2025 in Review: The Year Supply Chain Became the Attack Surface

December 2025 marks the end of a year that will be remembered for one dominant trend: attackers systematically targeted the connections between organizations rather than organizations themselves.

The statistics tell part of the story. Global cybercrime costs reached an estimated $10.5 trillion. Forty-four percent of breaches involved ransomware. But the most significant number is this: 30% of breaches traced back to supply chain or third-party failures.

Attackers learned—or perhaps confirmed—a fundamental truth: why attack one company when you can attack the vendor serving a thousand?

The Year in Supply Chain Attacks

Each month brought new examples of this pattern:

June: CitrixBleed 2 (CVE-2025-5777) arrived, echoing the devastating vulnerability from 2023. The same week, the largest credential breach in history exposed 16 billion login credentials aggregated from infostealer malware running across millions of endpoints worldwide. Session tokens for major platforms became commodities traded in bulk.

September: A ransomware attack on Collins Aerospace’s MUSE passenger processing system grounded operations at Heathrow, Brussels, and Berlin airports simultaneously. Not three separate attacks—one attack on shared infrastructure with industry-wide impact.

October: Red Hat’s internal GitLab breach exposed 570GB of data, including 800 Customer Engagement Reports with credentials, VPN configurations, and infrastructure details for clients including IBM, Cisco, and the Department of Defense. Consulting artifacts became attack blueprints.

November and December: The cascade continued. Organizations discovered they were affected by breaches announced months earlier. Third-party notifications arrived. Credential rotation campaigns disrupted operations. The downstream effects of supply chain compromises played out across industries.

Why Supply Chain Attacks Dominate

Several factors converged to make 2025 the year of supply chain attacks:

Concentration of critical services. Modern enterprises rely on specialized vendors for functions that were once in-house: identity management, payment processing, cloud infrastructure, security tools. These vendors achieve scale by serving many customers. That scale creates concentration risk.

Asymmetric returns for attackers. Compromising a single well-positioned vendor provides access to hundreds or thousands of downstream targets. The effort-to-impact ratio is massively favorable for attackers.

Trust relationships bypass security. Vendors often have privileged access to customer environments. Security controls designed to stop external attackers don’t apply to trusted partners. Once inside the vendor, attackers inherit that trust.

Detection gaps at boundaries. Organizations monitor their own networks. They often can’t monitor what happens inside vendors. By the time a supply chain breach is discovered, lateral movement has already occurred.

Delayed disclosure. Vendors may not immediately disclose breaches to affected customers. The gap between compromise and notification gives attackers time to exploit access across multiple downstream targets.

The Defensive Shift

Traditional security focused on protecting the perimeter—the boundary between “inside” and “outside.” Supply chain attacks blur that boundary. The vendor inside your network is both trusted and a potential threat vector.

Effective defense requires a different mental model:

Assume breach at the boundary. Treat vendor connections as potential compromise paths. Segment vendor access. Monitor vendor activity. Limit what vendors can reach.

Map dependencies, not just vendors. A vendor assessment that covers only direct suppliers misses the full picture. Which vendors do your vendors use? Where are the concentration points?

Build for degraded operations. If a critical vendor goes offline, can you continue operating? Manual fallbacks, alternative providers, and reduced functionality modes need to exist before they’re needed.

Continuous over point-in-time. Annual vendor assessments miss drift. Security posture changes. Vendors get breached. Continuous monitoring—external attack surface, threat intelligence, security ratings—provides ongoing visibility.

Include supply chain in incident response. IR plans typically assume the organization is compromised. What if the compromise is at a vendor? Who do you call? What’s the escalation path? How do you communicate with customers when the problem isn’t yours to fix?
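To make the "Map dependencies, not just vendors" point concrete, the following added example (not part of the original article) walks a vendor dependency map transitively and reports concentration points, including vendors that never appear in a direct-supplier list. The inventory, all service and vendor names, and the 50% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory; every service and vendor name is hypothetical.
SERVICE_VENDORS = {            # business service -> vendors contracted directly
    "payroll": ["hr-saas"],
    "checkout": ["pay-gateway", "fraud-api"],
    "sso": ["idp-cloud"],
    "support": ["helpdesk-saas"],
}
VENDOR_DEPS = {                # vendor -> the vendors it relies on itself
    "hr-saas": ["cloud-a", "idp-cloud"],
    "pay-gateway": ["cloud-a"],
    "fraud-api": ["cloud-b", "ml-host"],
    "idp-cloud": ["cloud-a"],
    "helpdesk-saas": ["cloud-b", "idp-cloud"],
    "ml-host": ["cloud-a"],
}

def transitive_vendors(direct, deps):
    """Every vendor reachable from the direct list; safe on circular deps."""
    seen, stack = set(), list(direct)
    while stack:
        vendor = stack.pop()
        if vendor not in seen:
            seen.add(vendor)
            stack.extend(deps.get(vendor, []))
    return seen

def concentration_points(services, deps, threshold=0.5):
    """Vendors whose failure reaches at least `threshold` of all services.

    Returns (vendor, affected services, indirect_only) tuples, widest reach
    first. indirect_only marks vendors absent from every direct-supplier list,
    the ones a direct-supplier-only assessment never looks at.
    """
    reach = defaultdict(set)
    for service, direct in services.items():
        for vendor in transitive_vendors(direct, deps):
            reach[vendor].add(service)
    contracted = {v for direct in services.values() for v in direct}
    rows = [(v, sorted(s), v not in contracted)
            for v, s in reach.items() if len(s) / len(services) >= threshold]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for vendor, affected, indirect in concentration_points(SERVICE_VENDORS, VENDOR_DEPS):
        tag = "indirect only" if indirect else "direct"
        print(f"{vendor:10} {len(affected)}/{len(SERVICE_VENDORS)} services ({tag}): {affected}")
```

In this sample the widest-reaching dependency, cloud-a, sits behind all four services yet is contracted by none of them directly, which is exactly the gap a direct-supplier-only assessment leaves.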

Checklist: Preparing for 2026

  • Review all third-party security incidents from 2025 that affected your vendors
  • Update vendor risk assessment processes based on lessons learned
  • Identify single points of failure in critical vendor dependencies
  • Document manual fallback procedures for critical vendor outages
  • Include vendor failure scenarios in 2026 tabletop exercises
  • Implement or improve continuous vendor security monitoring
  • Brief leadership on supply chain risk trends and mitigation investments
  • Review vendor contracts for breach notification, liability, and SLA terms
  • Establish direct contacts with vendor security teams—don’t wait for incidents

Looking Ahead

The supply chain attack trend won’t reverse in 2026. If anything, it will intensify. Attackers have found a strategy that works, and they’ll continue exploiting it.

Organizations that thrive will be those that accept a fundamental shift in security thinking: your attack surface now includes every vendor, every integration, every trust relationship. Defending it requires visibility, resilience, and planning that extends far beyond your own walls.

The perimeter didn’t disappear. It expanded to include everyone you do business with.


At Dédalo, we help organizations assess their supply chain risk and build resilient vendor management programs. As you plan for 2026, we can help you map dependencies, improve monitoring, and prepare for the incidents ahead.