Supply Chain Security

Software Supply Chain Attacks Tripled in 2021: Study

2021 can be described as the year of the software supply chain attack – the year in which SolarWinds opened the world’s eyes, and the extent of the threat became apparent.


Apart from SolarWinds, other major attacks included Kaseya, Codecov, ua-parser-js and Log4j. In each case, the attraction for the attacker is that a single breach, compromise or vulnerability in distributed code can lead to multiple – even thousands – of victims.

Following a six-month analysis of customer security assessments conducted by Argon (an Aqua Security company), the 2021 Software Supply Chain Security Report highlights the primary areas of criminal focus: open-source vulnerabilities and poisoning; code integrity issues; and exploiting the software supply chain process and supplier trust to distribute malware or backdoors.

The common factor is open-source software – a source of code that is often inherently trusted and used automatically by in-house system developers.

“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing,” comments Eran Orzel, a senior director at Argon. “Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks. Add to that the fact that to address this attack vector AppSec teams need cooperation from development and DevOps teams, and you can understand why this is a tough challenge to overcome.”

Argon’s analysis highlights three primary problem areas: vulnerabilities in open-source applications, compromised pipeline tools, and code/artifact integrity.

Attacks on vulnerable applications take two forms: exploiting vulnerabilities in applications that are already widely distributed and installed, and poisoning packages at source so that the malicious version is what users download. A 2021 example of the former is the Log4j (Log4Shell) attacks; an example of the latter is the ua-parser-js package poisoning.


The second attack vector is compromised pipeline tools. “It enables attackers to change code or inject malicious code during the build process and tamper with the application (as was the case of SolarWinds),” says the report (PDF). “Attackers also use compromised package registries to upload compromised artifacts instead of legitimate ones. In addition, there are dozens of external dependencies connected to the pipeline that can be used to access it and launch attacks,” such as the Codecov attack.

The third risk area identified by the researchers is the upload of bad code to source code repositories. This impacts the artifact quality and security posture. In its research, the report notes, “In many cases, the number of issues discovered was overwhelming and required dedicated cleanup projects to reduce exposure, such as secret cleaning, standardizing container images, and other activities.”
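The artifact-integrity control that the second and third risk areas point at can be made concrete. The following is an added example, not code from Argon's report or from Aqua's products: it audits a pip-style lockfile in the `name==version --hash=sha256:...` format that `pip-compile --generate-hashes` emits, and accepts a downloaded artifact only if its digest matches the pin. A package swapped on a compromised registry, a dependency pinned without a hash, and an unpinned dependency that would resolve to whatever the registry serves all fail the audit. The package names, digests and artifact bytes below are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Added example, not Argon's or Aqua's tooling. A lockfile pins
# name==version plus a digest; an artifact is trusted only if its
# digest matches the pin. Only strong digests are accepted, which is
# also what pip's --require-hashes mode allows.
SUPPORTED_ALGORITHMS = {"sha256", "sha384", "sha512"}

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_requirements(text):
    """Return (pins_by_name, problems). A requirement that is not pinned to an
    exact version, or is pinned without any hash, is recorded as a problem
    rather than silently accepted."""
    pins, problems = {}, {}
    for line in _logical_lines(text):
        m = PIN_RE.match(line)
        if not m:
            name = re.split(r"[<>=!~\s]", line, 1)[0].lower()
            problems[name] = "unpinned"
            continue
        pin = Pin(m["name"].lower(), m["version"])
        for h in HASH_RE.finditer(line):
            pin.hashes.setdefault(h["alg"].lower(), set()).add(h["digest"].lower())
        if not pin.hashes:
            problems[pin.name] = "no-hash"
            continue
        pins[pin.name] = pin
    return pins, problems


def verify_artifact(pin, data):
    """True only if the artifact's digest matches one of the pinned digests
    under a supported algorithm. Weak or unknown algorithms never verify."""
    for alg, digests in pin.hashes.items():
        if alg not in SUPPORTED_ALGORITHMS:
            continue
        if hashlib.new(alg, data).hexdigest() in digests:
            return True
    return False


def audit(requirements_text, artifacts):
    """Map every requirement to a verdict: ok, hash-mismatch, missing-artifact,
    no-hash or unpinned. Anything other than ok should fail the build."""
    pins, verdicts = parse_requirements(requirements_text)
    for name, pin in pins.items():
        data = artifacts.get(name)
        if data is None:
            verdicts[name] = "missing-artifact"
        elif verify_artifact(pin, data):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash-mismatch"
    return verdicts


# Constructed lockfile in the format `pip-compile --generate-hashes` emits.
# The digests are sha256("abc") and sha256("") so the example is self-checking.
SAMPLE_REQUIREMENTS = """\
requests==2.27.1 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
urllib3==1.26.8 \\
    --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
pyyaml>=5.4
"""

# Constructed stand-ins for downloaded wheels: the first matches its pin, the
# second is a "poisoned" artifact whose digest no longer matches.
SAMPLE_ARTIFACTS = {
    "requests": b"abc",
    "urllib3": b"poisoned release uploaded by an attacker",
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_REQUIREMENTS, SAMPLE_ARTIFACTS).items()):
        print(f"{name:12s} {verdict}")
```

pip enforces the same rule natively with `pip install --require-hashes -r requirements.txt`, which refuses any requirement that lacks a hash or whose download does not match. The caveat a practitioner should keep in mind is that a hash pin only freezes trust at the moment the lockfile was generated: if the package was already poisoned when `pip-compile` fetched it, the lockfile faithfully pins the malicious artifact, so hash pinning has to be paired with review of what changed when the lockfile is regenerated.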

Overall, Argon believes that the number of software supply chain attacks tripled in 2021 compared to 2020. This has not gone unrecognized. The May 2021 Biden executive order on improving the nation's cybersecurity (EO 14028) names software supply chain security as an area of concern. More recently, on January 13, 2022, a White House summit involving representatives of the U.S. government and major tech companies discussed open source software security.

The success of open-source software supply chain attacks in 2021 makes it almost certain that it will remain an important part of criminal activity – for both criminal gangs and nation-state actors – throughout 2022. “We should expect this trend to accelerate in the frequency and sophistication of supply chain attacks,” warns the report.

Argon recommends that security teams and DevSecOps practitioners work together to define and execute a security strategy and initiatives that account for the risks inherent in the software supply chain. “They must bolster the security of their development environments to better protect their application infrastructure, processes, and deployed software to be ready for the next wave of these advanced attacks,” it says.

Aqua Security acquired Argon on December 1, 2021.

Related: Cyber Insights 2022: Supply Chain

Related: Cybersecurity Firms Partner on Open Source Security Technology Development

Related: Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Related: Library Dependencies and the Open Source Supply Chain Nightmare

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
