and service providers and their customers likely also helps threat actors build pressure on victims to pay the ransom. 

While nearly every sector has been hit by a supply chain attack this year (chart below), IT and IT services companies have been targeted far more than other sectors because they represent a rich target with significant downstream reach. 

[Chart: supply chain attacks by sector]

Recent Supply Chain Incidents 

One noteworthy recent supply chain incident involved a suspected ransomware attack on a Swedish HR software provider, which impacted approximately 200 Swedish municipalities, along with multiple regional administrations, universities and corporations. The suspected ransomware attack largely disrupted a platform that manages critical employee data, including medical certificates, rehabilitation plans, and work-related injury records. 

The SafePay ransomware group claimed responsibility for a cyberattack on a major U.S.-based global technology and supply chain services provider. The group alleged the theft of 3.5TB of data, and the resulting operational disruption impacted key systems, including distribution, licensing, transaction systems, and API infrastructure. 

The Arkana ransomware group claimed responsibility for a cyberattack on a U.S.-based company that provides electronic design automation (EDA) tools and semiconductor IP. The group did not disclose the volume of data allegedly stolen but published a preview file listing 100 out of 41,000 companies and customers allegedly affected, among them the U.S. Department of Defense. Arkana claims the compromised data includes contracts, billing receipts, internal documents, EDA files, intellectual property, research materials, employee information, and more. 

A threat actor (TA) on BreachForums claims to have gained unauthorized access to a corporate helpdesk system that services multiple large organizations. The TA claims to have credentials and the ability to dump, exfiltrate, and manipulate extensive production data, including client and employee records, communication tickets, and logs. The compromised system hosts data of 8,521 clients and 808 active client companies. The TA also claimed to possess thousands of remote access credentials (VPN, RDP, TeamViewer), enabling potential lateral movement into client networks. 

The Team Underground ransomware group claims to have leaked 2.3TB of data allegedly stolen from a South Korea–based company that provides automation systems, industrial machinery, and technology solutions for the semiconductor, display, and battery industries. According to the group’s description, the stolen dataset contains highly sensitive material, including AI development files, scanned passports, trade secrets, contracts, financial records, and project information tied to major partners. 

A threat actor (TA) on DarkForums claimed unauthorized access to an Israeli software company specializing in business management and accounting solutions. The TA claimed to have gained full administrative access to a network of 78 dedicated macOS and Windows servers located in Israel. According to the TA, they possessed complete control over these systems via command-line interface (CLI), graphical user interface (GUI), and remote desktop protocols. 

INC Ransom group leaked 116GB of data allegedly stolen from a U.S.-based company that specializes in ultra-wideband (UWB) wireless USB solutions for high-speed data transfer for several industrial applications, including military uses. A preview of the leaked file structure suggests the attackers had access to financial records, inventory documentation, customer purchase orders, invoices, and quotes. The data also includes internal folders related to contracts, NDA tracking, vendor information, IT and systems engineering, customer engineering, manufacturing operations, and software resources. 

The Qilin ransomware group claimed responsibility for compromising a U.S.-based company involved in blockchain infrastructure and application development. The group published screenshots of SQL Server file trees as proof of access. The images reveal dozens of database files related to critical business systems. Based on the file tree samples, Qilin appears to have accessed structured data from SharePoint, application analytics, user profiles, HR, workflow automation services, product metadata, and blockchain environments. 

Qilin also claimed responsibility for attacks on two companies in the optical and semiconductor technology sector, a U.S.-based firm specializing in fiber optic and photonic systems for defense, telecommunications, and industrial applications, and a French company providing advanced equipment and solutions for semiconductor manufacturing. Qilin released 27 data samples from one of the companies, including scanned identification documents, invoices, certificates, technical product documentation, and internal business records. 

Qilin also claimed responsibility for a cyberattack targeting a U.S.-based telecommunications infrastructure provider known for delivering scalable mobile network solutions to government, commercial, and military clients. Qilin released seven samples that suggest access to sensitive facility documentation, technical blueprints, and client agreements. 

The Rhysida ransomware group claimed responsibility for a cyberattack against a U.S.-based technology company that provides artificial intelligence solutions and digital platforms. The group has published several samples allegedly taken from the breach, including internal correspondence, client information, contracts, blueprints of product architecture, and financial documents. 

Protecting Against Supply Chain Attacks 

Protecting against software supply chain attacks is challenging because these partners and suppliers are, by nature, trusted, but security audits and assessing third-party risk should become standard cybersecurity practices. 

Organizations should also build in controls and resilience wherever possible to limit the extent of any attacks. Such controls include: 

  • Network microsegmentation 
  • Strong access controls, allowing no more access than is required, with frequent verification 
  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, and machine authentication with device compliance and health checks 
  • Encryption of data at rest and in transit 
  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible 
  • Honeypots that lure attackers to fake assets for early breach detection 
  • Proper configuration of API and cloud service connections 
  • Monitoring for unusual activity with SIEM, Active Directory monitoring, and data loss prevention (DLP) tools 
  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests 
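Two of the controls above, access that is no broader than required with frequent verification, and monitoring for unusual activity, can be exercised together against the remote-access credentials that the helpdesk incident above put at risk. The following is an added example, not Cyble's code: it audits a constructed sample of VPN/RDP authentication events against a hypothetical per-vendor policy (approved source networks, approved services, approved maintenance window) and reports every successful vendor login that falls outside that scope. The account names, networks, log format and windows are all assumptions made for the illustration.

```python
"""Flag third-party remote-access logins that fall outside each vendor's
approved scope.  Added example (not Cyble's code); the log format, account
names, networks and maintenance windows are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class VendorPolicy:
    networks: tuple       # CIDR blocks the vendor may connect from
    services: frozenset   # remote-access services the vendor is approved for
    window: tuple         # (start, end) local time of the maintenance window


# Hypothetical allow-list, the kind of record a contract or onboarding review produces.
POLICIES = {
    "svc-vendor-hr": VendorPolicy(("203.0.113.0/24",), frozenset({"vpn"}),
                                  (time(8, 0), time(18, 0))),
    "svc-vendor-desk": VendorPolicy(("198.51.100.0/24",), frozenset({"vpn", "rdp"}),
                                    (time(9, 0), time(17, 0))),
}

# Constructed sample of authentication events: timestamp|user|source ip|service|result
SAMPLE_LOG = """\
2025-08-12T10:15:02|svc-vendor-hr|203.0.113.17|vpn|success
2025-08-12T23:41:55|svc-vendor-hr|203.0.113.17|vpn|success
2025-08-12T11:03:10|svc-vendor-desk|198.51.100.8|rdp|success
2025-08-12T11:07:44|svc-vendor-desk|192.0.2.9|rdp|success
2025-08-12T12:30:00|svc-vendor-hr|203.0.113.40|rdp|success
2025-08-12T12:45:00|jdoe|10.0.0.5|vpn|success
2025-08-12T13:00:00|svc-vendor-desk|198.51.100.8|vpn|failure
"""


def parse_line(line):
    """Split one pipe-separated event into typed fields."""
    ts, user, ip, service, result = line.strip().split("|")
    return datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), service, result


def violations_for(event):
    """Return the policy dimensions a successful vendor login violates (empty if none)."""
    ts, user, ip, service, result = event
    policy = POLICIES.get(user)
    if policy is None or result != "success":
        return []   # not a vendor account, or the login never succeeded
    found = []
    if not any(ip in ipaddress.ip_network(n) for n in policy.networks):
        found.append("source-network")
    if service not in policy.services:
        found.append("service")
    start, end = policy.window
    if not (start <= ts.time() <= end):
        found.append("window")
    return found


def audit(log_text):
    """Return (timestamp, user, [violations]) for each vendor login outside policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        found = violations_for(event)
        if found:
            findings.append((event[0].isoformat(), event[1], found))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, `audit` reports three events: the HR vendor connecting at 23:41 outside its window, the helpdesk vendor connecting from a network it was never approved for, and the HR vendor using RDP when only VPN was agreed. The same logic applies to any authentication source that yields user, source address, service and time; the value is in keeping the vendor allow-list current, which is exactly what the frequent verification in the list above is for.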

The most effective place to control software supply chain risks is in the continuous integration and delivery (CI/CD) process, so carefully vetting partners and suppliers and requiring good security controls in contracts are essential ways to improve third-party security. Services like Cyble’s third-party risk intelligence can help you get started on this process. By making security a buying criterion, vendors will be more likely to respond with better security controls and documentation. 
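One way to turn supplier vetting into an enforceable CI/CD control, added here as an example that is not Cyble's code and generalizes beyond the contractual vetting the paragraph describes: a pipeline gate that refuses to build when a dependency is not pinned to an exact version, carries no integrity hash, or names a package that has not been through the organization's third-party review. The vetted-package register, the manifest lines and the digests below are constructed placeholders, not real projects or real package hashes.

```python
"""CI gate: fail the build when a dependency is unpinned, lacks an integrity
hash, or comes from a package that has not been vetted.  Added example; the
register, manifest and digests are constructed, not from any real project."""
import re

# Hypothetical register of vetted packages, keyed by name, value = review reference.
VETTED = {
    "requests": "vendor-review-2025-06",
    "cryptography": "vendor-review-2025-05",
}

# pip-style pinned line: "name==version --hash=sha256:<64 hex chars>"
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")

# Constructed manifest; "a"*64 and "b"*64 are placeholder digests, not real hashes.
MANIFEST = """\
# pinned, hashed and vetted: acceptable
requests==2.32.3 --hash=sha256:{a}
# range instead of an exact pin
cryptography>=42
# pinned and hashed, but nobody has reviewed this supplier
leftpad-clone==1.0.0 --hash=sha256:{b}
# pinned and vetted, but no integrity hash
cryptography==43.0.0
""".format(a="a" * 64, b="b" * 64)


def check_manifest(text):
    """Return a list of (package, problem) pairs; an empty list means the manifest passes."""
    problems = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if not match:
            problems.append((line.split()[0], "not pinned to an exact version"))
            continue
        name = match.group("name").lower()
        if name not in VETTED:
            problems.append((name, "supplier not vetted"))
        if not HASH_RE.search(match.group("rest")):
            problems.append((name, "missing sha256 integrity hash"))
    return problems


def gate(text):
    """True when the build may proceed, False when any dependency fails policy."""
    return not check_manifest(text)


if __name__ == "__main__":
    for package, problem in check_manifest(MANIFEST):
        print(f"{package}: {problem}")
    print("build allowed" if gate(MANIFEST) else "build blocked")
```

On the constructed manifest the gate blocks the build with three findings: the `>=42` range, the unreviewed `leftpad-clone`, and the hash-less `cryptography` pin. Wiring `gate` into the pipeline means a supplier only reaches production after it has been reviewed and its artifact has been pinned by content, which is the point of controlling supply chain risk in CI/CD rather than after deployment.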


Source: https://cyble.com/blog/supply-chain-attacks-double-in-2025/