Friday, February 13, 2026

Cybercriminals turn supply chain breaches into a self-sustaining attack cycle

A new security report highlights a worrying shift in cybercrime strategy. Researchers at Group-IB say supply chain attacks are no longer isolated incidents. Instead, they have evolved into an interconnected, industrial-scale ecosystem linking breaches, credential theft, and ransomware into what they describe as a “self-reinforcing” cycle.

According to the company’s latest trends report, attackers are combining multiple techniques to compromise vendors and service providers. A single breach is now used as a launchpad for wider downstream attacks on businesses and their customers.

Recent incidents such as the Shai-Hulud NPM worm, the Salesloft breach, and the OpenClaw package poisoning show how criminals are targeting supply chains to exploit inherited access to customer networks.

“Open source package compromise feeds malware distribution and credential theft,” the research states. “Phishing and OAuth abuse enable identity compromise that unlocks SaaS and CI/CD environments. Data breaches supply the credentials, context, and relationships needed to refine impersonation and lateral movement. Ransomware and extortion arrive later in the chain, capitalizing on access and intelligence gathered earlier. Each stage strengthens the next, creating a self-reinforcing cycle of supply chain exploitation.”

Looking ahead, Group-IB predicts that over the next year, supply chain attacks will become faster due to AI-assisted tools. These tools can scan vendors, CI/CD pipelines, and browser extension marketplaces for vulnerabilities at machine speed.

The firm also expects traditional malware campaigns to give way to identity-based attacks. In these cases, criminals act as legitimate users, blending into normal business activity and avoiding detection for longer periods.

Platforms offering HR, CRM, and ERP services, along with MSPs, are seen as high-value targets. A single compromise in such platforms can provide access to hundreds of customers.

The evolution is evident in cases like the Salesloft breach and the Oracle compromise of March 2025. Instead of stealing data for a one-time extortion payment, attackers collected OAuth tokens, exploited misconfigured partner links, and moved laterally. They then targeted downstream customers, stole data and contact lists, and repeated the cycle. In NPM and similar ecosystems, malicious updates were pushed to scale fraud operations.

“Cybercrime is no longer defined by single breaches. It is defined by cascading failures of trust,” said Dmitry Volkov, Group-IB CEO.

“Attackers are industrializing supply chain compromise because it delivers scale, speed, and stealth. A single upstream breach can now ripple across entire industries. Defenders must stop thinking in terms of isolated systems and start securing trust itself, across every relationship, identity, and dependency.”

Organizations are advised to treat third parties as part of their own attack surface.

“Strategic investments in supply chain threat modeling, automated dependency checks, and data flow visibility are no longer optional – they are foundational to modern security architecture,” Volkov added.
