Securing the invisible: Supply chain security trends
Adversaries are infiltrating upstream software, hardware, and vendor relationships to quietly compromise downstream targets. Whether it’s a malicious update injected into a CI/CD pipeline, a rogue dependency hidden in open-source code, or tampered hardware components, these attacks bypass traditional defenses by weaponizing trusted channels.
Continuous monitoring of third-party risk
“As more supply-chain attacks surface, third-party security is becoming essential for all businesses. Organizations must vet their suppliers, ensuring they practice good cyber security hygiene, while also working to limit exposure when attacks do occur on their partners,” said Colin Fraser, Director at i-confidential.
Despite growing national security concerns and government restrictions, Chinese military-linked companies remain deeply embedded in the US digital supply chain. These organizations continue to provide essential digital infrastructure, exposing US businesses and critical industries to potential cybersecurity threats.
This expanded attack surface presents many entry points for malicious actors, requiring CISOs to broaden their security focus beyond their organizational boundaries.
One of the biggest changes is the shift from point-in-time, questionnaire-style vendor assessments to continuous monitoring of third-party risk: near-real-time information about supplier vulnerabilities, exposures, and unusual behavior, so that a compromise at a partner is noticed when it happens rather than at the next annual review.
SBOMs move from compliance to operational necessity
DevSecOps has emerged as a cornerstone of supply chain resilience, with organizations embedding security deeper into their CI/CD pipelines, automating dependency scanning, and enforcing signed builds to ensure integrity across software development. Complementing this, Software Bills of Materials (SBOMs) are transitioning from compliance artifacts to operational tools: when a new vulnerability is disclosed, security teams can query their SBOMs to pinpoint which products and services actually contain an affected component and version, instead of asking every team to check by hand.
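The following is an added example of that operational use of an SBOM; it is not code from the article or from any vendor it mentions. It takes a CycloneDX-style SBOM and an advisory with an affected version range, walks the component tree (including nested, transitive components), and reports the package URLs that fall in the affected range. The SBOM contents, the package names and the advisory identifier are all constructed for this example; only the CycloneDX field names and the `pkg:` purl layout are real.

```python
"""Find SBOM components that fall inside an advisory's affected version range.

Added example. The SBOM, package names and advisory below are constructed
for illustration; they do not describe a real product or a real vulnerability.
"""
import json
import re
from typing import Iterator

# Constructed SBOM in CycloneDX JSON layout (field names are CycloneDX's, the
# components are hypothetical). The last component carries a nested
# (transitive) dependency, which is where exposure is most often missed.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "billing-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "http-parser-x", "version": "1.3.7",
     "purl": "pkg:pypi/http-parser-x@1.3.7"},
    {"type": "library", "name": "http-parser-x", "version": "1.4.0",
     "purl": "pkg:pypi/http-parser-x@1.4.0"},
    {"type": "library", "name": "http-parser-x", "version": "1.3.7",
     "purl": "pkg:npm/http-parser-x@1.3.7"},
    {"type": "library", "name": "yaml-loader-y", "version": "0.9.1",
     "purl": "pkg:pypi/yaml-loader-y@0.9.1",
     "components": [
       {"type": "library", "name": "http-parser-x", "version": "1.2.0",
        "purl": "pkg:pypi/http-parser-x@1.2.0"}
     ]}
  ]
}
"""

# Constructed advisory (hypothetical identifier, package and range):
# introduced in 1.2.0, fixed in 1.4.0, and only the PyPI package is affected.
ADVISORY = {
    "id": "ADV-EXAMPLE-001",
    "ecosystem": "pypi",
    "package": "http-parser-x",
    "affected": ">=1.2.0,<1.4.0",
}

_OP_RE = re.compile(r"^(>=|<=|==|>|<)\s*([0-9][0-9A-Za-z.\-]*)$")


def version_key(version: str) -> tuple[int, ...]:
    """Reduce a dotted release version to a numeric tuple for ordering.

    Only numeric dotted releases are handled here; a production tool must
    apply the ecosystem's own rules (PEP 440, semver, Maven) for pre-releases.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; pads so that '1.4' and '1.4.0' compare equal."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction such as '>=1.2.0,<1.4.0'."""
    for clause in spec.split(","):
        m = _OP_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.groups()
        c = compare(version, bound)
        if not {">=": c >= 0, "<=": c <= 0, "==": c == 0, ">": c > 0, "<": c < 0}[op]:
            return False
    return True


def walk_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested (transitive) components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def purl_type(purl: str) -> str:
    """The purl type is the token between 'pkg:' and the first '/'."""
    return purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else ""


def affected_purls(sbom_json: str, advisory: dict) -> list:
    """Return the purls of all components matching the advisory's package,
    ecosystem and affected range. Matching on ecosystem matters: a same-named
    npm package is a different artifact and must not be reported."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        purl = comp.get("purl", "")
        if comp.get("name") != advisory["package"]:
            continue
        if purl_type(purl) != advisory["ecosystem"]:
            continue
        if in_range(comp["version"], advisory["affected"]):
            hits.append(purl)
    return hits


if __name__ == "__main__":
    for purl in affected_purls(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: affected component {purl}")
```

Run against the constructed SBOM, this reports the direct 1.3.7 dependency and the transitive 1.2.0 one, while the 1.4.0 (fixed) and the npm package are correctly left out. In practice the same loop runs across every SBOM a team holds, which is what turns the SBOM from a document handed to auditors into the first query an incident responder makes.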
This aligns with broader regulatory momentum: initiatives like the U.S. Executive Order on Improving the Nation’s Cybersecurity (EO 14028), which calls for SBOMs to accompany software sold to the federal government, and NIST’s Secure Software Development Framework (SSDF, SP 800-218) are pushing for greater transparency and wider adoption of SBOMs across sectors.
To help strengthen cyber resilience, the EU has introduced regulations such as DORA (the Digital Operational Resilience Act, aimed at the financial sector) and NIS2 (the revised Network and Information Security Directive). Both place greater emphasis on supply chain security and seek to hold businesses accountable for their own and their suppliers’ cybersecurity practices.
AI is not just a risk, it’s a defense tool
Meanwhile, AI is being applied to threat detection at scale, particularly to flag anomalous activity in code and package repositories before a compromised release reaches downstream consumers. Zero trust principles are expanding beyond internal networks to include vendor systems, enforcing identity, device posture, and behavior-based access controls across the extended enterprise.
Possibly the most disruptive trend is adversaries using generative AI to create convincing phishing and impersonation attacks that target procurement processes, vendor communication, and messages between executives.
Logility’s survey of 500 global supply chain leaders shows that 97% are already using some form of GenAI. But only a third are using tools designed specifically for supply chain tasks. 43% say they worry about how their data is used or shared when applying GenAI. Another 40% don’t trust the answers it gives.
CISOs are also confronting a resurgence of hardware-level threats, with tampered devices and compromised firmware raising alarms, particularly in critical infrastructure and high-assurance environments.
Real-time supply chain visibility
Real-time visibility is becoming non-negotiable, powered by IoT telemetry and blockchain-based traceability, giving defenders a clearer view of what’s happening across global supplier networks. In the automotive sector, for instance, BMW has implemented blockchain technology to ensure the traceability of components and raw materials in its multi-stage international supply chains, aiming to enhance transparency and prevent tampering.
“Supply chain security is a relatively new concept that organizations may have put on the back burner due to the relentless barrage of vulnerabilities, zero-day exploit campaigns, ransomware, and the challenges of working in both a COVID and post-COVID world. Understanding the need for a supply chain strategy and prioritizing it is the biggest challenge, and the problem is complex. It will require collaboration across executive, development, security, and legal teams, and the strategy will vary based on the organization and its business model,” Nate Warfield, Director of Threat Research and Intelligence at Eclypsium explained.
Defending against supply chain attacks requires more than technical controls; it demands a strategic, systemic shift. For CISOs, that means extending visibility, validating trust continuously, and hardening every layer, from code to component and from vendor to endpoint.