T1195 represents one of the most asymmetric techniques in the MITRE ATT&CK framework. A single successful supply chain compromise can deliver malicious code to thousands or even millions of organizations simultaneously, bypassing every perimeter defense those organizations have built. The attacker does not need to find a vulnerability in the target, craft a phishing email, or brute-force a credential. They compromise something the target already trusts and let the normal distribution process do the rest.
Supply chain attacks have doubled in frequency since early 2025, averaging 26 incidents per month compared to the prior rate of roughly 13. The trend is being driven by both nation-state operators seeking persistent access to strategic targets and financially motivated groups exploiting open-source ecosystems for credential theft and cryptocurrency heists. In 2025 alone, incidents impacted UK retailers, Swedish municipalities, global SaaS platforms, and tens of thousands of software developers through compromised package repositories.
How Supply Chain Compromise Works
The attack begins not with the ultimate victim but with something the victim depends on: a software vendor, an open-source library, a hardware manufacturer, a managed service provider, or a development tool in the CI/CD pipeline. The adversary gains access to this upstream entity — through credential theft, social engineering, exploitation of a vulnerability in the vendor's infrastructure, or by purchasing or taking over an abandoned project — and then modifies the product or its delivery mechanism to include malicious code.
When the compromised product is distributed through normal channels, the malicious payload arrives at the victim's environment with the full trust of the vendor's digital signature, the organization's software whitelist, and the user's expectation that updates from known sources are safe. Endpoint detection systems typically do not flag the activity because it originates from a signed, approved application performing its expected update routine.
What makes T1195 particularly dangerous is the amplification factor. A traditional intrusion compromises one target at a time. A supply chain compromise delivers the payload to every customer, user, or dependent of the compromised upstream product simultaneously. The attacker can then selectively activate the payload only on targets of interest, leaving the vast majority of infected systems dormant — which further delays detection.
Sub-Techniques
MITRE breaks T1195 into three sub-techniques, each targeting a different link in the supply chain:
T1195.001 — Compromise Software Dependencies and Development Tools
Adversaries target the development ecosystem itself: open-source packages, code libraries, CI/CD pipelines, and build tools that developers incorporate into their applications. This is the fastest-growing attack surface. In September 2025, the Shai-Hulud worm demonstrated what a self-replicating supply chain attack looks like in practice — it compromised npm maintainer accounts through phishing, injected credential-stealing code into packages those maintainers controlled, stole the npm tokens from machines that installed those packages, and then used those tokens to infect additional packages maintained by the new victims. The cycle repeated automatically. Within 48 hours, over 180 packages were compromised. The follow-up campaign, Shai-Hulud 2.0, hit in November 2025 and escalated to 796 compromised packages totaling over 20 million weekly downloads, with data from over 500 GitHub users exfiltrated. This sub-technique also includes dependency confusion attacks, typosquatting (publishing packages with names similar to popular libraries), and poisoned pipeline execution where attackers inject malicious steps into CI/CD workflows.
T1195.002 — Compromise Software Supply Chain
This sub-technique covers the compromise of the software vendor or distributor directly — modifying application source code, tampering with build environments, or replacing legitimate releases with trojanized versions. The SolarWinds SUNBURST attack is the defining example: Russian intelligence operatives compromised SolarWinds' build environment and injected a backdoor into the Orion platform update that was then digitally signed and distributed to over 18,000 customers through the normal update mechanism. The 3CX incident in 2023 took this further — it was the first confirmed "double" supply chain compromise, where North Korea's Lazarus Group compromised a financial trading application (X_TRADER), used that to gain access to a 3CX employee's machine, then pivoted into 3CX's build environment and trojanized both the Windows and macOS versions of 3CX DesktopApp, which had over 12 million daily users. Marketplace-based attacks also fall here, where adversaries purchase or take over legitimate software listings — browser extensions, app store listings, SaaS integrations — and push malicious updates to the existing user base.
T1195.003 — Compromise Hardware Supply Chain
Hardware supply chain compromise involves the modification of physical devices during manufacturing, shipping, or distribution. This includes implanting backdoors in firmware, modifying chips or circuit boards, or infecting removable media at the factory. While less common than software-based supply chain attacks due to the physical access requirements, hardware compromises are exceptionally difficult to detect and nearly impossible to remediate through software patching. Examples include infected USB drives shipped with IBM Storwize storage systems in 2017 and compromised removable media distributed with Schneider Electric products. Nation-state actors with intelligence capabilities to intercept hardware shipments present the greatest risk in this category.
Real-World Case Studies
SolarWinds SUNBURST — The Attack That Changed Everything
In what remains the defining software supply chain compromise in modern cybersecurity, Russian intelligence operatives (tracked as APT29 / Cozy Bear) infiltrated SolarWinds' development infrastructure as early as October 2019 and spent months preparing. They developed a novel code injection tool called SUNSPOT that intercepted the Orion platform's build process and replaced a legitimate DLL with one containing the SUNBURST backdoor — without modifying the source code repository, which made the tampering invisible to standard code review.
Between March and June 2020, SolarWinds distributed the trojanized Orion updates to approximately 18,000 customers, including the U.S. Treasury Department, Department of Homeland Security, the National Nuclear Security Administration, and major enterprises across the Fortune 500. The SUNBURST malware implemented a two-week dormancy period after installation, then communicated with command-and-control infrastructure using DNS queries disguised as legitimate Orion telemetry. The attackers selectively activated follow-on payloads only on targets of strategic intelligence value, leaving the vast majority of compromised systems dormant.
The compromise was not detected by any government agency, any SolarWinds customer, or SolarWinds itself. It was discovered in December 2020 by FireEye (now Mandiant) during an investigation of their own breach — which turned out to be a downstream consequence of the SolarWinds compromise. The total dwell time exceeded 14 months.
The 3CX Double Supply Chain Compromise
In March 2023, endpoint detection platforms began flagging the 3CX DesktopApp — a legitimate VoIP softphone application used by over 600,000 companies and 12 million daily users — as malicious. Mandiant's investigation revealed what they called the first confirmed instance of a cascading (double) supply chain attack. North Korea's Lazarus Group had first compromised Trading Technologies' X_TRADER application, a financial trading platform that had been decommissioned in April 2020 but still had a valid code-signing certificate. A 3CX employee downloaded the trojanized X_TRADER installer on their personal machine. The attackers harvested credentials from that machine, moved laterally into 3CX's corporate environment, and eventually compromised both the Windows and macOS build environments.
The trojanized 3CX update deployed a multi-stage payload: first, the SUDDENICON downloader retrieved command-and-control addresses from encrypted icon files hosted on GitHub; then, the ICONICSTEALER information-stealing malware was deployed. For selected high-value targets — particularly cryptocurrency companies — the Lazarus Group deployed an additional backdoor called Gopuram. The 3CX incident demonstrated that a single supply chain compromise can trigger a chain reaction, with the initial victim becoming the launch point for a second, broader supply chain attack.
The 3CX attack revealed a dangerous blind spot: decommissioned software with active code-signing certificates. The X_TRADER application had been retired for two years, but its signing certificate remained valid and trusted by operating systems — giving the attackers a ready-made trust anchor for their trojanized payload. Organizations should audit and revoke certificates for retired products immediately upon decommission.
Shai-Hulud — The Self-Replicating npm Worm
In September 2025, security researchers at ReversingLabs identified a first-of-its-kind self-replicating worm in the npm package registry. Named Shai-Hulud after the sandworms in Frank Herbert's Dune, the malware spread by compromising npm maintainer accounts through targeted phishing emails disguised as npm security alerts. Once installed on a developer's machine, the worm harvested npm tokens, GitHub credentials, AWS and GCP credentials, and other secrets. It then used the stolen npm tokens to identify other packages the developer maintained, injected its own code into those packages, and published compromised versions to the registry — all automatically, without further attacker intervention.
The follow-up campaign, Shai-Hulud 2.0, launched in November 2025 and was significantly more aggressive. It compromised 796 unique npm packages with over 20 million weekly downloads in under 72 hours. The 2.0 variant executed during the preinstall phase (rather than postinstall), meaning the malicious code ran before installation completed and before security checks could intervene. It installed the Bun JavaScript runtime to evade Node.js-specific monitoring, harvested credentials from cloud provider metadata services (AWS, Azure, GCP), and established persistence by registering compromised machines as GitHub Actions self-hosted runners. The attackers compromised maintainer accounts from widely used projects associated with Zapier, PostHog, and Postman. Data from over 500 unique GitHub users across 150 organizations was confirmed exfiltrated.
Shai-Hulud represented a paradigm shift: it was the first supply chain attack that could propagate through an ecosystem without ongoing attacker involvement, turning each compromised developer into an unwitting distribution vector for the next wave of infections.
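The install-hook behaviour described above can be checked before a new release is admitted. The following is an added example, not code from the original article or from any vendor tool: it compares the install-time lifecycle scripts of two releases of a package and ranks any that were added or changed. The manifests, the package name, and the watch list of tool names are constructed assumptions.

```python
import json
import re

# Hooks that npm runs automatically while installing a package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Assumed watch list: tools an install hook seldom needs. Tune per environment.
WATCH_WORDS = re.compile(r"\b(curl|wget|bun|powershell)\b", re.IGNORECASE)

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def install_hooks(manifest):
    """Return the install-time lifecycle scripts declared in a parsed package.json."""
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {h: str(scripts[h]) for h in INSTALL_HOOKS if h in scripts}


def bump_kind(old_version, new_version):
    """Classify a version change as major, minor, patch, or unknown."""
    old, new = SEMVER.match(old_version or ""), SEMVER.match(new_version or "")
    if not old or not new:
        return "unknown"
    for kind, a, b in zip(("major", "minor", "patch"), old.groups(), new.groups()):
        if int(a) != int(b):
            return kind
    return "unknown"


def diff_install_hooks(old_text, new_text):
    """Report install hooks that a new release added or changed."""
    old, new = json.loads(old_text), json.loads(new_text)
    kind = bump_kind(old.get("version"), new.get("version"))
    before, after = install_hooks(old), install_hooks(new)
    findings = []
    for hook, command in after.items():
        if before.get(hook) == command:
            continue  # unchanged hook, already reviewed in the previous release
        words = sorted({w.lower() for w in WATCH_WORDS.findall(command)})
        # A hook that appears in a patch release, or calls a watched tool, ranks high.
        high = kind == "patch" or bool(words)
        findings.append({
            "hook": hook,
            "change": "added" if hook not in before else "changed",
            "bump": kind,
            "command": command,
            "watch_words": words,
            "severity": "high" if high else "review",
        })
    return findings


# Constructed manifests for a hypothetical package, not taken from any real release.
OLD_MANIFEST = json.dumps({"name": "example-lib", "version": "2.3.1", "scripts": {
    "test": "node test.js", "postinstall": "node-gyp rebuild"}})
NEW_MANIFEST = json.dumps({"name": "example-lib", "version": "2.3.2", "scripts": {
    "test": "node test.js", "postinstall": "node-gyp rebuild",
    "preinstall": "bun run ./bootstrap.js"}})

if __name__ == "__main__":
    for finding in diff_install_hooks(OLD_MANIFEST, NEW_MANIFEST):
        print(finding)
```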
UK Retail Supply Chain Campaign (2025)
Between April and August 2025, a coordinated wave of cyberattacks targeted major UK retailers. Marks & Spencer suffered a highly targeted attack traced to social engineering against employees at a third-party contractor. The breach forced M&S to manually operate critical logistics processes, disrupted food distribution, reduced product availability across more than 1,000 stores, and temporarily halted online shopping entirely. The estimated impact exceeded £300 million in operating profit for 2025/2026. The campaign — attributed to the Scattered Spider group working with DragonForce Ransomware affiliates — also struck Co-op and Harrods before shifting focus to U.S. retailers. Jaguar Land Rover suffered what the UK Cyber Monitoring Centre described as the most economically damaging cyber incident in UK history, with the attack exploiting third-party supplier software to move laterally into JLR's core systems. More than 5,000 businesses across JLR's global supply chain were affected.
SaaS Platform Cascading Compromise — Salesloft/Salesforce (2025)
In August 2025, a threat actor tracked as UNC6395 compromised Salesloft's GitHub account and stole OAuth tokens associated with Salesloft's Drift chatbot integration with Salesforce. These tokens gave the attacker API-level access to Salesforce customer instances, bypassing standard authentication controls including MFA and SSO. The campaign affected more than 700 organizations across multiple sectors. Because the access was achieved through legitimate OAuth tokens issued by a trusted integration partner, the activity was invisible to traditional security monitoring focused on login events. The incident demonstrated that modern SaaS-to-SaaS integrations create supply chain trust relationships that many organizations do not monitor or control.
Detection Strategies
Detecting supply chain compromise is inherently difficult because the malicious payload arrives through trusted channels, often signed by the legitimate vendor. Traditional perimeter defenses and signature-based detection are ineffective against this class of attack. Detection relies on identifying behavioral anomalies in software that has already been installed and trusted.
Key Monitoring Points
| Detection Layer | What to Monitor | Why It Matters |
|---|---|---|
| File Integrity | Hash changes in installed binaries, DLLs, and packages after updates | Trojanized updates modify files that should match known-good hashes from the vendor |
| Process Behavior | Trusted applications spawning unexpected child processes (cmd.exe, powershell.exe, bash, curl) | Compromised software executing commands that the legitimate application would never invoke |
| Network Egress | New outbound connections from update processes to previously unseen domains or IPs | SUNBURST used DNS-based C2 disguised as telemetry; 3CX downloaded C2 addresses from GitHub |
| Code Signing | Changes in signing certificates, expired certificates used on new builds, new signers for familiar software | X_TRADER used an expired certificate; compromised vendors may sign malware with their own valid certificate |
| Package Registry | Unexpected version bumps, new preinstall/postinstall scripts, changes in package maintainer accounts | Shai-Hulud propagated by publishing new versions of packages under compromised accounts |
| OAuth/API Tokens | Token usage from unexpected IPs, unusual API call patterns, bulk data exports from SaaS integrations | Salesloft/Salesforce attack used stolen OAuth tokens for silent API-level data extraction |
Splunk Detection Queries
Detect trusted applications spawning suspicious child processes that may indicate a trojanized update:
```spl
index=sysmon EventCode=1
| search parent_image IN ("*\\SolarWinds*", "*\\3CXDesktopApp*", "*\\update*", "*\\updater*")
    AND (process_name="cmd.exe" OR process_name="powershell.exe"
    OR process_name="rundll32.exe" OR process_name="mshta.exe"
    OR process_name="certutil.exe" OR process_name="bitsadmin.exe")
| stats count by parent_image, process_name, CommandLine, dest
| where count < 5
```
Identify npm or pip packages executing unexpected network connections during installation:
```spl
index=sysmon EventCode=3
| search process_name IN ("node.exe", "npm.cmd", "python.exe", "pip.exe", "bun.exe")
    AND NOT dest_ip IN ("104.16.0.0/12", "185.199.108.0/22")
| stats count values(dest_ip) values(dest_port) by process_name, dest, user
| where count > 3
```
Detect bulk data exports from SaaS APIs that may indicate compromised OAuth tokens:
```spl
index=proxy OR index=cloud_audit
| search uri="*/services/data/v*/query*" OR uri="*/api/v1/export*"
| stats sum(bytes_out) as total_bytes dc(uri) as unique_endpoints by src_ip, user, app
| where total_bytes > 104857600 OR unique_endpoints > 20
| sort - total_bytes
```
Supply chain compromise detection cannot rely on a single data source. The strongest detection strategy combines file integrity monitoring (catching modified binaries), process tree analysis (catching unexpected child processes from trusted applications), network anomaly detection (catching C2 communication), and SaaS audit logging (catching OAuth token abuse). Organizations that do not forward logs from all four of these layers to their SIEM have significant blind spots for this technique.
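The OAuth/API token monitoring point can also be approached as a per-integration baseline instead of fixed thresholds. The following is an added example, not part of the original article: it learns the source networks, endpoints, and peak response size for each integration from earlier audit events, then flags later events that depart from them. The JSON field names, the integration name, and all log lines are constructed and do not follow any vendor's schema.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed audit events (JSON lines) using documentation IP ranges.
BASELINE_LOG = """\
{"app": "chat-integration", "src_ip": "198.51.100.10", "endpoint": "/query", "bytes_out": 40000}
{"app": "chat-integration", "src_ip": "198.51.100.11", "endpoint": "/query", "bytes_out": 52000}
{"app": "chat-integration", "src_ip": "198.51.100.10", "endpoint": "/query", "bytes_out": 47000}
"""
NEW_LOG = """\
{"app": "chat-integration", "src_ip": "198.51.100.11", "endpoint": "/query", "bytes_out": 45000}
{"app": "chat-integration", "src_ip": "203.0.113.77", "endpoint": "/query", "bytes_out": 9000000}
{"app": "chat-integration", "src_ip": "203.0.113.77", "endpoint": "/export", "bytes_out": 30000000}
"""


def parse(log_text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def build_baseline(events, prefix=24):
    """Per app: source networks, endpoints, and peak response size seen so far."""
    base = defaultdict(lambda: {"nets": set(), "endpoints": set(), "max_bytes": 0})
    for e in events:
        b = base[e["app"]]
        b["nets"].add(ipaddress.ip_network(f'{e["src_ip"]}/{prefix}', strict=False))
        b["endpoints"].add(e["endpoint"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes_out"])
    return base


def detect(events, baseline, volume_factor=10):
    """Return (event, reasons) for token use that departs from the app's baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["app"])
        if b is None:
            alerts.append((e, ["unknown_app"]))
            continue
        ip = ipaddress.ip_address(e["src_ip"])
        reasons = []
        if not any(ip in net for net in b["nets"]):
            reasons.append("new_source_network")
        if e["endpoint"] not in b["endpoints"]:
            reasons.append("new_endpoint")
        if e["bytes_out"] > volume_factor * b["max_bytes"]:
            reasons.append("volume_spike")
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG))):
        print(event["src_ip"], event["endpoint"], reasons)
```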
Known Threat Actors
The following threat groups have been documented by MITRE, government advisories, and security vendors as employing T1195 Supply Chain Compromise techniques:
| Threat Actor | Attribution | Notable Supply Chain Operation |
|---|---|---|
| APT29 / Cozy Bear | Russia (SVR) | SolarWinds SUNBURST — compromised the Orion build environment and distributed trojanized updates to 18,000+ customers |
| Lazarus Group | North Korea (RGB) | 3CX double supply chain compromise via trojanized X_TRADER; cryptocurrency-targeting supply chain campaigns |
| Sandworm Team | Russia (GRU) | Staged compromised software installers on forums to achieve initial access; NotPetya (2017) spread through compromised M.E.Doc accounting software in Ukraine |
| Ember Bear / Cadet Blizzard | Russia | Compromised IT service providers and software developers to build access to downstream targets of interest |
| OilRig / APT34 | Iran | Leveraged compromised organizations to conduct supply chain attacks against government entities in the Middle East |
| Scattered Spider / UNC3944 | Cybercriminal | Social engineering against third-party contractors to compromise UK retail supply chains (M&S, JLR); DragonForce ransomware deployment |
| UNC6395 | Unattributed | Salesloft/Drift OAuth token theft affecting 700+ downstream Salesforce customers |
| Evasive Panda / APT41 | China | Delivered malware through updates for popular Chinese software applications; compromised update mechanisms of legitimate tools |
Defensive Recommendations
- Implement Software Bill of Materials (SBOM): Maintain a comprehensive inventory of every software component, library, and dependency in your environment. When a supply chain compromise is disclosed, an SBOM enables rapid identification of whether your organization is affected. Without one, you are searching blind.
- Verify software integrity beyond vendor signatures: Digital signatures from the vendor are necessary but not sufficient — SolarWinds' trojanized updates were legitimately signed. Implement independent hash verification against known-good baselines, use binary analysis tools to detect anomalous code in updates, and consider delaying deployment of non-critical updates by 24-48 hours to allow the security community time to identify compromises.
- Lock dependencies and audit them continuously: Pin open-source packages to specific versions rather than pulling the latest. Use tools like Socket, Snyk, or ReversingLabs to scan for known-malicious packages and behavioral anomalies in dependencies. Monitor for unexpected version bumps and maintainer account changes in packages you depend on.
- Enforce least privilege for software and integrations: Limit the permissions granted to third-party applications, SaaS integrations, and OAuth tokens to the minimum required for functionality. Audit all existing third-party access grants. The Salesloft incident demonstrated that a single over-privileged OAuth token can grant access to an entire CRM.
- Segment update infrastructure: Isolate software update processes from production systems where possible. Monitor update channels as a distinct network zone with its own anomaly detection rules. If an update mechanism is compromised, network segmentation limits the attacker's ability to move laterally.
- Monitor for behavioral anomalies in trusted software: Deploy EDR rules that detect trusted applications spawning unexpected processes, making unexpected network connections, or accessing files and registry keys outside their normal behavioral profile. This is the primary detection mechanism for supply chain payloads that bypass signature-based controls.
- Revoke certificates and credentials for retired products: The 3CX attack chain began with a decommissioned product that still had a valid code-signing certificate. Audit all certificates associated with retired, end-of-life, or deprecated software and revoke them immediately. Apply the same discipline to API keys, OAuth tokens, and service accounts associated with decommissioned integrations.
- Assess third-party risk beyond questionnaires: Traditional vendor risk assessments based on questionnaires and compliance attestations did not prevent any of the major supply chain compromises described in this article. Supplement assessments with continuous monitoring of vendors' externally observable security posture, enforce contractual requirements for incident notification timelines, and implement technical controls (network segmentation, access restrictions, log forwarding) that limit the blast radius if a vendor is compromised.
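The integrity-verification and dependency-pinning recommendations above can be enforced in a build step. The following is an added example, not code from the original article or from any of the tools it names: it lists npm dependencies that are not pinned to one exact version, and checks fetched package bytes against the `integrity` values recorded in a `package-lock.json`. Package names, tarball bytes, and the lockfile are constructed, and only single-hash integrity strings are handled.

```python
import base64
import hashlib
import json
import re

# One exact semver version, optionally with prerelease or build metadata.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_dependencies(manifest_text):
    """Return (section, name, spec) for each dependency not pinned to one exact version."""
    manifest = json.loads(manifest_text)
    loose = []
    for section in DEP_SECTIONS:
        for name, spec in sorted((manifest.get(section) or {}).items()):
            if not EXACT.match(str(spec).strip()):
                loose.append((section, name, spec))
    return loose


def sri_for(artifact, algo="sha512"):
    """Build an integrity string in the lockfile's '<algo>-<base64 digest>' form."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, artifact).digest()).decode()


def sri_matches(artifact, sri):
    """Check artifact bytes against a single-hash integrity value."""
    algo, _, expected = sri.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not expected:
        return False  # missing, malformed, or weak (e.g. sha1): treat as unverified
    return sri_for(artifact, algo) == sri


def audit_lockfile(lock_text, artifacts):
    """Flag locked packages with no integrity hash or whose fetched bytes differ from it."""
    problems = []
    for path, entry in json.loads(lock_text).get("packages", {}).items():
        if not path.startswith("node_modules/") or entry.get("link"):
            continue  # skip the root project ("") and workspace links
        name = path.rsplit("node_modules/", 1)[-1]
        sri = entry.get("integrity")
        if not sri:
            problems.append((name, "no integrity hash in lockfile"))
        elif name in artifacts and not sri_matches(artifacts[name], sri):
            problems.append((name, "artifact does not match locked hash"))
    return problems


# Constructed sample data: hypothetical package names and stand-in tarball bytes.
MANIFEST = json.dumps({"dependencies": {"alpha-lib": "1.4.2", "beta-lib": "^3.0.0"},
                       "devDependencies": {"gamma-tool": "latest"}})
GOOD_TARBALL = b"constructed bytes standing in for alpha-lib-1.4.2.tgz"
LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/alpha-lib": {"version": "1.4.2", "integrity": sri_for(GOOD_TARBALL)},
    "node_modules/beta-lib": {"version": "3.1.0", "integrity": sri_for(b"expected beta bytes")},
    "node_modules/gamma-tool": {"version": "0.9.0"},
}})
FETCHED = {"alpha-lib": GOOD_TARBALL, "beta-lib": b"bytes that differ from the locked release"}

if __name__ == "__main__":
    print(unpinned_dependencies(MANIFEST))
    print(audit_lockfile(LOCKFILE, FETCHED))
```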
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1195 |
| Technique Name | Supply Chain Compromise |
| Tactics | Initial Access |
| Platforms | Windows, Linux, macOS, SaaS |
| Sub-Techniques | T1195.001 Compromise Software Dependencies and Development Tools, T1195.002 Compromise Software Supply Chain, T1195.003 Compromise Hardware Supply Chain |
| Data Sources | File (Modification), Sensor Health (Host Status), Network Traffic (Network Connection Creation, Network Traffic Content) |
| Mitigations | Application Developer Guidance (M1013), Boot Integrity (M1046), Limit Software Installation (M1033), Update Software (M1051), User Account Management (M1018), Vulnerability Scanning (M1016) |
| MITRE Reference | attack.mitre.org/techniques/T1195 |