Supply Chain Attack
An attack that targets a less-secure element in a software or hardware supply chain to compromise the many organisations that rely on that supplier.
Also known as: third-party attack, value-chain attack, software supply chain compromise
Last reviewed: 1 June 2026
A supply chain attack occurs when an adversary infiltrates a trusted software vendor, hardware manufacturer, or managed service provider and uses that position of trust to push malicious code or modifications to all of the vendor's customers simultaneously. Rather than attacking a hardened target directly, the attacker exploits the weaker links in the network of dependencies that the target organisation relies on.
High-profile examples have involved malicious updates pushed through software build systems, compromised open-source libraries that are pulled automatically into thousands of applications, and hardware components shipped with pre-installed implants. Because the compromise arrives via a trusted update or legitimate software package, recipients have no reason to suspect it.
The risk is amplified by the interconnected nature of modern software development, where a single widely used library or platform can be a dependency of tens of thousands of products. Mitigations include software composition analysis, code-signing verification, vendor security assessments, and monitoring for unexpected network behaviour after software updates.
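One concrete form of the composition-analysis and integrity-verification mitigations above is to pin every dependency to a reviewed version and hash, and refuse any artifact that is unpinned or whose bytes differ. The following is an added illustration, not code from the original entry; the manifest format and the package name are constructed, and the check only detects a change relative to a previously reviewed artifact (a new version is rejected until someone reviews and pins it), so it complements rather than replaces signature checks and vendor assessment.

```python
"""Verify downloaded dependencies against a pinned lock manifest.

Assumed, constructed format: {(name, version): sha256_hex}. Real ecosystems
carry the same name/version/hash triples in their own lock files.
"""
import hashlib
import hmac

# Constructed artifacts standing in for a reviewed package and a tampered copy.
ARTIFACT_GOOD = b"def helper():\n    return 42\n"
ARTIFACT_TAMPERED = ARTIFACT_GOOD + b"# unexpected line added after review\n"

# In practice the pin is recorded at review time; here it is derived from the
# reviewed bytes so the example is self-contained.
LOCK = {
    ("helperlib", "1.4.2"): hashlib.sha256(ARTIFACT_GOOD).hexdigest(),
}


def verify_artifact(name, version, data, lock=LOCK):
    """Return (accepted, reason) for a downloaded artifact.

    Rejects anything not pinned, and anything whose SHA-256 differs from the
    pinned digest. The comparison is constant-time, which costs nothing here.
    """
    key = (name, version)
    if key not in lock:
        return False, f"{name}=={version} is not pinned; review before use"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, lock[key]):
        return False, f"{name}=={version} hash mismatch (expected {lock[key][:12]}..., got {digest[:12]}...)"
    return True, "ok"


def verify_update_batch(batch, lock=LOCK):
    """Check a list of (name, version, bytes) and return the rejected entries."""
    rejected = []
    for name, version, data in batch:
        accepted, reason = verify_artifact(name, version, data, lock)
        if not accepted:
            rejected.append((name, version, reason))
    return rejected


if __name__ == "__main__":
    batch = [
        ("helperlib", "1.4.2", ARTIFACT_GOOD),      # pinned and unchanged
        ("helperlib", "1.4.2", ARTIFACT_TAMPERED),  # pinned but modified
        ("helperlib", "1.5.0", ARTIFACT_GOOD),      # new version, not yet reviewed
    ]
    for entry in verify_update_batch(batch):
        print("REJECTED:", *entry)
```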
Examples
- Attackers compromise the build server of a widely used IT management software company and insert malicious code into a legitimate signed update, which is then automatically installed by thousands of enterprise customers.