A (partial) history of software supply chain attacks
2024-01-16 23:30 Author: securityboulevard.com


The widespread campaign of software supply chain hacks that was behind the attack on SolarWinds began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is real.

However, if you are thinking of supply chain threats and attacks as a new problem plaguing software producers and their customers, you are wrong. In fact, software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they now receive.

Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is — of course — incomplete. First, it is likely that there have been supply chain attacks whose details have not been made public. Second, these attacks are happening all the time, so any accounting of software supply chain attacks is out of date as soon as it is written. Finally, opinions on what constitutes a software supply chain attack differ from expert to expert.


A chronology of software supply chain attacks

Below is a list of known (documented, reported) attacks involving compromises of software supply chains, from latest to oldest.

This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Paul Roberts. Read the original post at: https://www.reversinglabs.com/blog/a-partial-history-of-software-supply-chain-attacks

Article source: https://securityboulevard.com/2024/01/a-partial-history-of-software-supply-chain-attacks-2/