Have you heard the story about the widely-used cryptocurrency wallet app that garnered attention for making it easy to manage digital currencies? 

The app, powered by a trusted hardware wallet provider, offered a secure, user-friendly experience, allowing users to trade cryptocurrencies. However, unknown to the development team, a seemingly routine update introduced malicious code via a compromised version of a third-party JavaScript library integrated into the app.

Soon after the update, users started reporting suspicious activities—unauthorized transactions, disappearing funds, and unexpected wallet drains. Upon investigation, the development team discovered that their app had unknowingly been communicating with unauthorized servers controlled by hackers. 

The root cause was traced to a compromised version of the app’s web3 connection library, which had been infiltrated by attackers through a breached third-party NPM account. This allowed malicious code to be injected into the app, compromising both user wallets and trust in the app itself.

This attack is an example of a software supply chain vulnerability, where bad actors exploit weaknesses within the software code and connected ecosystem. By inserting malicious code into a popular library, the infiltrators were able to gain access to sensitive user data and execute unauthorized commands while remaining undetected. 

The compromised library has since been replaced, but the incident serves as a vivid reminder of third-party software use risk.

Software supply chain attack demystified

Play Video

A software supply chain attack targets the most unsuspecting victims: software developers who rely on external libraries, frameworks, or tools to build their apps. These attacks exploit vulnerabilities in the software development process. But how?

Imagine you’re developing an app and using components from third-party sources to speed things up. In one example, an attacker sneaks malicious code into a popular open-source library. At first, this harmful code might do zero damage—acting as a placeholder, or “stub”—but once the app is installed on users’ devices, it quietly connects to the bad actor’s remote servers, known as command-and-control (C2) servers. From there, the app downloads more dangerous software. 

The app looks normal to users, but behind their backs, their private data is being accessed and, in some cases, stolen, and their device is now under the hacker’s control.

These types of cyberattacks are dangerous because they exploit trusted components in the app development process, making it challenging for both developers and users to detect them.

Software supply chain attack origins

Software supply chain attacks can originate from several sources: malicious software providers, compromised open-source libraries, or even everyday code dependencies. 

Bad actors often target apps that rely on these external libraries because they offer an easy entry point for introducing malicious code. With more organizations using open-source code and/or third-party dependencies, supply chain attacks are on the rise.

Software supply chain attacks can remain undetected until after an app has been deployed and is in use, making them especially troubling. Organizations that unknowingly distribute compromised apps to their customers are unknowingly putting sensitive data at risk. 

A successful attack can be detrimental to the company’s reputation, opening them up to liability or regulatory penalties, and more.

Software supply chain attacks: evolution

Software supply chain attacks have evolved from one-off incidents to sophisticated, industrial-scale enterprises. Malicious actors, including nation-states and well-funded organized crime families, exploit software supply chains. 

Sample attack methods include:

  • Repo jacking: Attackers gain control of a repository (repo) used by many developers.
  • Repo poisoning: Dangerous code is injected into a legitimate repository through a compromised contributor.
  • Typo squatting: Malicious libraries are created with names similar to popular ones, hoping developers will be tricked into installing them.
  • Dependency confusion: Malicious packages are added to public repositories, exploiting the way software pulls dependencies from sources.

Software supply chain attacks can target high-value government agencies, hospitals, and schools—or they can go after everyday businesses. Motives can vary, ranging from spying and IP theft to hostage-style ransomware attacks, made easier by the use of cryptocurrencies as the preferred payment method.

Response of governments and private sector

The increased threat of software supply chain attacks has compelled governments and the private sector to respond with a plethora of new regulations and development frameworks to protect against harm.

For example, in Europe, the Cyber Resilience Act was put into action to improve the security of digital products, while in the United States, the Software Bill of Materials (SBOM) requirement seeks to give organizations greater visibility into the components they use. It is hoped that knowing what your code is made of, increasing testing, and better threat monitoring can help reduce the risk of software supply chain attacks from happening.

According to Gartner, the 2024 global information security market is estimated to be $200 billion, growing by 15% in 2025, proving that cybersecurity problems aren’t going away anytime soon. 

Threats from bad actors seem to be growing faster than defenses can be mustered, which is why businesses need to look beyond compliance measures and become more proactive with their activities.

Defense against supply chain attacks

What can today’s business leaders do to defend against software supply chain attacks?

  • App shielding

Multi-layered app shielding employs several advanced techniques, such as code obfuscation and anti-tamper technology, to make reading the code and reverse engineering nearly impossible, ensuring that an app’s sensitive data and logic remain secure from tampering.

  • Continuous monitoring

Supply chain vulnerabilities often go undetected because they are introduced long before the app goes live. Tools like Verimatrix XTD’s Supply Chain Defender™ can monitor app instances for any backdoor activity in real-time, ensuring that unauthorized communication is flagged before it becomes a serious issue.

  • Whitelisting connections

By whitelisting legitimate outgoing connections, organizations can prevent unauthorized servers from communicating with the app, effectively cutting off the attacker’s control over the app.

  • Pen testing

Integrating manual pen tests or automated testing looking for known vulnerabilities in third-party components can help catch issues early, before they become a larger problem. This includes using tools that verify whether libraries have been tampered with or contain malicious code.

  • Regular updates and patching

Keeping all software components up to date reduces the risk of known vulnerabilities being exploited by attackers. Regular patching should be part of every organization’s software development lifecycle.

Conclusion

Software supply chain attacks aren’t going away; they’re on the rise and more impactful than ever. 

By taking a more proactive cybersecurity stance with preventive and protection measures, continuous monitoring, pen testing, whitelisting connections, scrutinizing their software supply chain libraries, and detecting and responding to threats in real-time, businesses can elevate their game against hackers. 

Solutions like Verimatrix XTD stand ready to help developers, software engineers, SOC teams, and CISOs protect their apps from these potent, hidden dangers.