
In late November 2025, attackers planted the seeds of a software supply chain attack. Starting on Nov. 21, 2025, poisoned versions of otherwise ordinary JavaScript packages began appearing on the npm registry, looking like routine releases but carrying malicious code. The packages, which targeted widely used tools to reach as many organizations as possible, spread undetected for about two days. Then, early on Nov. 24, 2025, they struck. The worm was everywhere: scanning local environments, stealing credentials, publishing them to GitHub, and using them to spread itself so it could do the same thing again. At its peak it was generating roughly 1,000 malicious repositories every half hour, about 33 per minute. By the time the attack was contained, nearly 1,200 organizations had been impacted, 12,000 machines compromised, at least $8.5 million stolen, and tens of thousands of secrets exposed.
It wasn't just small organizations, either. Fortune 500 companies and major governments were affected, and in many cases it took days to revoke the access the malicious code had granted the attackers. So what happened? Why are supply chain attacks still compromising companies through their vendors, and what can procurement do to stop it?
Procurement is better than ever at verifying physical suppliers
When it comes to vetting and monitoring suppliers, procurement teams have made real progress. Most businesses are thorough in how they verify physical suppliers, looking deep into reputation, security and compliance posture, financials, audits, and other areas to build a complete picture of a vendor's risk profile. Agentic AI and more refined platforms are pushing this further still, moving companies toward continuous vetting. Companies take less and less on their vendors' word and put more care into verifying that those vendors can be trusted to deliver. Despite this rigor, procurement teams have room to do more when it comes to software.
Digital vendors get less scrutiny
The problem is that storage and software products and services largely sit outside the procurement workflow, where companies don't exercise the same level of oversight. Businesses typically rely on software and platform vendors' self-reporting for security and stability. Vendors do typically offer strong SLAs, and Tier 1 vendors may have strong auditing practices, but those vendors in turn rely on complex and opaque chains of developers, hosting, service, and maintenance providers whose security practices can't be easily verified.
And while oversight is laxer, the hazards posed by poorly vetted software vendors are usually greater than those posed by physical suppliers. A single physical supplier's failure can lead to costly delays or quality control issues; a digital supply chain attack can bring a whole company to a standstill, compromise IP and customer data, or threaten business continuity outright.
This leaves companies vulnerable to supply chain attacks
The Shai-Hulud 2.0 attack in November 2025 brought this problem into sharp relief. The self-replicating worm worked through npm, the package manager used to install JavaScript libraries and apply routine software updates. npm packages are reusable blocks of code that serve as building blocks for larger software projects, a bit like an I-beam that can be used off the shelf in a range of construction projects. Shai-Hulud 2.0 worked by poisoning npm packages: the malicious code was wired into the package's install-time lifecycle script, so it ran automatically the moment a victim installed or updated the package, with no further action needed. Once running, it scanned the victim's machine for credentials (cloud keys, npm tokens, GitHub tokens) and published them to public GitHub repositories created with the stolen GitHub tokens. The stolen npm tokens let it publish poisoned versions of further packages, spreading the attack, while the other credentials gave the attackers ongoing access to the victim's systems.
We may never know the full cost. The way the worm published stolen secrets also makes it difficult and costly for companies to discover whether they're impacted, since the secrets may surface under personal developer accounts with no obvious link to the organization. And with so much chaos caused by the attack, it's quite possible that attackers used it to steal valuable information or gain elevated access in some environments that will be used against those victims later.
What we do know is that supply chain compromises aren't rare incidents anymore. Gartner predicted that by 2025, 45% of organizations worldwide would have experienced attacks on their software supply chains. And as mass AI adoption introduces a new phase of digital transformation to supply chains, new attack vectors are likely to increase the risk even further.
Supply chain attacks can cripple a company
While Shai-Hulud 2.0 was launched quickly and contained quickly, other supply chain attacks have proceeded slowly and patiently, causing far more damage to particular companies. Settling state lawsuits, legal costs, and remediation alone can cost a retailer millions.
Ransomware delivered through a compromised supplier has shut down port terminals and transportation hubs, forcing companies to fall back to paper-driven processes while they restored their systems.
How procurement can help prevent supply chain attacks
Defending against supply chain attacks is a cross-functional project. Your company should already have processes in place, owned by cybersecurity, privacy, and compliance stakeholders, to evaluate and mitigate digital risks. That covers a wide range of measures, from hardening your own network against intrusions to documenting and minimizing the sensitive information you share with third parties.
What those teams may lack is the expertise to evaluate a vendor's posture beyond the vendor's own attestations. That's where procurement professionals come in, working with the other stakeholders to bring digital vendors into the same vetting and monitoring process as everyone else. Put together a working group to study how the company currently evaluates digital vendors and confirms their compliance. Then compare it to the system you use for physical vendors.
Since digital vendors are often riskier than physical ones, evaluate them to at least the same standards and with at least the same frequency. Monitor their security posture using third-party security ratings. Track reputation, and watch for potentially compromised stakeholders. Where possible, require third-party audits and look into Tier 2 and deeper contractors to spot risks that a vendor's own reporting won't surface. Most importantly, keep the working group running so that vetting practices don't slide. Supply chain attacks use many different tactics, but they all have one thing in common: they prey on complacency.