SOCRadar® Cyber Intelligence Inc. | Top 10 Supply Chain Attacks of 2025
Jan 06, 2026
15 Mins Read

Top 10 Supply Chain Attacks of 2025

Supply chain attacks enable a single compromise to impact multiple organizations simultaneously, making them among the most damaging threats in 2025 and beyond. According to industry data, breaches involving third parties have doubled year over year, with roughly 30% of all data breaches now linked to a third-party or supply chain issue.

These incidents are costly and disruptive. A typical supply chain breach now costs significantly more to remediate than a first-party breach, often exceeding USD 4.9 million on average, and many organizations lose over $300,000 per hour of downtime due to operational outages caused by these attacks.

This list presents the ten most impactful supply chain cyber incidents of 2025, selected based on their reach, downstream impact, and associated security risks, and listed in chronological order. Most incidents involved digital supply chains, including open-source software, SaaS platforms, cloud services, and enterprise tools. In several cases, digital attacks triggered physical or operational disruptions, underscoring once again the close connection between digital systems and real-world operations.

1. UK Retailers Hit by Coordinated Cyber Attacks

  • Date of incidents: April–May 2025
  • Affected organizations: Marks & Spencer, Co-op Group, Harrods, Dior
  • Attack type: Ransomware and extortion
  • Impact: Disruption to retail operations, payments, online ordering, and logistics across multiple UK retailers. Some companies reported significant financial losses and short-term supply and inventory issues.
  • Attribution: Activity was linked to the Scattered Spider cybercriminal group and DragonForce Ransomware affiliates.

Between April and May 2025, several major UK retailers were targeted by a coordinated wave of cyberattacks aimed at the retail sector. Marks & Spencer suffered a ransomware attack that encrypted VMware ESXi systems, forcing the shutdown of online orders and Click & Collect services across more than 1,000 stores. The Co-op detected a similar intrusion and took systems offline as a precaution, which disrupted stock management and logistics in some locations.

Harrods and Dior were also impacted during the same period, reinforcing concerns that attackers were deliberately targeting large, high-profile retailers. The campaign highlighted how ransomware attacks against shared retail technologies and centralized IT systems can quickly spread disruption across the sector.

2. Ingram Micro Ransomware Attack

  • Date of incident: Early July 2025 (disclosed July 9–10)
  • Affected organization: Ingram Micro (global IT distributor and supply chain services provider)
  • Attack type: Ransomware and extortion
  • Impact: Widespread disruption to distribution, licensing, and ordering systems used by resellers and vendors worldwide. Shipments, transactions, and partner operations were delayed for several days.
  • Attribution: The attack was claimed by the SafePay Ransomware group.

Ingram Micro suffered a ransomware attack that forced the company to take multiple core systems offline. The SafePay ransomware group infiltrated Ingram Micro’s network in early July, stealing 3.5 TB of sensitive data and encrypting systems. The attack triggered a multi-day global outage of Ingram’s core distribution platforms.

Threat actor card of SafePay Ransomware

The outage affected its global distribution platforms, including systems used for product ordering, licensing, and partner integrations. Because Ingram Micro sits at the center of the technology supply chain, the disruption quickly affected downstream resellers, managed service providers, and vendors until systems were gradually restored.

3. Salesforce-Related Data Breaches Affecting Multiple Companies

  • Date of incidents: July–August 2025 (public disclosures in late August)
  • Affected platforms: Salesforce (Service Cloud, connected apps, OAuth integrations)
  • Attack type: SaaS supply chain abuse via credential theft, social engineering, and OAuth token misuse
  • Impact: The campaign targeted multiple high-profile companies across sectors (technology, retail, luxury, aviation, insurance). Threat actors claimed to have compromised data from 91 organizations. Attackers gained API-level access and exported large volumes of Salesforce records.
  • Attribution: Activity linked to ShinyHunters and Scattered Spider.

Telegram post of a threat actor collective. As 2025 progressed, reporting increasingly described collaboration between Scattered Spider actors and ShinyHunters as operating in a looser collective named Scattered LAPSUS$ Hunters.

Multiple organizations disclosed unauthorized access to Salesforce environments during July and August 2025. Attackers did not exploit Salesforce infrastructure directly. Instead, they abused trusted access paths, including stolen credentials, social engineering, and compromised third-party integrations. The intrusions relied on voice phishing and abuse of Salesforce Connected Apps.

Attackers posed as internal IT staff and called employees, urging them to complete “urgent” troubleshooting steps. Victims were directed to Salesforce’s app authorization page and asked to enter a connection code provided during the call. By entering the code, victims unknowingly approved a malicious OAuth application controlled by the attackers, often a trojanized version of Salesforce’s Data Loader or an app disguised with legitimate-sounding names.

4. Salesloft-Drift OAuth Token Theft (Downstream Impact Across Salesforce Customers)

  • Date of incident: Aug 8–18, 2025 (campaign window; reported publicly in late August and September)
  • Affected vendors/platforms: Salesloft Drift integration and downstream Salesforce customer instances
  • Attack type: SaaS supply chain abuse via stolen OAuth tokens tied to a trusted third-party integration
  • Impact: Unauthorized access to Salesforce data at scale through API access enabled by compromised tokens. More than 700 organizations across diverse sectors were affected.
  • Attribution: Attributed to a threat actor tracked as UNC6395.

The campaign began in early August 2025, when UNC6395 gained unauthorized access to OAuth tokens issued by the Drift chatbot. These tokens enabled Drift to connect to customer systems, most notably Salesforce, on behalf of users. By stealing them, attackers inherited trusted access and bypassed standard login controls.

The breach was first believed to affect only Salesforce. On August 20, Salesloft revoked all Drift tokens and removed the app from the Salesforce marketplace. On August 28, the Google Threat Intelligence Group (GTIG) confirmed that the compromise had extended further. Tokens tied to other Drift integrations, including Google Workspace (Drift Email), Slack, and cloud storage services, were also stolen.

Attackers stole trusted OAuth tokens at the integration layer, reused them via APIs, and accessed CRM and email data across multiple customer organizations without exploiting Salesforce itself.

Why are there so many seemingly related breaches around Salesforce environments?

Several 2025 incidents clustered around Salesforce because it sits at the center of sales and support workflows and is widely connected to third-party apps like Salesloft and Drift. These apps often have broad OAuth permissions, which attackers exploited through social engineering and vishing to steal access tokens. Once obtained, the tokens acted as reusable keys, enabling API access to CRM data without normal logins or MFA.

Salesforce data is especially valuable, as it includes customer contacts, case histories, and internal notes that support phishing, fraud, and extortion. The TransUnion breach, which affected 4.4 million people, showed how compromise of a connected environment can scale quickly. Later activity involving Gainsight reinforced the same pattern. Together, over-trusted integrations and token theft created a domino effect across connected companies, making separate breaches appear closely related.
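The three Salesforce-related patterns above (a user approving an attacker-controlled connected app through a "connection code", a stolen integration token reused via the API, and the resulting bulk data export) all leave traces in SaaS audit data. The script below is an added example, not SOCRadar's code and not a Salesforce product feature: it runs simple correlation rules over constructed event records. The event schema, the approved-app allowlist, the vendor egress ranges and the thresholds are all assumptions chosen for illustration, and the record layout is a simplified stand-in rather than Salesforce's real EventLogFile format.

```python
"""Detection rules for connected-app / OAuth-token abuse over SaaS audit events.

Added example (not the page's or Salesforce's own code). The event schema
below is a constructed simplification, NOT a real EventLogFile layout.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlist: integrations the organisation approved, mapped to the
# egress ranges the vendor documents. Values are constructed placeholders.
APPROVED_APPS = {
    "drift-integration": [ip_network("203.0.113.0/24")],
    "gainsight-connector": [ip_network("198.51.100.0/24")],
}
AUTH_TO_EXPORT_WINDOW = timedelta(hours=2)  # new app followed by export within 2h
EXPORT_ROW_THRESHOLD = 50_000               # rows per export we treat as "bulk"

# Constructed sample events (not real telemetry). Event types used:
#   APP_AUTHORIZED : a user approved a connected app (the "connection code" step)
#   API_EXPORT     : a data export performed through an app's OAuth token
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T09:02:00", "user": "alice", "type": "APP_AUTHORIZED",
     "app": "salesforce-dataloader-support", "ip": "192.0.2.10", "rows": 0},
    {"ts": "2025-08-12T09:40:00", "user": "alice", "type": "API_EXPORT",
     "app": "salesforce-dataloader-support", "ip": "192.0.2.10", "rows": 120_000},
    {"ts": "2025-08-12T10:00:00", "user": "svc-drift", "type": "API_EXPORT",
     "app": "drift-integration", "ip": "203.0.113.7", "rows": 300},
    {"ts": "2025-08-13T03:15:00", "user": "svc-drift", "type": "API_EXPORT",
     "app": "drift-integration", "ip": "198.18.5.5", "rows": 80_000},
]


def detect(events):
    """Return (rule, user, app) findings for the abuse patterns described above."""
    findings = []
    authorized_at = {}  # (user, app) -> time of the most recent authorization
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, app, ip = ev["user"], ev["app"], ip_address(ev["ip"])
        approved = app in APPROVED_APPS
        if ev["type"] == "APP_AUTHORIZED":
            authorized_at[(user, app)] = ts
            if not approved:
                # Rule 1: a connected app nobody vetted was just granted access.
                findings.append(("unapproved_app_authorized", user, app))
        elif ev["type"] == "API_EXPORT":
            if approved:
                # Rule 2: a trusted integration's token used from outside the
                # vendor's documented egress range (token reuse from elsewhere).
                if not any(ip in net for net in APPROVED_APPS[app]):
                    findings.append(("approved_app_unexpected_ip", user, app))
            else:
                auth_ts = authorized_at.get((user, app))
                recent = auth_ts is not None and ts - auth_ts <= AUTH_TO_EXPORT_WINDOW
                if recent and ev["rows"] >= EXPORT_ROW_THRESHOLD:
                    # Rule 3: fresh authorization immediately followed by a
                    # bulk export is the vishing -> Data Loader pattern.
                    findings.append(("bulk_export_after_new_app", user, app))
                else:
                    findings.append(("export_via_unapproved_app", user, app))
    return findings


if __name__ == "__main__":
    for rule, user, app in detect(SAMPLE_EVENTS):
        print(f"{rule:32} user={user:10} app={app}")
```

Against the sample events the rules fire three times: the unvetted "Data Loader" look-alike being authorized, the 120,000-row export 38 minutes later through that same app, and the approved Drift integration's token being used from an address outside its expected range. In a real deployment the allowlist and egress ranges would come from the organisation's integration inventory, and the events from the platform's audit log export.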

SOCRadar Supply Chain Intelligence, Third-Party Companies

5. 2025 npm Ecosystem Supply Chain Attacks (Nx / s1ngularity, Shai-Hulud, Maintainer Hijacks, Chalk/Debug)

  • Date range: August–September 2025
  • Affected ecosystem: npm (JavaScript open-source packages used across CI/CD and production apps)
  • Attack type: Software supply chain attacks via malicious package releases, CI/CD abuse, and maintainer account compromise
  • Impact: Credential theft, exposure of private repositories, and risk to downstream applications at scale due to high-download packages and trusted dependencies.
  • Attribution: Multiple, separate actors; not a single coordinated campaign

Between late summer 2025 and early fall 2025, multiple distinct attacks targeted the npm ecosystem. In the Nx / “s1ngularity” incident, attackers published malicious Nx package versions that stole developer secrets and exfiltrated them via attacker-created GitHub repositories, followed by automated exposure of victims’ private repos. Separately, maintainer hijack campaigns employed phishing and account takeover tactics to distribute malicious updates to popular packages.

The Shai-Hulud campaign was a broader, automated compromise affecting numerous packages and accounts. The Chalk/Debug package compromise demonstrated how attackers could exploit long-trusted, high-usage libraries to distribute malicious code.

While these incidents were not coordinated, they shared a common outcome: the abuse of npm’s trust model to reach a large downstream audience.

6. Miljödata Ransomware Supply Chain Incident (Swedish Municipalities)

  • Date of incident: Late August 2025 (incident onset reported around the Aug 23 weekend)
  • Affected organization: Miljödata (HR and case-management software provider for Swedish municipalities)
  • Attack type: Ransomware and data exfiltration targeting a third-party service provider
  • Impact: Disruption across hundreds of public-sector customers, including municipalities and government-linked organizations. HR systems handling employee data, medical certificates, and case records were taken offline. Stolen data was later leaked, affecting both public entities and private companies that relied on Miljödata’s services.
  • Attribution: The attack was claimed by the DataCarry ransomware group.

Miljödata was hit by a ransomware attack that compromised its cloud-hosted HR platforms used by a large share of Sweden’s municipalities. Because the vendor operated as a shared service provider, the incident immediately spread downstream, forcing numerous public-sector organizations to suspend HR and administrative processes. The case highlighted how a single vendor breach can cascade across government customers when critical services are centralized.

Alleged data leaked on the data leak site (DLS) of the threat actor and subsequently on hacker forums.

The compromise had a far-reaching impact, forcing over 200 Swedish municipalities (including Stockholm) to take critical HR and payroll systems offline. At least 25 private companies were affected. Local governments were unable to process employee health data or salary documentation, resulting in administrative chaos. A Swedish civil contingency agency reported approximately 70 incident notices from affected entities. By mid-September, DataCarry had leaked Miljödata’s stolen dataset on the Dark Web, roughly 870,000 unique records including names, contact information, government IDs, dates of birth, employee IDs, and confidential HR details.

7. Oracle E-Business Suite Zero-Day Exploitation and Extortion Campaign (CVE-2025-61882)

  • Date of incident: Intrusion activity observed from July 2025, exploitation as early as Aug 9, 2025, and a high-volume extortion wave in early October 2025
  • Affected technology: Oracle E-Business Suite (EBS)
  • Attack type: Zero-day exploitation leading to data theft and extortion (CL0P)
  • Impact: Large-scale targeting of EBS customer environments, with confirmed data exfiltration in some cases and extortion emails sent to executives.
  • Attribution: CLOP/CL0P Ransomware

Details of CVE-2025-61882 (SOCRadar Labs, CVE Radar)

Attackers exploited CVE-2025-61882 against Oracle EBS customer environments for weeks, then shifted into a branded extortion phase. The threat actor ran intrusion activity, stole data from some victims, and later sent high-volume extortion emails threatening the public release of the stolen information. Oracle confirmed that customers had received extortion emails and advised them to upgrade and apply updates, while national cyber agencies issued alerts urging immediate mitigation.

Cl0p’s extortion email (Source: Google Mandiant)

8. F5 BIG-IP Source Code Theft: A Potential Supply Chain Disaster

  • Date of incident: Intrusion detected in August 2025; public disclosure in October 2025
  • Affected organization: F5
  • Attack type: Data theft and long-term unauthorized access (suspected espionage-oriented intrusion)
  • Impact: Theft of BIG-IP source code and information related to undisclosed vulnerabilities. While no customer environments were directly breached, the exposure increased the risk of future exploit development against widely deployed BIG-IP systems.
  • Attribution: F5 stated that the activity was consistent with a nation-state-linked threat actor; however, no specific group was publicly named.

F5 disclosed that nation-state actors maintained unauthorized access to its internal systems and exfiltrated sensitive materials, including portions of BIG-IP source code. Although no immediate customer breaches were confirmed, the incident posed a significant supply chain risk. BIG-IP is widely deployed across enterprise and government environments, and access to its source code and vulnerability details could enable the development of future exploits. The breach highlighted how compromise of a core infrastructure vendor, even without direct customer impact, can represent a potential supply chain disaster.

9. Shai-Hulud and Shai-Hulud 2.0 npm Worm Campaigns

  • Date of incidents: September–October 2025
  • Affected ecosystem: npm (JavaScript open-source packages and developer accounts)
  • Attack type: Worm-like software supply chain attacks with automated propagation
  • Impact: Compromise of hundreds of npm packages and developer accounts, creating downstream risk for applications consuming affected dependencies through normal update workflows.
  • Attribution: Tracked by vendors and government advisories as the Shai-Hulud campaigns; no single actor publicly confirmed.

Campaign illustration (created by Gemini)

The Shai-Hulud campaign represented one of the most automated npm supply chain attacks observed in 2025. Attackers compromised developer accounts and published malicious packages designed to self-propagate, allowing access and credentials to spread rapidly across the ecosystem. Public advisories warned that the activity could cascade quickly due to npm’s dependency model and widespread package reuse.

Although Shai-Hulud activity falls within the broader npm ecosystem supply chain attacks discussed earlier, its worm-like behavior, scale, and follow-on “Shai-Hulud 2.0” phase set it apart. Later reporting showed adapted techniques continuing after initial disruption efforts, reinforcing why the campaign warranted separate treatment. Together, these phases demonstrated how supply chain attacks can shift from targeted compromise to automated, ecosystem-wide propagation.
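Both npm entries on this list (the Nx / maintainer-hijack / Chalk and Debug compromises in item 5 and the Shai-Hulud worm phases here) reached victims through ordinary dependency installs, so the practical defensive check is an offline audit of what a lock file actually pins. The script below is an added example, not SOCRadar's code and not an npm feature: it parses a lockfileVersion 3 `package-lock.json`, compares each pinned version against a denylist of affected versions, and flags packages resolved from outside the expected registry, entries without an `integrity` hash, and packages that declare install-time lifecycle scripts (a common execution point for malicious releases). The lock file, the manifests and the denylist entries are constructed placeholders; the real affected versions must be taken from the relevant advisories.

```python
"""Offline audit of an npm lock file for supply chain red flags.

Added example (not the page's or npm's own code). The lock file, manifests
and denylist below are CONSTRUCTED; the "compromised" versions are
placeholders, not the versions involved in the 2025 campaigns.
"""
import json

# Placeholder denylist {package: {affected versions}}; real entries come from
# advisory feeds. These values are invented for the example.
COMPROMISED_VERSIONS = {
    "example-left-pad": {"9.9.9"},
    "example-color-lib": {"2.0.1", "2.0.2"},
}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"
RISKY_SCRIPTS = ("preinstall", "install", "postinstall")  # npm lifecycle hooks

# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by path).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-color-lib": "^2.0.0"}},
        "node_modules/example-color-lib": {
            "version": "2.0.2",
            "resolved": "https://registry.npmjs.org/example-color-lib/-/example-color-lib-2.0.2.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/example-color-lib/node_modules/example-left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/example-left-pad/-/example-left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/example-internal-tool": {
            "version": "0.1.0",
            "resolved": "https://mirror.example.net/example-internal-tool-0.1.0.tgz",
        },
    },
})

# Constructed package.json manifests, as read from node_modules/<name>/package.json.
SAMPLE_MANIFESTS = {
    "example-color-lib": {"name": "example-color-lib", "version": "2.0.2",
                          "scripts": {"postinstall": "node setup.js"}},
    "example-left-pad": {"name": "example-left-pad", "version": "1.3.0"},
    "example-internal-tool": {"name": "example-internal-tool", "version": "0.1.0",
                              "scripts": {"test": "node test.js"}},
}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (segment after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lock(lock_text, manifests):
    """Return (finding, package, version) tuples for every red flag in the lock file."""
    findings = []
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name, version = package_name(path), meta.get("version", "")
        if version in COMPROMISED_VERSIONS.get(name, set()):
            findings.append(("known_compromised_version", name, version))
        if not meta.get("resolved", "").startswith(TRUSTED_REGISTRY):
            findings.append(("untrusted_registry", name, version))
        if "integrity" not in meta:
            findings.append(("missing_integrity", name, version))
        scripts = manifests.get(name, {}).get("scripts", {})
        if any(hook in scripts for hook in RISKY_SCRIPTS):
            findings.append(("install_script", name, version))
    return findings


if __name__ == "__main__":
    for finding, name, version in audit_lock(SAMPLE_LOCK, SAMPLE_MANIFESTS):
        print(f"{finding:26} {name}@{version}")
```

On the constructed input this reports the pinned `example-color-lib@2.0.2` both as a denylisted version and as a package with a `postinstall` hook, and `example-internal-tool@0.1.0` as resolved from a non-registry mirror with no integrity hash; the nested `example-left-pad@1.3.0` is clean. Running it in CI against the real `package-lock.json` and `node_modules/*/package.json` files, with the denylist fed from advisory data, gives a gate that does not depend on the package's own install scripts having already run.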

10. Gainsight Salesforce Connected App Incident

  • Date of incident: November 2025
  • Affected organization: Gainsight (Salesforce AppExchange partner)
  • Attack type: Abuse of trusted Salesforce Connected App and OAuth tokens
  • Impact: The impact may include exposure of customer and activity data stored in Salesforce through Gainsight. Gainsight confirmed attackers used valid OAuth tokens and made API calls from unexpected locations, rather than brute-forcing accounts. Because Gainsight is widely used, the impact scaled quickly, with over 200 Salesforce organizations reportedly affected.
  • Attribution: The incident was claimed by the threat group described as Scattered LAPSUS$ Hunters.

Threat actor card of Scattered Lapsus$ Hunters

Salesforce disclosed that it identified unusual behavior involving Gainsight-connected applications and took action by disabling the affected integrations and revoking the associated tokens. While public reporting did not confirm large-scale data theft, the response highlighted the same supply chain risk observed earlier in the year: third-party apps with broad permissions can serve as an entry point into customer Salesforce environments.

Telegram post announcing the supposedly forthcoming data leak site (DLS)

While threat actors publicly claimed responsibility and announced a planned leak timeline, no independently verified large-scale data dump tied specifically to Gainsight has been observed in public sources to date, and no confirmed follow-through by the actors has been reported.

Conclusion

The attacks of 2025 share one critical lesson: your security is only as strong as your weakest vendor.

Whether through stolen OAuth tokens, compromised npm packages, or ransomware targeting shared platforms, attackers exploited trust without verification. Traditional vendor assessments, such as annual questionnaires and compliance checklists, cannot defend against threats that evolve in real time. The Salesloft-Drift breach affected 700+ organizations through a single compromised integration. The npm campaigns propagated faster than teams could respond. Shared infrastructure created shared risk.

Defense requires a new approach:

  • Continuous monitoring of SaaS integrations, dependencies, and vendor security postures
  • Threat-informed prioritization that correlates active exploits with your specific exposures
  • Automated detection of anomalous OAuth activity, suspicious packages, and vendor compromises

SOCRadar Supply Chain Intelligence, Comprehensive Risk Assessment Reporting

SOCRadar’s Supply Chain Intelligence module delivers real-time visibility into third-party risks and emerging threats across your digital supply chain. Combined with Attack Surface Management and Digital Risk Protection, it provides comprehensive defense for your extended enterprise.

Every organization is part of someone else’s supply chain. Those that invest in continuous intelligence and proactive monitoring won’t just prevent breaches, they’ll set the standard for trust in the digital economy.