Supply Chain Attacks

Attack that compromises a trusted supplier or dependency so downstream targets are affected indirectly.

A supply chain attack is an attack that compromises a trusted supplier, dependency, update path, or related upstream relationship so downstream targets are affected indirectly. In plain language, it abuses trust in something the organization already depends on rather than attacking the final target in isolation.

Why It Matters

Supply chain attacks matter because trust is central to how modern organizations operate. Software libraries, service providers, deployment pipelines, managed platforms, and vendor relationships all create paths where one upstream compromise can affect many downstream environments.

They also matter because these attacks can bypass assumptions that focus only on the direct perimeter. An organization may have strong internal controls but still inherit risk from a trusted source it relies on.

Where It Appears in Real Systems or Security Workflow

Supply chain attacks appear in dependency governance, software distribution, vendor assessment, update-signing trust, CI/CD protection, and incident response. Security teams connect them to Software Composition Analysis, Digital Signature, Compliance Framework, and Risk Assessment because both technical and governance controls are required to manage this kind of risk.

Teams also use supply-chain scenarios to test how well they can validate software sources, review vendor trust, and respond when an upstream dependency becomes suspect.

Defensive Review Questions

  • Which suppliers, libraries, build systems, or update paths are trusted by default?
  • What evidence proves that software and updates came from approved sources?
  • How quickly can the organization identify where a vulnerable or compromised dependency is used?
  • Which vendor relationships would create high impact if trust were abused?
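Two of these questions (what evidence proves an update came from an approved source, and how fast a compromised dependency can be located) can be answered with routine checks. The following is an added example, not code from the original page: it verifies delivered artifacts against a pinned manifest of approved SHA-256 digests, and searches simple "name==version" lockfiles for an affected package version. All artifacts, digests, lockfiles and app names are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data (not from any real project): the bytes an update
# channel delivered, and the SHA-256 digests the organization approved.
ARTIFACTS = {
    "libparse-2.4.1.tar.gz": b"libparse 2.4.1 release contents",
    "agent-installer.exe": b"agent installer build 118 (tampered)",
    "helper-tool.bin": b"helper tool, never reviewed",
}
APPROVED = {
    "libparse-2.4.1.tar.gz": hashlib.sha256(b"libparse 2.4.1 release contents").hexdigest(),
    "agent-installer.exe": hashlib.sha256(b"agent installer build 118").hexdigest(),
}

def verify_artifacts(artifacts, approved):
    """Classify each artifact as ok, mismatch (changed upstream or in transit) or unpinned."""
    results = {}
    for name, data in artifacts.items():
        expected = approved.get(name)
        if expected is None:
            results[name] = "unpinned"   # nothing approved: no evidence of provenance
            continue
        actual = hashlib.sha256(data).hexdigest()
        # constant-time comparison avoids leaking how much of the digest matched
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results

# Constructed lockfiles for three internal apps, one "name==version" per line.
LOCKFILES = {
    "billing": "requests==2.31.0\nlibparse==2.4.1\n",
    "portal": "libparse==2.3.9\nflask==3.0.0\n",
    "reports": "numpy==1.26.0\n",
}

def find_dependency_usage(lockfiles, package, affected_versions):
    """Return (app, version) for every app whose lock pins an affected version of package."""
    hits = []
    for app, text in lockfiles.items():
        for line in text.splitlines():
            if "==" not in line:
                continue
            name, version = line.strip().split("==", 1)
            if name == package and version in affected_versions:
                hits.append((app, version))
    return hits

if __name__ == "__main__":
    print(verify_artifacts(ARTIFACTS, APPROVED))
    print(find_dependency_usage(LOCKFILES, "libparse", {"2.4.1"}))
```

A "mismatch" on a delivered artifact is the signal that the update path itself, not just the organization's own systems, needs to be treated as suspect.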

Common Supply Chain Entry Points

Entry point               | Why it is risky
Third-party libraries     | Hidden malicious changes can propagate to many apps
Update channels           | Trusted delivery paths distribute compromised code
Build pipelines           | Compromised build systems affect all outputs
Managed service providers | Upstream access can reach many clients

Practical Example

A company relies on a widely used third-party component or update channel for its internal applications. If that upstream source is compromised, the downstream organization may receive harmful changes through a relationship it already trusted, even though the initial breach occurred elsewhere.

Common Misunderstandings and Close Contrasts

A supply chain attack is not limited to open-source libraries. It can involve vendors, managed services, update pipelines, build systems, or other trusted upstream relationships.

It is also different from a direct Trojan delivered to one user. The defining feature is abuse of trusted upstream dependency or supplier relationships that affect downstream targets more broadly.

Knowledge Check

  1. What makes a supply chain attack indirect? It compromises a trusted upstream dependency to reach downstream targets.
  2. Why are digital signatures relevant to supply chain defense? They help verify that updates and packages came from trusted sources.
  3. Which control helps detect risky third-party components? Software composition analysis and dependency governance.

Revised on Friday, April 24, 2026