The cyber threat hiding in your supply chain

How supply chain attacks work, what makes them so effective and how to reduce your exposure

Supply chain attacks have become one of the most critical cyber threats for organisations of every size. The principle behind them is deceptively simple: rather than targeting an organisation directly, attackers compromise a supplier, software component, or third-party service it already trusts. From there, a single breach can ripple outward and hit a large number of companies at once.

Recent incidents highlight a shift toward large-scale, hard-to-detect attacks, and Belgium is no exception.

According to the Centre for Cybersecurity Belgium (CCB), cyber incidents increased by 70% in 2025, largely driven by growing reliance on third-party providers and interconnected ecosystems. These figures confirm that the supply chain has become a primary attack vector, capable of turning a single compromise into a large-scale systemic risk.

Real-world example: Axios and Trivy (March 2026)

In March 2026, North Korean-linked attackers compromised Axios, the widely used open-source JavaScript HTTP client published on npm, reported as present in 80% of cloud environments and downloaded over 100 million times per week. The attackers injected malware designed to steal credentials and maintain persistent access on affected machines.

Just days earlier, the compromise of Trivy demonstrated another critical scenario. Attackers infiltrated DevOps tooling and exfiltrated large volumes of cloud secrets (AWS, Azure, Kubernetes) through CI/CD pipelines, where such tools typically run with access to the credentials of every job they scan.

How supply chain attacks work

Supply chain attacks rely on a simple principle: compromising a trusted third party to reach the actual target. In an environment heavily dependent on vendors, software, and external services, these attacks now take several critical forms. 

Software Supply Chain Compromise

Injection of malicious code into widely used software or dependencies. Once the compromised package is installed or updated, the malware runs with the privileges of every user and build system that pulls it in, enabling widespread compromise.

DevOps / CI/CD Attacks

Compromise of build and deployment pipelines. Once inside, attackers can read the secrets the pipeline holds (cloud keys, registry tokens, signing material) and inject malicious code into production deployments without touching the reviewed source code, so the change never shows up in a code review.

Third-Party Compromise 

Exploitation of a vendor to gain indirect access to internal critical systems. If a supplier with privileged access is breached, attackers may use that trusted relationship as a path into customer environments. 

Hardware / Firmware Attacks 

Insertion of malware into devices or their firmware. These implants sit below the operating system, so they are hard to detect and tend to survive software-level remediation such as reimaging, making them particularly difficult to root out.

The impact on organisations

The consequences of supply chain attacks tend to be both amplified and systemic.

  • Large-scale propagation: a single compromise can impact multiple organisations
  • Exfiltration of critical data: credentials, customer data, intellectual property
  • Operational disruption: interruption of systems or business activities
  • Significant financial losses: remediation costs and business interruption losses
  • Reputational damage and loss of trust from partners and customers
  • Increased regulatory exposure (NIS2, GDPR)

Zoom on the Axios breach

An attacker hijacked a software maintainer's account via a targeted social engineering campaign and pushed malicious versions of the Axios library to npm. Because the malicious code was added at publication time rather than committed, it bypassed normal code review and left no trace in the project repository; the published package simply did not match the source. The compromised versions installed backdoors tailored to Windows, macOS and Linux, deliberately hidden to allow remote control of affected systems. This was a targeted and sophisticated supply chain breach that requires immediate containment and credential rotation.

If you suspect that your organisation might be compromised, here’s what you can do: 

  • Scan your dependencies (lockfiles and installed packages) with a tool such as Aikido to detect compromised package versions
  • Audit CI/CD activity to identify any pipeline run that installed or built with the affected versions
  • Isolate affected hosts immediately
  • Rotate all credentials on compromised machines, including any tokens and cloud keys they had access to
  • Investigate any lateral movement from those hosts
  • Roll back to a clean, verified version of the software and rebuild from it
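The first two steps above (find the compromised package, find the pipelines that picked it up) and the FAQ's warning sign of "unexpected changes in software dependencies" both come down to reading npm lockfiles. The script below is an added example, not code from the page, from Aikido or from the Axios project: it flattens a package-lock.json (lockfileVersion 1 or 2/3), flags any entry matching a list of known-bad versions, and diffs two lockfiles to surface dependency changes between builds. The package name `example-http-lib`, the versions in `KNOWN_BAD` and the sample lockfiles are constructed placeholders; no real affected versions are asserted here, so substitute the versions from the advisory you are acting on.

```javascript
// Added example: lockfile scanning and diffing for an npm supply chain incident.
// KNOWN_BAD and the SAMPLE_LOCK_* objects are constructed placeholders, not real
// advisory data or real project lockfiles.
const KNOWN_BAD = {
  'example-http-lib': new Set(['1.2.3', '1.2.4']), // placeholder versions
};

// Flatten a lockfile into [{ path, name, version }]. v2/v3 lockfiles keep a
// "packages" map keyed by install path; v1 lockfiles keep a nested
// "dependencies" tree, which we walk to produce the same install paths.
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      out.push({ path: key, name: key.split('node_modules/').pop(), version: info.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ path, name, version: info.version });
        if (info.dependencies) walk(info.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Every installed copy (including nested transitive copies) that matches a
// known-bad name/version pair. Matching on the exact resolved version matters:
// a semver range in package.json tells you nothing about what was installed.
function scanLockfile(lock, knownBad) {
  return listPackages(lock).filter((p) => knownBad[p.name] && knownBad[p.name].has(p.version));
}

// Added / changed / removed install paths between two lockfiles, e.g. the
// lockfile committed in git versus the one a CI run actually built with.
function diffLockfiles(oldLock, newLock) {
  const before = new Map(listPackages(oldLock).map((p) => [p.path, p.version]));
  const after = new Map(listPackages(newLock).map((p) => [p.path, p.version]));
  const changes = [];
  for (const [path, version] of after) {
    if (!before.has(path)) changes.push({ path, change: 'added', to: version });
    else if (before.get(path) !== version) changes.push({ path, change: 'changed', from: before.get(path), to: version });
  }
  for (const [path, version] of before) {
    if (!after.has(path)) changes.push({ path, change: 'removed', from: version });
  }
  return changes;
}

// Constructed sample lockfiles (lockfileVersion 3): "before" a clean build,
// "after" a build that silently picked up a placeholder bad version plus a
// new transitive dependency.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/example-http-lib': { version: '1.2.0' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/example-http-lib': { version: '1.2.4' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/example-http-lib/node_modules/helper-pkg': { version: '0.0.1' },
  },
};

// CLI use: `node scan-lock.js path/to/package-lock.json` scans a real lockfile
// and exits non-zero on a hit; with no argument it runs against the samples.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK_AFTER;
  const hits = scanLockfile(lock, KNOWN_BAD);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} (${h.path})`);
  if (!file) for (const c of diffLockfiles(SAMPLE_LOCK_BEFORE, SAMPLE_LOCK_AFTER)) console.log(JSON.stringify(c));
  if (file && hits.length) process.exitCode = 1;
}
```

Run the same scan over every lockfile a CI runner has checked out or cached, not just the repository copy: a pipeline that runs `npm install` instead of `npm ci` can resolve a newer version than the committed lockfile records, which is exactly the gap the diff is meant to expose.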

More technical details can be found in Aikido's analysis of the Axios npm compromise.

How to reduce your supply chain risk?

BDO assists clients across sectors and has identified a recurring pattern: organisations assume they are covered because they have a contract with security requirements in place. That is a false sense of security. A contractual clause does not stop a malicious package from being installed; it only determines who is liable afterwards. Contractual clauses are a starting point, not a finish line.

Here are practical steps you can take to strengthen your position:

  • Classify and continuously reassess vendor risk, with alternatives for critical suppliers
  • Prepare supplier-focused incident response playbooks and communication templates
  • Train staff on supply-chain risks and dependency hygiene

How BDO can help 

In the face of rapidly increasing supply chain attacks, organisations must shift from fragmented risk management to a structured, integrated, and risk-driven approach aligned with business criticality. BDO supports companies in identifying critical suppliers and handling them accordingly, so that the organisation takes back control of its third-party exposure.

Third-party risk assessment and management (TPRA/TPRM)

We help you identify, evaluate, and mitigate supplier-related cyber, operational, and compliance risks. We combine (vendor) risk assessment and classification, tailored due-diligence, contractual remediation and continuous monitoring to reduce your exposure and keep your business resilient.

Identity and access management (IAM)

We secure access through a structured IAM approach, including maturity assessments, gap analysis, roadmap definition, and technical analysis of environments (Active Directory, Entra ID, etc.).

Cybersecurity governance

We integrate supply chain risk into governance frameworks, aligning with NIS2 and ISO 27001, and strengthening detection, response, and resilience capabilities.

Business continuity, disaster recovery and incident response

We combine business impact analysis, recovery strategies, resilient IT failover and backup architectures, and clear detection-to-recovery IR processes.

Want to assess your supply chain risk or strengthen your third-party management?

Reach out to our BDO experts:

Daniel Mohabeer

Senior Consultant

Frequently asked questions

A supply chain attack is a cyberattack where the attacker compromises a trusted third party, such as a software provider, vendor or service partner, to gain access to the systems of the actual target. Because the compromised component is trusted by default, these attacks can spread rapidly and are difficult to detect.

Organisations rely more heavily than ever on external vendors, open-source software and cloud services. That interconnectedness creates more entry points for attackers. A single vulnerability in a widely used component can affect thousands of organisations at once. 

Warning signs include unexpected changes in software dependencies (a lockfile that no longer matches what was committed, or a version bump nobody requested), unusual activity in your CI/CD pipelines, unexplained credential usage and anomalous outbound network traffic from build agents or developer machines. Regular dependency scanning and pipeline auditing are your best early warning systems.

Contracts set expectations, but they do not prevent attacks. Effective supply chain risk management requires continuous vendor assessment, technical controls such as least privilege and code scanning, and tested incident response playbooks.