Supply chain attack

An intrusion that compromises a trusted upstream vendor — software, SaaS, MSP — to reach every downstream organization that uses it.

A supply chain attack is an intrusion in which the attacker compromises a trusted upstream provider — a software vendor, a SaaS application, an MSP, an open-source dependency, a hardware supplier — in order to reach every downstream organization that trusts that provider. The downstream victim’s own defenses are largely irrelevant because the attack arrives through an update, a signed binary, or an authorized API integration the victim has already chosen to trust.

The 2020 SolarWinds Orion compromise remains the canonical example: attackers injected a backdoor into a routine product update that was then deployed by roughly 18,000 customers, including US federal agencies. The 2021 Kaseya VSA incident propagated REvil ransomware through an MSP platform. The 2023 3CX incident was a double supply-chain compromise: the attackers first compromised one vendor's software, used it to gain a foothold inside 3CX, and then trojanized 3CX's own desktop client so that it carried the malware to 3CX's customers. ENISA's Threat Landscape and MITRE ATT&CK both treat supply chain compromise as a top-tier initial-access vector.

Defining properties:

  • Asymmetric reach. One compromised vendor = thousands of victims. Attackers favor the highest-multiplier targets.
  • Trust is the payload. The malicious code is signed, the OAuth grant is authorized, the update is routine. Endpoint defenses tend to allow it.
  • Multiple flavors. Software updates (SolarWinds), MSP platforms (Kaseya), open-source packages (npm, PyPI), SaaS-side OAuth grants, hardware implants.
  • Long dwell time. Discovery often takes months. SolarWinds was live for at least nine months before disclosure.
  • The SaaS variant is now dominant. A compromised marketing SaaS with a read scope on your mailbox is a supply-chain breach without anyone touching a binary.

Mitigations span technical and behavioral layers. NIS2 and DORA both push supply-chain risk management into the regulatory baseline for in-scope entities; ANSSI’s vendor-risk guidance and NIST SP 800-161 give the operational playbooks. On the human side, the OAuth grant review reflex, vendor onboarding verification, and a process for handling dormant external collaborators close the SaaS-shaped portion of the supply-chain surface — the part that conventional vendor-risk questionnaires usually miss.
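The SaaS-shaped exposure described above (a third-party app holding a read scope on a mailbox) and the "OAuth grant review reflex" named as a mitigation are easier to operationalize with a concrete check. The script below is an added example, not code from the original page or from any vendor or regulator it cites. It takes an export of OAuth grants and flags the ones a reviewer should look at: high-impact scopes held by apps from unverified publishers, and grants that have gone dormant but still hold access. The grant records are constructed sample data, and the field names and scope strings are assumptions rather than any specific identity provider's export format.

```python
"""Added example: a minimal OAuth grant review for the SaaS supply-chain surface.

Flags two conditions a reviewer should act on:
  1. an app from an unverified publisher holds a high-impact scope
     (e.g. read access to mailboxes or all files), and
  2. a grant has not been used within `dormant_days` (or ever) but still
     holds access, which is the SaaS analogue of a dormant external collaborator.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Scopes that give an app standing access to high-value data. These names are
# illustrative assumptions; real scope strings differ per identity provider.
HIGH_IMPACT_SCOPES = {"mail.read", "mail.readwrite", "files.read.all", "directory.read.all"}


@dataclass
class Grant:
    """One OAuth grant as it might appear in an admin-console export (assumed schema)."""
    app: str
    publisher_verified: bool
    scopes: set[str]
    last_used_days_ago: int | None  # None means the grant has never been exercised
    granted_by: str


@dataclass
class Finding:
    app: str
    reason: str
    scopes: set[str] = field(default_factory=set)


def review_grants(grants: list[Grant], dormant_days: int = 90) -> list[Finding]:
    """Return the grants that need reviewer attention, in export order."""
    findings: list[Finding] = []
    for g in grants:
        risky = g.scopes & HIGH_IMPACT_SCOPES
        # Condition 1: high-impact scope held by an app nobody has vetted.
        if risky and not g.publisher_verified:
            findings.append(Finding(g.app, "unverified publisher holds high-impact scope", risky))
        # Condition 2: the grant is dormant but still live. Access that is not
        # being used is pure exposure and should be revoked.
        if g.last_used_days_ago is None or g.last_used_days_ago > dormant_days:
            findings.append(Finding(g.app, "dormant grant still holds access", set(g.scopes)))
    return findings


def summarize(findings: list[Finding]) -> list[tuple[str, str]]:
    """Compact (app, reason) view of the findings, useful for tickets or tests."""
    return [(f.app, f.reason) for f in findings]


# Constructed sample export; none of these apps or users are real.
SAMPLE_GRANTS = [
    Grant("Marketing Mailer", False, {"mail.read", "profile"}, 3, "alice"),
    Grant("Calendar Helper", True, {"calendars.read"}, 200, "bob"),
    Grant("Ticketing Sync", True, {"mail.readwrite"}, 1, "carol"),
    Grant("Old Trial App", False, {"files.read.all"}, None, "dave"),
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"{f.app}: {f.reason} ({', '.join(sorted(f.scopes))})")
```

Run against the sample export, the verified "Ticketing Sync" app with a mail write scope produces no finding at all: the check is deliberately about unvetted publishers and unused access, not about every powerful scope. Raising `dormant_days` relaxes only the second condition; a grant that has never been used is always flagged.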
