How to Stop the ‘Domino Effect’ of Supply Chain Cyber Attacks

December 23, 2025

Third-party cyber threats are nothing new, but they’re growing in sophistication and impact.

In September, a self-replicating worm called Shai-Hulud emerged as one of the first successful worm-driven supply-chain attacks in open-source software, compromising more than 500 packages. After gaining initial access and deploying its malware, Shai-Hulud scanned compromised environments for sensitive credentials, targeting GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services including Amazon Web Services, Google Cloud Platform and Microsoft Azure.

The incident illustrates how the expanding presence of highly interconnected vendors, contractors and software-as-a-service (SaaS) platforms within supply chains is contributing to a sharp rise in data breaches. In fact, third parties are involved in 30% of all breaches now, up from 15% last year, according to the 2025 Data Breach Investigations Report from Verizon.

Why is this happening? Because vendors — whether they effectively enforce security or not — often have direct access to the core systems of their customers and partners, and attackers will always look to exploit the weakest link to gain entry. To further complicate matters, many business units and users are adopting external tech tools without organizational approval or oversight — “shadow” IT.

All of this combines to create a domino effect: one weak link triggers layered vulnerabilities throughout a network of trusted partners, and the resulting compromise can fully take hold before security teams realize when or where the first domino fell.

Five Common Blind Spots

Attackers routinely gain initial access by conducting extensive reconnaissance of suppliers’ public-facing assets to find open entry points. What’s more, the following third-party security lapses make those entry points easier to exploit:

  • Unpatched software. Vendors delay needed patching, which leaves software exposed for indefinite periods.
  • Misconfigurations. By 2026, misconfigured resources and insufficient management of them will lead to 80% of cloud breaches, according to Gartner. In many cases, customer-generated misconfigurations in cloud infrastructure allow unauthorized access to third-party systems or data.
  • Abandoned or forgotten assets. When employees leave and their accounts and authorizations aren’t disabled, cyber adversaries can gain access to systems or inject malicious code into third-party software applications and other tech assets.
  • Shadow IT. Security teams can’t protect what they don’t know about.
  • Employee (lack of) awareness. The bad guys know they only need to gain the confidence of one third-party employee via a phishing scheme to steal massive amounts of data or unleash a malware attack throughout the chain.

Steps Toward a Well-Fortified Supply Chain

How, then, can you better protect your organization in an ever-expanding and increasingly complex supply chain? Start by considering the following transformative best practices:

Transition from reactive assessments to proactive, real-time vulnerability intelligence and monitoring. Traditionally, companies evaluate vendor security once or twice a year. But the attack surface shifts round-the-clock. Today’s organizations have little control over how third-party applications are coded, monitored and maintained, but they may be among the first to suffer from a resulting exploit.

Consequently, it’s critical to take a more proactive approach, leveraging real-time threat intelligence and continuous and automated monitoring to adapt to new, third-party-linked attacks. This should include dynamic risk profiling, which examines digital footprints, security posture and behavioral patterns to determine vendors’ actual security practices as opposed to what they say they do.

Build resilient ecosystems. Instead of viewing your organization as a siloed entity, think of it as part of an extensive and often global supply chain ecosystem. This requires going beyond a solely perimeter focus to one that strives to identify and understand the entire complex web of relationships that extend three, four, six or more parties deep.

In a resilient ecosystem, members actively share real-time intelligence and collaborate on the latest attack trends and most effective defense responses to them. In addition, they implement contractual controls with liability clauses that identify risk as a shared responsibility for all members to ensure long-term protection.

Apply zero-trust principles to vendor access. Nearly two-thirds of organizations have either fully or partially implemented a zero-trust strategy, according to Gartner. This requires the adoption of a “never trust, always verify” mindset, one that constantly assesses identity, context and risk factors in determining authorization. Zero trust is also about taking a “least privilege” position, to restrict third-party partners to the minimum access needed to do their jobs.
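As an added illustration (not part of the original article, and not code from Intel 471), the following Python audit applies the least-privilege and “never trust, always verify” points above, together with the “abandoned or forgotten assets” blind spot, to a set of constructed vendor access records. It flags wildcard permissions, standing (non-expiring) access, access sponsored by an employee who has left, dormant credentials and missing MFA. The record fields, the dormancy threshold and the sample grants are assumptions, not a real system’s data.

```python
"""Audit third-party access grants against least-privilege and zero-trust rules.

Added illustration: the data model, thresholds and sample records below are
constructed assumptions, not taken from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy threshold: a grant unused for longer than this is dormant.
DORMANT_AFTER_DAYS = 60

# Assumed audit date (the article's publication date, used only as a fixed "today").
AUDIT_DATE = date(2025, 12, 23)


@dataclass
class AccessGrant:
    vendor: str                  # third party that holds this access
    principal: str               # account or token identifier (constructed)
    permissions: List[str]       # e.g. "orders:read"; "*" or "hr:*" is unrestricted
    owner_active: bool           # is the internal sponsor still employed?
    expires: Optional[date]      # None means the grant never expires
    last_used: Optional[date]    # None means never used since issuance
    mfa_enforced: bool           # is MFA required for this principal?


def audit_grant(grant: AccessGrant, today: date) -> List[str]:
    """Return a list of findings for one grant; an empty list means it passes."""
    findings: List[str] = []

    # Least privilege: no wildcard scopes for a third party.
    if any(p == "*" or p.endswith(":*") for p in grant.permissions):
        findings.append("wildcard permission violates least privilege")

    # Zero trust: access should be time-bound, and expired access removed.
    if grant.expires is None:
        findings.append("no expiry: standing access instead of time-bound access")
    elif grant.expires < today:
        findings.append("expired grant still present")

    # Abandoned assets: access whose internal sponsor has left is orphaned.
    if not grant.owner_active:
        findings.append("internal sponsor has left: orphaned access")

    # Abandoned assets: credentials nobody uses are pure risk.
    if grant.last_used is None:
        findings.append("never used since issuance")
    elif (today - grant.last_used).days > DORMANT_AFTER_DAYS:
        findings.append(f"dormant: unused for more than {DORMANT_AFTER_DAYS} days")

    # Verify identity strongly, every time.
    if not grant.mfa_enforced:
        findings.append("MFA not enforced on vendor principal")

    return findings


def audit_all(grants: List[AccessGrant], today: date) -> Dict[str, List[str]]:
    """Map each failing principal to its findings; passing grants are omitted."""
    report: Dict[str, List[str]] = {}
    for grant in grants:
        findings = audit_grant(grant, today)
        if findings:
            report[grant.principal] = findings
    return report


# Constructed sample grants: one clean, one badly over-privileged, one stale.
SAMPLE_GRANTS: List[AccessGrant] = [
    AccessGrant("Acme Logistics", "logistics-api-token", ["orders:read"],
                owner_active=True, expires=date(2026, 3, 31),
                last_used=date(2025, 12, 20), mfa_enforced=True),
    AccessGrant("PayrollCo", "payroll-svc-account", ["hr:*"],
                owner_active=False, expires=None,
                last_used=date(2025, 6, 1), mfa_enforced=False),
    AccessGrant("BuildBot Ltd", "contractor-ci-key", ["repo:write"],
                owner_active=True, expires=date(2025, 11, 30),
                last_used=None, mfa_enforced=True),
]


if __name__ == "__main__":
    for principal, findings in audit_all(SAMPLE_GRANTS, AUDIT_DATE).items():
        print(principal)
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real inventory, the same checks would be fed from the identity provider and cloud IAM exports rather than a hard-coded list; the point is that each finding maps directly to one of the article’s lapses, so the report can be read by a business owner as well as by the security team.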

Establish quantified risk management. Business leaders too frequently tune out vendor vulnerability conversations because their security counterparts fail to “talk their talk.” That’s why security leaders and teams need to describe the risks in clearly stated and quantified business terms — instead of dense techno-speak exchanges and “checklist mentality” compliance summaries — to illustrate the financial impact of chain-based compromises, and guide investment decisions accordingly.

In a sense, it takes a village to protect this ecosystem. All partnering organizations and vendors must think of themselves as part of a collective front against cybercriminals who seek to “break the chain.” To that end, company leaders should implement proactive, real-time monitoring and intelligence, zero-trust access controls, quantified risk management and resilient ecosystem measures, so that a single “weakest link” doesn’t send the rest of the dominoes falling.

Michael DeBolt is chief intelligence officer at Intel 471.