The information technology sector has a peculiar cybersecurity problem: it is both the industry that builds the defenses and the industry most deliberately targeted through the supply chain those defenses depend on. Supply chain attacks against the IT sector have accelerated sharply, with the number of monthly incidents more than doubling from an average of 13 per month in early 2024 to more than 28 per month by mid-2025, according to Cyble's tracking data. IT vendors are not targeted at random; they are targeted because compromising one managed service provider, one widely used software package, or one trusted update mechanism can cascade into thousands of downstream customer environments simultaneously. The July 2024 CrowdStrike incident, in which a defective content update rather than an attack disrupted approximately 8.5 million Windows systems worldwide, showed that even a well-resourced, security-focused vendor's update channel can become a vector for catastrophic disruption.
TL;DR
- Monthly software supply chain incidents more than doubled from ~13 per month to 28+ per month between early 2024 and mid-2025.
- 512,847 malicious packages were detected in 2024, a 156% year-over-year increase.
- Supply chain compromises account for ~15% of all breaches and doubled in prevalence year-over-year.
- The global annual cost of software supply chain attacks is forecast to reach $138 billion by 2031.
- SBOMs (Software Bills of Materials) are becoming a baseline requirement driven by federal procurement rules and NIST SSDF.
Malicious packages in public software repositories represent a growing and underappreciated dimension of IT sector risk. A 2024 report recorded 512,847 malicious packages detected in a single year, a 156% year-over-year increase, as attackers use typosquatting (names one keystroke away from a popular package), dependency confusion (a public package that shadows an organization's private package of the same name and wins resolution on version number), and name-hijacking (taking over an abandoned package or its maintainer account) to slip malicious code into developer workflows. Third-party and supply chain compromises now account for approximately 15% of all breaches and doubled in prevalence year-over-year, according to breach data aggregators. For IT companies, this means that the security of their products is only as good as the security of every open-source library, cloud API, and build pipeline they depend on. Cybersecurity Ventures estimates that the global annual cost of software supply chain attacks will reach $60 billion in 2025 and climb to $138 billion by 2031. IT firms that ship software are therefore both potential victims and potential vectors for their own customers.
"Managing supply chain risk is still one of the, if not the biggest, problem for CISOs. It's the greatest area of unmanaged or hard-to-manage risk."
Philip Reitinger, President and CEO, Global Cyber Alliance; former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security, as quoted in Cybersecurity Ventures: Software Supply Chain Attacks To Cost The World $60 Billion By 2025
The IT sector's response to this threat is evolving from reactive patching toward proactive supply chain governance. Software Bills of Materials (SBOMs), which catalogue every component and dependency in a software product, are increasingly required by government procurement rules following Executive Order 14028 on Improving the Nation's Cybersecurity. NIST's Secure Software Development Framework (SSDF) provides a practical set of practices for integrating security into the software development lifecycle. IT companies that can demonstrate rigorous SBOM practices, code signing, and repeatable build integrity processes are differentiating themselves in a market where enterprise buyers scrutinize vendor security postures with increasing precision. In a sector that builds trust for everyone else, the ability to demonstrate your own trustworthiness has become a core product attribute, not an afterthought.
Pro Tip: Generate and Publish SBOMs for Your Software Releases
An SBOM (Software Bill of Materials) is a machine-readable inventory of every open-source and third-party component in your software. CISA has published guidance on SBOM formats, with SPDX and CycloneDX as the leading standards. Publishing SBOMs for your releases does two things: it gives your customers the visibility to assess their own exposure when a new CVE is disclosed, and it signals a level of supply chain maturity that increasingly differentiates vendors in enterprise procurement evaluations. Two practical points: generate the SBOM from the built artifact rather than from the source manifest, so that transitive and vendored dependencies are captured, and sign the SBOM and publish it alongside the release so customers can verify it belongs to the binary they deployed. CISA's SBOM resources are available at cisa.gov/sbom.
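What the customer side of "assess their own exposure" looks like in practice: the script below, an added illustration that is not code from the article, CISA or the CycloneDX project, loads a CycloneDX JSON SBOM, parses each component's package URL (purl), and matches it against an advisory feed with OSV-style affected ranges. The SBOM document, the package names and the advisory identifiers (EXAMPLE-2024-000x) are all constructed; nothing here describes a real vulnerability. It also covers the edge cases a practitioner hits first: a scoped npm name (percent-encoded `@` in the purl), purl qualifiers, a component whose version is exactly the fixed release, an advisory with no fixed version yet, and a component with no purl at all.

```python
"""Match a CycloneDX SBOM against an advisory feed to find exposed components.

Added illustration, not code from the article, CISA, or the CycloneDX project.
The SBOM document, the package names and the advisory identifiers
(EXAMPLE-2024-000x) are all constructed; nothing here describes a real
vulnerability. The advisory tuples are shaped loosely like OSV "affected"
ranges: a version is affected if introduced <= version < fixed, and an empty
'fixed' means no fixed release exists yet.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 SBOM in the shape emitted by generators such as
# syft or cyclonedx-bom. Each component carries a package URL (purl); the last
# one deliberately lacks a purl so the code has to handle that case.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "acme-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "acme-http", "version": "1.4.2",
     "purl": "pkg:pypi/acme-http@1.4.2"},
    {"type": "library", "group": "@acme", "name": "widgets", "version": "2.0.1",
     "purl": "pkg:npm/%40acme/widgets@2.0.1"},
    {"type": "library", "group": "com.example", "name": "acme-parser", "version": "3.1.0",
     "purl": "pkg:maven/com.example/acme-parser@3.1.0?type=jar"},
    {"type": "library", "name": "vendored-blob", "version": "0.1"}
  ]
}
"""

# Constructed advisories: (id, purl type, namespace/name, introduced, fixed).
ADVISORIES = [
    ("EXAMPLE-2024-0001", "pypi", "acme-http", "0", "1.5.0"),
    ("EXAMPLE-2024-0002", "npm", "@acme/widgets", "2.0.0", "2.0.1"),      # SBOM has the fixed version
    ("EXAMPLE-2024-0003", "maven", "com.example/acme-parser", "3.0.0", ""),  # no fix yet
]


def parse_purl(purl: str):
    """Split pkg:type/[namespace/]name@version[?qualifiers][#subpath] into
    (type, namespace, name, version). Per the purl spec the '@' of an npm scope
    is percent-encoded as %40, so the first raw '@' separates the version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    rest = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    path, _, version = rest.partition("@")
    segments = path.split("/")
    if len(segments) < 2:
        raise ValueError(f"purl has no name: {purl}")
    ptype, name = segments[0].lower(), unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[1:-1])
    return ptype, namespace, name, unquote(version)


def version_key(v: str):
    """Numeric dotted-version key padded to four fields so '2.32' == '2.32.0'.
    Adequate for the plain x.y.z versions here; real comparisons need the
    ecosystem's rules (PEP 440, semver pre-releases, Maven qualifiers)."""
    parts = [int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def exposure(sbom_json: str, advisories):
    """Return (hits, unmatched): hits are (advisory id, purl, fixed-in) for each
    component whose version falls inside an affected range; unmatched lists
    components without a purl, which cannot be matched reliably."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    hits, unmatched = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        ptype, ns, name, version = parse_purl(purl)
        full_name = f"{ns}/{name}" if ns else name
        v = version_key(version)
        for adv_id, eco, pkg, introduced, fixed in advisories:
            if (eco, pkg) != (ptype, full_name):
                continue
            if v >= version_key(introduced) and (not fixed or v < version_key(fixed)):
                hits.append((adv_id, purl, fixed or "no fix"))
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = exposure(SBOM_JSON, ADVISORIES)
    for adv_id, purl, fixed in hits:
        print(f"{adv_id}: {purl} (fixed in {fixed})")
    for item in unmatched:
        print(f"no purl, manual review: {item}")
```

The purl is the field that makes this work: matching on the free-text `name` alone confuses `com.example:acme-parser` with any other `acme-parser`, which is why generators that cannot derive a purl (vendored or hand-copied code) leave a gap the consumer has to review by hand. The `version_key` helper is deliberately naive; swap in an ecosystem-aware comparison before trusting the result for pre-release or non-numeric versions.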
Key Takeaways
- Supply chain attacks doubled: Monthly software supply chain incidents grew from ~13 per month to 28+ per month between early 2024 and mid-2025.
- Malicious packages exploded: 512,847 malicious packages were detected in 2024, a 156% year-over-year increase.
- Third-party risk is growing: Supply chain compromises now account for ~15% of all breaches and doubled in prevalence year-over-year.
- Costs are escalating: The annual cost of software supply chain attacks is forecast to reach $138 billion by 2031.
- SBOMs are becoming table stakes: NIST SSDF and federal procurement rules are accelerating SBOM adoption as a baseline security requirement.
Sources: Cyble: Supply Chain Attacks Surge In 2025, Securelist: Review of Supply Chain Attacks in 2024, CISA: Software Bill of Materials (SBOM), NIST Secure Software Development Framework (SSDF), Cybersecurity Ventures: Software Supply Chain Attacks To Cost The World $60 Billion By 2025