Supply Chain Attacks Nearly Doubled in 2025: Understanding the Vendor Risk Problem
March 2026
The supply chain has become the preferred entry point for sophisticated attackers — and the numbers from 2025 make the scale of the problem undeniable. Supply chain attacks rose from 154 incidents in 2024 to 297 in 2025, an increase of nearly 93%. The strategy is logical from an attacker’s perspective: compromise one well-positioned vendor and you gain access to every downstream client. The multiplication effect makes supply chain compromise one of the highest-return investments in a threat actor’s toolkit.
This is not a problem limited to large enterprises. Every organisation that uses SaaS platforms, relies on third-party IT providers, receives data from vendor portals, or integrates external services into its operations has a supply chain attack surface. For Indian SMEs, the exposure is often invisible — they have no visibility into the security posture of the vendors they trust.
How Supply Chain Attacks Actually Work
The mechanics vary, but several patterns dominate.
Managed Service Provider (MSP) compromise is the most scalable. When an attacker gains access to an IT support provider or managed security vendor, they inherit that vendor’s access to all client environments. A single MSP breach can cascade across dozens or hundreds of client organisations simultaneously.
SaaS platform exploitation targets widely used business applications. The CL0P ransomware group’s campaigns exploiting Oracle E-Business Suite and other enterprise software are recent examples. When a platform used by thousands of organisations contains a vulnerability, attackers can automate exploitation at industrial scale.
Software update poisoning involves injecting malicious code into a legitimate software update that gets distributed to all users of that software. The most notable historical example, SolarWinds, demonstrated how a single compromised update could provide undetected access to thousands of organisations for months.
Vendor portal targeting involves attacking the web-facing portals that suppliers, contractors, or service providers use to interact with an organisation’s systems. These portals often carry elevated trust and access that allows lateral movement into core infrastructure.
The Visibility Gap That Makes This Hard
The fundamental challenge with supply chain risk is that an organisation cannot directly observe the security posture of its vendors. You can ask them to complete security questionnaires, review their certifications, or include security clauses in contracts — but none of these tell you what is actually happening in their systems right now.
The attack that compromises your environment via a trusted vendor will look, at initial inspection, like legitimate activity. The connection is authorised. The credentials are valid. The traffic follows normal patterns. Detection requires behavioural analysis — the ability to identify that something authorised is behaving in a way that is anomalous, even if it is technically permitted.
What Organisations Can Do About Third-Party Risk
- Map your vendor access surface. Most organisations cannot list every third party that has a live, authenticated connection into their systems. That list needs to exist, be reviewed regularly, and drive security decisions.
- Apply least-privilege to vendor access. Vendors should have access only to the specific systems required for their service. Broad, persistent access credentials are an invitation for abuse — whether by the vendor, or by an attacker who has compromised the vendor.
- Monitor third-party activity in real time. Vendor access events should appear in your security monitoring. Unusual activity from a trusted vendor — logins at atypical times, access to systems outside their normal scope, large data transfers — should generate alerts.
- Establish incident notification requirements. Contracts with critical vendors should include a mandatory, time-bound obligation to notify you in the event of a security incident that may affect your environment. Without this, you may be the last to know about a breach that started in a vendor’s system.
- Regularly review and revoke unused access. Vendor relationships end, projects complete, staff change. Access credentials that are no longer needed are dormant attack paths. Regular access reviews and revocation processes reduce this exposure.
India’s cyber threat landscape in 2026 makes supply chain risk a board-level concern. The entry point for the next major breach affecting your business may not be your firewall — it may be a trusted vendor you haven’t reviewed in two years.