In December 2020, security firm FireEye discovered that a routine software update from SolarWinds had been weaponized to infiltrate roughly 18,000 organizations — including the U.S. Treasury, the Department of Homeland Security, and multiple Fortune 500 companies. The attackers didn't kick down the front door. They walked in through a supplier everyone trusted. That single incident redefined how we think about third-party risk, and it's just one entry in a growing list of supply chain attack examples that should keep every security leader up at night.
This post breaks down the most consequential supply chain attacks in recent history, explains the mechanics behind each one, and gives you concrete steps to harden your organization against the same tactics. If you manage vendor relationships, oversee IT procurement, or run a security program, this is the playbook you need.
What Is a Supply Chain Attack?
A supply chain attack targets the less-secure elements in your trust chain — your software vendors, hardware suppliers, managed service providers, or open-source dependencies. Instead of attacking you directly, the threat actor compromises a supplier you already trust. When you download that vendor's update, install their library, or connect to their service, the malicious payload rides in on your existing permissions.
The Verizon 2024 Data Breach Investigations Report found that supply chain interconnection was a factor in 15% of breaches — a 68% increase year-over-year. That trend hasn't reversed. The appeal for attackers is obvious: compromise one supplier, and you get access to hundreds or thousands of downstream targets simultaneously.
The SolarWinds Orion Breach: The Supply Chain Attack That Shook Governments
The SolarWinds compromise remains the defining supply chain attack example. Here's why it was so devastating.
How It Worked
A threat actor — later attributed to Russia's SVR intelligence service by U.S. government agencies — gained access to SolarWinds' build environment. They injected a backdoor called SUNBURST into the Orion IT monitoring platform's update process. When customers installed updates between March and June 2020, they unknowingly deployed the malware.
SUNBURST was surgically designed to evade detection. It lay dormant for two weeks after installation before phoning home. It mimicked legitimate Orion traffic. It checked for security tools before activating. The attackers then used this foothold to move laterally, escalate privileges, and exfiltrate data — sometimes deploying additional malware like TEARDROP.
The Impact
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, ordering federal agencies to disconnect SolarWinds Orion products immediately. Roughly 100 organizations were ultimately targeted for deep exploitation. The cleanup cost billions across the public and private sectors.
The Lesson
Trusted software updates are a massive attack surface. SUNBURST shipped inside an Orion component that carried SolarWinds' own valid code signature, so a signature check alone would have passed it. If your security model assumes vendor-signed code is safe, you have a blind spot. This is the core argument for zero trust architecture — never implicitly trust anything, even software from a vendor you've used for a decade.
The Kaseya VSA Ransomware Attack
On July 2, 2021, the REvil ransomware gang exploited vulnerabilities in Kaseya's VSA remote monitoring tool to push ransomware to managed service providers (MSPs) and their downstream clients. In one stroke, between 800 and 1,500 businesses worldwide were encrypted.
Why MSPs Are Prime Targets
MSPs hold the keys to dozens or hundreds of client environments. Compromising one MSP can cascade into a mass-casualty event. REvil understood this perfectly. They exploited authentication bypass and SQL injection vulnerabilities in VSA's on-premises servers to deploy ransomware through the very tool administrators used to manage endpoints.
The attackers demanded $70 million for a universal decryptor. Small businesses — dental offices, accounting firms, grocery stores in Sweden — bore the brunt. Most had never heard of Kaseya. They just knew their computers were locked.
The Lesson
You inherit your vendors' vulnerabilities. Every tool with administrative access to your environment is a potential entry point. Vet your MSPs the same way you'd vet your own infrastructure — because to an attacker, they're the same thing.
NotPetya: The $10 Billion Supply Chain Wiper
In June 2017, a software update for M.E.Doc — a Ukrainian tax accounting application — delivered what appeared to be ransomware but was actually a destructive wiper. NotPetya spread with terrifying speed, using the EternalBlue exploit and credential harvesting to move laterally across networks.
The Collateral Damage
NotPetya wasn't designed to make money. It was designed to destroy. Maersk, the global shipping giant, lost its entire IT infrastructure — 49,000 laptops, 3,500 servers — and estimated damages at $300 million. FedEx subsidiary TNT Express reported $400 million in losses. Pharmaceutical company Merck reported $870 million. Total global damages have been estimated at over $10 billion, making NotPetya one of the most expensive cyberattacks in history.
The Lesson
Supply chain attacks aren't always about espionage or ransom. Some are acts of destruction with geopolitical motives. Your organization doesn't need to be the intended target to become a casualty. Network segmentation, offline backups, and aggressive patching remain your best defenses against wiper-style attacks that spread through trusted connections.
The 3CX Compromise: When Your Desktop App Phones Home
In March 2023, the 3CX desktop application — a widely used business communications tool — was found distributing a trojanized version through its official update channels. The threat actor, attributed to North Korea's Lazarus Group, had compromised 3CX's build pipeline in a cascade that likely originated from an earlier supply chain compromise of a different software company, Trading Technologies.
A Supply Chain Attack Born From a Supply Chain Attack
This is what makes the 3CX case uniquely alarming among supply chain attack examples. The attackers compromised one software company to gain access to another, creating a chain of compromises. A developer at 3CX installed a trojanized version of Trading Technologies' X_TRADER software. The attackers used that foothold to access 3CX's build systems and inject malware into the 3CX desktop client used by over 600,000 organizations.
The Lesson
Your developers are a target. Their workstations, their personal tools, their side projects — all of it is attack surface. Supply chain security must extend to the development environment itself, including what software your engineers install on their machines.
The Event-Stream npm Incident: Open Source as Attack Vector
In November 2018, a widely used npm package called event-stream was found to contain a malicious dependency designed to steal cryptocurrency from a specific Bitcoin wallet application. The attacker had social-engineered the original maintainer into transferring ownership of the package, then injected malicious code in a downstream dependency called flatmap-stream.
This wasn't a sophisticated nation-state operation. It was one person exploiting the trust inherent in open-source software supply chains. The package was downloaded roughly two million times per week.
The Lesson
Open-source dependencies are supply chain links. Every library you import inherits the security posture of its maintainer — who might be a single volunteer managing the project in their spare time. Software composition analysis (SCA) tools and dependency auditing are no longer optional.
How to Defend Against Supply Chain Attacks
Studying supply chain attack examples is only useful if you translate those lessons into action. Here's what actually works.
Adopt a Zero Trust Architecture
Stop assuming that traffic from a trusted vendor is safe. Validate everything. Segment your network so that a compromised vendor tool can't reach your crown jewels. NIST's SP 800-207 Zero Trust Architecture provides the framework. Implement least-privilege access for every vendor connection.
Inventory and Monitor Your Software Supply Chain
You can't defend what you can't see. Maintain a software bill of materials (SBOM), in a machine-readable format such as CycloneDX or SPDX, for every application in your environment so it can be checked automatically rather than by hand. Know what open-source libraries your developers are using, including the transitive dependencies they pull in. Know which vendors have remote access to your systems. Monitor those connections continuously.
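As an added example (not code from the original post), the script below does the dependency audit that both the event-stream lesson and this section call for: it walks a CycloneDX-style SBOM, reports the transitive path by which a denylisted package such as flatmap-stream reaches your application, and flags components whose version is a range rather than an exact pin. The SBOM, its versions and the denylist are constructed placeholders, not a real bill of materials or real advisory data.

```python
# Added example: audit a CycloneDX-style SBOM for denylisted and unpinned dependencies.
# The SBOM, versions and denylist below are constructed placeholders, not real data.
from collections import deque
# Constructed SBOM in the CycloneDX 1.4 JSON shape: "bom-ref" identifies a component,
# "dependencies" holds the edges of the dependency graph (ref -> dependsOn).
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:npm/wallet-app@1.0.0", "name": "wallet-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/event-stream@1.2.3", "name": "event-stream", "version": "1.2.3"},
        {"bom-ref": "pkg:npm/flatmap-stream@0.0.1", "name": "flatmap-stream", "version": "0.0.1"},
        {"bom-ref": "pkg:npm/left-pad@^1.0.0", "name": "left-pad", "version": "^1.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/wallet-app@1.0.0", "dependsOn": ["pkg:npm/event-stream@1.2.3", "pkg:npm/left-pad@^1.0.0"]},
        {"ref": "pkg:npm/event-stream@1.2.3", "dependsOn": ["pkg:npm/flatmap-stream@0.0.1"]},
    ],
}
# Constructed denylist of package names (a real one comes from an advisory feed).
DENYLIST = {"flatmap-stream"}

def dependency_paths(sbom):
    """Map every reachable bom-ref to its shortest path from the root component (BFS)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:  # first visit wins; this also terminates on cycles
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths

def is_pinned(version):
    """True only for an exact version; ranges such as ^1.0.0, ~1.2 or * are not pinned."""
    return bool(version) and version[0].isdigit() and all(c.isalnum() or c in ".-+" for c in version)

def audit(sbom, denylist):
    """Return one finding per problem: a denylisted name or an unpinned version."""
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom["components"]:
        ref, name, version = comp["bom-ref"], comp["name"], comp.get("version", "")
        # Render the path as bare package names: pkg:npm/left-pad@^1.0.0 -> left-pad
        path = " -> ".join(p.rsplit("@", 1)[0].removeprefix("pkg:npm/") for p in paths.get(ref, [ref]))
        if name in denylist:
            findings.append({"name": name, "issue": "denylisted", "path": path})
        if not is_pinned(version):
            findings.append({"name": name, "issue": "unpinned", "path": path})
    return findings
```

Running `audit(SBOM, DENYLIST)` surfaces flatmap-stream even though the application never imports it directly, which is exactly the blind spot the event-stream incident exploited.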
Vet Third Parties Rigorously
Ask your vendors about their build pipeline security. Require SOC 2 Type II reports. Include right-to-audit clauses in contracts. If a vendor can't articulate how they protect their software development lifecycle, that's a red flag you can't ignore.
Run Phishing Simulations and Security Awareness Training
Social engineering remains the entry point for many supply chain compromises. The 3CX chain started with a developer installing trojanized software. The event-stream attack began with social engineering a maintainer. Your people are the first line of defense — and the most common point of failure.
Invest in cybersecurity awareness training for your entire organization. Pair it with phishing awareness training that simulates real attack scenarios so employees learn to recognize credential theft and social engineering attempts before they click.
Implement Multi-Factor Authentication Everywhere
MFA won't stop every supply chain attack, but it dramatically reduces the blast radius when credentials are stolen. If the SolarWinds attackers harvested credentials from your network but hit an MFA wall on every lateral move, the outcome changes significantly. Bear in mind that the same intrusion also forged SAML authentication tokens once it held a federation signing key, which sidesteps MFA entirely, so pair MFA with monitoring of your identity provider and tight protection of its signing keys. Apply MFA to vendor portals, administrative consoles, VPNs, and cloud services — no exceptions.
Maintain Offline Backups and Test Recovery
NotPetya taught us that supply chain attacks can be destructive, not just exploitative. If a wiper propagates through a trusted software update, your recovery depends on backups that the wiper can't reach. Keep offline, air-gapped backups. Test your restore process quarterly at minimum.
What Makes Supply Chain Attacks So Dangerous?
Supply chain attacks bypass your perimeter defenses entirely. They abuse trust relationships that are fundamental to how modern business operates. You have to update your software. You have to use vendor tools. You have to rely on open-source libraries. Threat actors know this, and they exploit it.
The asymmetry is devastating: an attacker invests effort once to compromise a supplier, and the payload scales to every customer of that supplier. It's the most efficient attack model in cybersecurity today.
Your Supply Chain Is Your Attack Surface
Every vendor, every dependency, every managed service provider in your ecosystem extends your attack surface in ways your firewall can't see. The supply chain attack examples above — SolarWinds, Kaseya, NotPetya, 3CX, event-stream — all share a common thread: the attackers didn't need to defeat the victim's defenses. They defeated someone else's defenses and walked in through the trust relationship.
Start by mapping your supply chain. Inventory every third-party connection. Apply zero trust principles to vendor access. Train your employees to recognize social engineering and phishing attacks. And accept that in 2026, supply chain risk management isn't a nice-to-have — it's the foundation of your entire security program.