The cyber threat no one sees coming

 

Hidden supply chain dependencies have become the weakest link in security, despite improvements in frontline defences such as MFA, EDR, segmentation, and zero trust. In 2025, the main difference is scale: AI-driven development, automated code reuse and rapid integration of third-party modules mean most companies rely on thousands of components they do not control or fully understand. This has created a vast, mostly hidden attack surface that security teams can no longer ignore.

 

 The vast majority – 96 per cent – of open-source downloads contain known vulnerabilities, according to Sonatype’s 2024 State of the Software Supply Chain report. The risk is escalating as organisations adopt AI tools that accelerate code generation but bypass security reviews. GitHub’s Octoverse report further found that modern applications rely on dozens of transitive dependencies for every direct one, amplifying exposure each time an unseen maintainer pushes an update.

 

Attackers know this better than anyone. In 2024 and 2025, security researchers found several campaigns where attackers uploaded fake packages that closely copied real libraries, sometimes changing just one letter. These “typosquatting” attacks increased on npm, PyPI, and RubyGems. Checkmarx researchers found over 1,000 malicious packages uploaded in just a few months, many aimed at financial institutions and crypto exchanges

 

Faster AI development is creating deeper, harder-to-detect software risks

 

The problem is getting worse as AI tools change how software is built. Developers now often use automated code-suggestion systems, which can accidentally suggest libraries that are vulnerable or no longer maintained. A Stanford study found that programmers using AI coding assistants were more likely to add insecure dependencies, partly because these tools focus on making things work rather than on security.

 

Unlike traditional vulnerabilities, supply chain failures can go unnoticed for months. Attackers take advantage of the huge number of dependencies: if one library is compromised, it can affect thousands of applications. The XZ Utils backdoor found in early 2024 was a major warning. This backdoor was planted over several years and spread through Linux distributions worldwide before a single engineer noticed “odd performance issues” in SSH logins

 

The situation is even more complicated because of the abandonment crisis. The Linux Foundation says about 70 per cent of open-source projects are maintained by just one or two unpaid volunteers. This leaves important components unsupported and open to attack.

 

In several cases between 2023 and 2025, attackers offered to help maintain neglected libraries, then later added malicious updates that were used by thousands of downstream users.

 

To address this, organisations need to make dependency visibility a key part of their cyber-security practices. Software Bills of Materials (SBOMs), now required by US federal supply chain rules, help track what organisations rely on, but they need to be updated regularly. Tools such as OSV-Scanner, Snyk, DependencyTrack and GitHub Dependabot can help automate vulnerability checks across large codebases.

 

However, tools are not enough. Security teams need to set strict rules for third-party code, such as version pinning, required security reviews before adding new libraries, automated policy checks and monitoring key maintainers. AI governance is also important. Organisations should ensure their coding assistants use trusted sources rather than random repositories where attackers might upload fake packages.

 

The supply chain blind spot is already being widely exploited in 2025. Every new dependency, AI-generated suggestion or outdated library increases organisational exposure. The crucial question for security leaders is not whether they use vulnerable components, but whether they even know which ones their organisation relies on.

 

Until supply chain visibility becomes a standard practice, attackers will continue to operate in the shadows of our dependencies, taking advantage of trust where organisations least expect it.