IT Sidekick, Vol. 01 — The Growth Issue
threats | March 31, 2026

Supply Chain Attacks Explained: How Your Vendors Become Your Weakest Link


IT Sidekick

Senior Strategist

Supply chain attacks exploit trusted vendors. Here's how they work and how to protect your organization.


SolarWinds. MOVEit. Kaseya. Codecov. Log4j (sort of). Every few months there's another headline about some company getting breached through its vendors. Here's the thing most people miss: you don't have to be the primary target.

Attackers go after the weak link. Increasingly, that's your suppliers.

Here's how it works in practice.

An attacker finds a software vendor with thousands of customers. They compromise that vendor—maybe through a phishing email, maybe a zero-day, maybe just poor security hygiene. Once they're in, they plant malicious code in the vendor's software update. Then they wait. Every customer who updates automatically gets infected.

SolarWinds is the textbook example. Russian hackers spent months inside SolarWinds' network before inserting malicious code into their Orion platform. The update looked legitimate. It was signed. It came from a trusted source. And it deployed backdoors into 18,000 organizations worldwide.

What made it devastating was trust. These weren't suspicious emails from unknown senders. They were legitimate software updates from a vendor IT teams had been trusting for years.

MOVEit was different. Progress Software's MOVEit Transfer tool had a zero-day vulnerability. Attackers exploited it to steal data directly from thousands of organizations. The vulnerability wasn't exactly the customers' fault—but once discovered, it became a mass exploitation vector.

Here's what keeps security teams up at night: you can't defend against what you can't see. Your vendors have access you don't monitor. They run code you don't audit. They store data you can't protect directly.

SBOMs—Software Bills of Materials—are part of the answer. Think of them as ingredient labels for software. If you know every library and component in your software, you know what needs patching when the next Log4j hits.

But SBOMs only help if you actually use them. Most companies collect them for compliance and never look at them again. Real value comes from automated scanning, dependency tracking, and rapid response.
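What "actually using" an SBOM looks like in practice is cross-checking it against advisories every time a new one lands. The script below is an added example, not code from the article or from IT Sidekick: it reads a minimal CycloneDX-style SBOM, matches each component's package URL (purl) against an advisory list, and flags components whose version is below the fixed version, plus components that cannot be matched at all and need a human look. The SBOM contents, the advisory entries, their version ranges and the ADV-PLACEHOLDER ids are all constructed for illustration and are not real advisories.

```python
"""Cross-check a CycloneDX SBOM against an advisory list (added example).

Everything below is constructed sample data: the SBOM, the advisory feed,
the version ranges and the advisory ids are placeholders, not real advisories.
"""
import json

# Constructed CycloneDX 1.4-style SBOM with only the fields this check needs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        # No purl: a vendor-supplied component we cannot match automatically.
        {"type": "library", "name": "internal-widget", "version": "1.0"},
    ],
})

# Constructed advisory feed keyed by purl without version.
# "affected_below" is the first version that is NOT affected.
SAMPLE_ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": {
        "id": "ADV-PLACEHOLDER-1", "affected_below": "2.17.1"},
    "pkg:pypi/requests": {
        "id": "ADV-PLACEHOLDER-2", "affected_below": "2.32.0"},
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_base(purl):
    """Strip the '@version' suffix so the purl can be used as a lookup key."""
    return purl.split("@", 1)[0]


def load_components(sbom_json):
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom.get("components", [])


def find_affected(sbom_json, advisories):
    """Return one finding per affected or unmatchable component."""
    findings = []
    for comp in load_components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            # Cannot be matched reliably by name alone: route to manual review.
            findings.append({"name": comp.get("name"), "status": "unmatched"})
            continue
        advisory = advisories.get(purl_base(purl))
        if advisory is None:
            continue
        if parse_version(comp["version"]) < parse_version(advisory["affected_below"]):
            findings.append({
                "name": comp["name"],
                "status": "affected",
                "installed": comp["version"],
                "fixed_in": advisory["affected_below"],
                "advisory": advisory["id"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

The "unmatched" path is the part most SBOM tooling quietly skips; a component that cannot be mapped to a purl is exactly the kind of vendor-supplied blob you want a person to look at when the next Log4j hits.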

Vendor risk management needs teeth, not just checklists. I tell clients to ask three questions before onboarding any critical vendor: What happens to our data if you're breached? What access do you have to our systems? How do you notify us of security incidents?

The answers—or lack thereof—tell you everything.

Practical steps that actually help:

Assess before you buy. Security shouldn't be an afterthought. If a vendor can't explain their security controls clearly, walk away.

Limit access. Vendors get minimum necessary access. Period. If they need admin access, document why and review quarterly.

Monitor. You can't monitor everything, but monitor what matters. Unusual data transfers from vendor accounts. Failed authentication attempts. Weird outbound traffic.

Plan for breach. Assume it will happen. Have playbooks. Know who to call. What to tell customers. How to contain it.

Diversify. Single points of failure are dangerous. If all your critical services depend on one vendor, you're at their mercy.
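The "Limit access" and "Monitor" steps above are easier to act on once vendor accounts are a named class with a written policy attached. The script below is an added example, not code from the article or from IT Sidekick: it runs three detections over activity logs for vendor service accounts (a burst of failed authentications within a short window, a single transfer larger than the account's agreed limit, and a transfer to a destination the vendor was never allowed to send to). The log format, account names, IP addresses, thresholds and allowlists are all constructed for illustration.

```python
"""Detections over vendor service-account activity (added example).

The log format, account names, addresses and policy values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a made-up key=value format.
SAMPLE_LOGS = """\
2026-03-31T02:00:05Z user=svc-vendorA event=auth_failed src=198.51.100.10
2026-03-31T02:00:19Z user=svc-vendorA event=auth_failed src=198.51.100.10
2026-03-31T02:00:40Z user=svc-vendorA event=auth_failed src=198.51.100.10
2026-03-31T02:01:02Z user=svc-vendorA event=auth_failed src=198.51.100.10
2026-03-31T02:01:30Z user=svc-vendorA event=auth_failed src=198.51.100.10
2026-03-31T02:01:55Z user=svc-vendorA event=auth_ok src=198.51.100.10
2026-03-31T02:05:12Z user=svc-vendorA event=transfer bytes=7340032000 dst=203.0.113.45
2026-03-31T03:10:00Z user=svc-vendorB event=auth_ok src=192.0.2.20
2026-03-31T03:10:30Z user=svc-vendorB event=transfer bytes=2048000 dst=192.0.2.25
2026-03-31T03:11:00Z user=svc-vendorB event=transfer bytes=1024000 dst=203.0.113.99
2026-03-31T04:00:00Z user=alice event=auth_failed src=10.0.0.5
"""

# Constructed vendor access policy: the "minimum necessary access" written down.
VENDOR_POLICY = {
    "svc-vendorA": {"allowed_dst": {"203.0.113.45"}, "max_transfer_bytes": 500_000_000},
    "svc-vendorB": {"allowed_dst": {"192.0.2.25"}, "max_transfer_bytes": 500_000_000},
}
FAILED_AUTH_THRESHOLD = 5
FAILED_AUTH_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {}
    for kv in match.group(2).split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    fields["ts"] = ts
    return fields


def detect(log_text, policy):
    """Return (alert_type, user, detail) tuples for vendor accounts only."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed auths
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if not event or event.get("user") not in policy:
            continue  # non-vendor accounts are out of scope for this detector
        user = event["user"]
        rules = policy[user]
        if event.get("event") == "auth_failed":
            window = failures[user]
            window.append(event["ts"])
            # Keep only failures inside the sliding window.
            while window and event["ts"] - window[0] > FAILED_AUTH_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_AUTH_THRESHOLD:
                alerts.append(("failed_auth_burst", user, event["ts"]))
                window.clear()  # one alert per burst, not one per extra failure
        elif event.get("event") == "transfer":
            nbytes = int(event.get("bytes", "0"))
            dst = event.get("dst")
            if nbytes > rules["max_transfer_bytes"]:
                alerts.append(("large_transfer", user, nbytes))
            if dst not in rules["allowed_dst"]:
                alerts.append(("unexpected_destination", user, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, VENDOR_POLICY):
        print(alert)
```

On the sample data, svc-vendorA trips the failed-authentication burst and then moves far more data than its limit to an allowed destination, while svc-vendorB stays under its size limit but sends to an address outside its allowlist. The policy dictionary is also the artefact you review quarterly: if an entry has grown more generous than the original onboarding justified, that is the "document why" conversation.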

The reality is sobering: you can outsource the work but you can't outsource the risk. Your vendors become your security perimeter. Treat them that way.

This isn't a solved problem. Supply chain attacks keep getting more sophisticated. But awareness helps. Due diligence helps. Having a plan helps.

Most importantly, stop treating vendor security as someone else's problem. It's yours — whether you like it or not.
