A digital supply chain dashboard showing a vendor compromise cascading across connected systems.

Technical Insights

What SOCRadar’s Top 10 Supply Chain Attacks of 2025 Reveals About Connected Operations

SOCRadar’s January 2026 roundup of 2025 supply chain attacks shows how vendor compromise, token theft, and package abuse can cascade into outages, data loss, and operational disruption.


SOCRadar published its Top 10 Supply Chain Attacks of 2025 roundup on January 6, 2026. The piece looks across incidents that affected retailers, distributors, SaaS platforms, open-source ecosystems, public sector vendors, and infrastructure software, showing how a single upstream compromise can ripple through many downstream organizations.

This is not a single-breach postmortem. It is a pattern report. The article connects incidents such as the UK retail attacks, the Ingram Micro ransomware outage, Salesforce-related breaches, the Salesloft-Drift token theft, the npm ecosystem attacks, Miljödata’s ransomware event, the Oracle E-Business Suite exploitation campaign, the F5 source code theft, the Shai-Hulud npm worms, and the Gainsight connected app incident.

The common thread is trust. Attackers did not need to break every target directly. They abused trusted integrations, shared platforms, package distribution, and identity pathways so that one compromise could affect many organizations at once.

For security and operations leaders, the business problem is clear: supply chain risk is now an availability and workflow problem as much as a security problem. SOCRadar notes that third-party-linked breaches have risen sharply, and that supply chain incidents can be far more expensive to remediate than first-party incidents, especially when downtime stalls ordering, logistics, support, or payroll.

The Common Pattern Behind the Incidents

Across the list, the repeated techniques were stolen credentials, social engineering, OAuth abuse, malicious packages, and compromised vendor infrastructure. The Salesforce, Salesloft-Drift, and Gainsight cases are especially important because they show how a trusted integration can become an access path without a conventional login break-in.

The npm incidents tell the same story in software delivery. Once a maintainer account or package release process is compromised, the malicious content travels through normal update workflows and reaches many applications quickly. That makes package integrity and release governance central controls, not optional safeguards.

  • Trusted identity and permissions were abused more often than raw exploit chains.
  • Many downstream victims learned of the issue only after business disruption had already started.
  • A single shared service, package, or distribution platform expanded the blast radius across many organizations.

What Operations Teams Should Change

The practical takeaway is that annual vendor reviews are not enough. Organizations need continuous visibility into integrations, access tokens, package provenance, and vendor exposure, because the threat surface changes between review cycles.

Teams also need alerting that maps technical signals to business impact. If a SaaS connector is compromised, an operations team should be able to see which sites, customers, or workflows depend on it, and which actions require immediate revocation, isolation, patching, or communication.

This is where integrated dashboards and automation matter. When incident data flows into a single operational view, teams can prioritize what to isolate, revoke, patch, or communicate first instead of relying on spreadsheets, ticket queues, and ad hoc email chains.
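One way to make the "which workflows depend on this connector" question answerable from an inventory rather than a spreadsheet, as an added example that is not SOCRadar's or Paw Partners' code: a small dependency graph over constructed integrations, tokens and workflows, queried for the blast radius of a vendor compromise. All vendor, token and workflow names are placeholders.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Integration:
    name: str          # connector name (constructed sample)
    vendor: str        # upstream vendor operating it
    token_id: str      # id of the stored OAuth token / API key
    scopes: frozenset  # granted scopes; write scopes raise urgency

@dataclass(frozen=True)
class Workflow:
    name: str
    owner: str             # team contacted when the workflow is affected
    depends_on: frozenset  # names of integrations or other workflows

# Constructed inventory; every name below is a placeholder, not a real system.
INTEGRATIONS = {i.name: i for i in [
    Integration("chat-connector", "vendor-a", "tok-001", frozenset({"crm.read", "crm.write"})),
    Integration("billing-sync", "vendor-b", "tok-002", frozenset({"invoices.read"})),
    Integration("support-bot", "vendor-a", "tok-003", frozenset({"tickets.read"})),
]}
WORKFLOWS = {w.name: w for w in [
    Workflow("lead-routing", "sales-ops", frozenset({"chat-connector"})),
    Workflow("quote-to-cash", "finance", frozenset({"lead-routing", "billing-sync"})),
    Workflow("ticket-triage", "support", frozenset({"support-bot"})),
    Workflow("nightly-report", "bi-team", frozenset({"quote-to-cash", "ticket-triage"})),
]}

def blast_radius(vendor):
    """Return tokens to revoke (write-capable first) and the transitively
    affected workflows, nearest to the compromised connector first."""
    hit = [i for i in INTEGRATIONS.values() if i.vendor == vendor]
    # Stable sort: connectors holding any *.write scope come before read-only ones.
    revoke = sorted(hit, key=lambda i: not any(s.endswith(".write") for s in i.scopes))
    seen, queue, affected = set(), deque(i.name for i in hit), []
    while queue:  # breadth-first walk from each compromised connector
        node = queue.popleft()
        for w in WORKFLOWS.values():
            if node in w.depends_on and w.name not in seen:
                seen.add(w.name)
                affected.append(w)
                queue.append(w.name)  # downstream workflows depend on this one
    return {
        "revoke": [i.token_id for i in revoke],
        "affected_workflows": [w.name for w in affected],
        "notify": sorted({w.owner for w in affected}),
    }

if __name__ == "__main__":
    print(blast_radius("vendor-a"))
```

In practice the inventory would be populated from the identity provider's list of authorized OAuth apps and the workflow catalogue, and the output fed to the dashboard and paging system rather than printed.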

Why This Matters for Connected Products

For companies building connected devices, platform software, or service tooling, the article is a reminder that reliability depends on the whole chain, not just the endpoint. Firmware updates, cloud APIs, telemetry services, and third-party libraries all need to be treated as part of the product surface.

Paw Partners’ work around electronic prototyping, IoT systems, workflow automation, dashboards, and integration design fits this reality. Systems should be designed so teams can trace dependencies, surface exceptions early, and keep operations running even when a supplier or integration fails.

The main lesson from SOCRadar’s roundup is straightforward: trust needs ongoing verification. Teams that combine monitoring, integration control, and operational automation can reduce both the security risk and the business disruption when a vendor gets compromised.

Source: SOCRadar® Cyber Intelligence Inc., Top 10 Supply Chain Attacks of 2025

Why this matters

Real-world events often expose gaps in visibility, coordination, and system response.

Supply chain security now depends on continuous visibility into vendors, integrations, and update paths. Teams that design for automation and operational awareness can reduce blast radius when trust breaks.
