Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud NPM worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit.
Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by threats - built on insights gathered during earlier stages of breach. One step enables another, creating loops experts call self-sustaining networks of attack.
Soon, Group-IB expects artificial intelligence to push this shift further. Because of AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match.
Expectations point to declining reliance on classic malware, favoring tactics centered on stolen identities. Rather than using obvious harmful software, attackers now mimic authorized personnel, slipping into everyday operational processes. Moving quietly through standard behaviors allows them to stay hidden longer, gradually reaching linked environments.
Because they handle sensitive operations like human resources, customer data, enterprise planning, or outsourced IT support, certain platforms draw strong interest from threat actors.
When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure.
Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward.
Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention.
Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape.
Instead of reacting late, they build models for supply chain risks early. Automated scans track software links continuously. Insight into how information moves becomes essential - without it, gaps stay hidden until exploited.
With breaches in supply chains turning into routine operations, protecting confidence among users, collaborations, and code links has shifted from being a backup measure to a core part of today’s security planning.
What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect - because failure at one point pulls down many. Security can no longer treat relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames this shift clearly: resilience lives not just in tools but in verified connections. Not adding layers matters most - it is about strengthening what already ties everything together.
