A supply chain attack is a kind of cyber attack that targets trusted third parties, and
1. Statistics
According to Kaspersky, 31% of enterprise businesses had been impacted by a supply chain attack in 2025.
2. Remarkable incidents (ordered by date)
2.3. 2026
- Notepad Hijacked by State-Sponsored Hackers (https://notepad-plus-plus.org/news/hijacked-incident-info-update) - Notepad
- Threat Actor Group TeamPCP-related
  - CVE-2026-33634 — Trivy ecosystem supply chain temporarily compromised - Trivy
  - Security Update: Suspected Supply Chain Incident - LiteLLM
    - The developers suspect that the incident is related to the Trivy supply chain incident.
    - Investigation Report by JFrog Security Research Team: https://research.jfrog.com/post/litellm-compromised-teampcp/
  - Telnyx Python SDK: Supply Chain Security Notice - Telnyx Python SDK
    - Investigation Report by JFrog Security Research Team: https://research.jfrog.com/post/team-pcp-strikes-again-telnyx-popular-library-hit/
- Post Mortem: axios npm supply chain compromise - Axios (JavaScript library)
3. See Also
- A JavaScript package called left-pad, a package with 11 lines of code, was suddenly taken down from NPM in March 2016, which caused software builds to fail all around the world, including at Meta, PayPal, and Netflix.
- This is the incident known as the left-pad incident.
- This is not a case of a supply chain attack, but it is considered one of the biggest events showing what happens when a trusted third party becomes unavailable or, in other cases, compromised.
- The developer Azer Koçulu wrote an essay about the incident on his blog. (Internet Archive)