Looking back at 2025, the methods behind several of the year's largest software supply chain attacks point to failures in open-source software, cloud services, and third-party integrations. These incidents raise the question of how sophisticated attackers have become and how urgently businesses must adjust their security plans. The breaches that shook the industry, such as the Oracle Cloud breach and the GitHub Actions compromise discussed below, have made SBOMs and ZTAs more relevant; but are those security measures effective?
Among the more notorious breaches was the Oracle Cloud incident, in which threat actors leveraged a previously unknown vulnerability to exfiltrate 6 million records belonging to roughly 140,000 tenants. The data was then listed for sale on dark web forums, raising questions about the security of major cloud infrastructure providers.
Another alarming incident involved GitHub Actions, where the popular third-party action tj-actions/changed-files was compromised. The attack, tracked as CVE-2025-30066, exposed sensitive access keys and credentials, demonstrating how risky it is to rely on third-party automation tools in software development.
The Holt Group breach also highlighted supply chain weaknesses. The construction and equipment giant reported a leak of data on 12,455 people, with sensitive material such as government IDs and financial information falling into the wrong hands.
Government agencies were not spared either. A cyberattack on the US Treasury Department, attributed to Chinese state actors, was blamed on weaknesses in a remote computer support product, demonstrating the risk that third-party software dependencies pose to critical infrastructure.
At the same time, telecom company TalkTalk was in crisis management mode after a hacker claimed to be selling records of 18 million customers, including names, email addresses, and phone numbers. Although no financial information was reportedly compromised, the incident stoked controversy about whether consumer data is being adequately protected.
A closer look at these breaches reveals a discernible pattern: attackers are now more focused on open-source libraries, cloud systems, and automated software pipelines. Cybersecurity reports indicate that supply chain attacks grew by 12 percent in 2025, with attackers using compromised libraries and malicious code injected into popular software packages.
A particularly troubling trend is the targeting of AI and cryptocurrency-related applications. As companies race to integrate AI-driven automation and digital assets into their ecosystems, attackers are exploiting gaps in these emerging technologies to infiltrate sensitive environments.
In response to these evolving threats, organisations have doubled down on Software Bills of Materials (SBOMs) and Zero-Trust Architectures (ZTA) as key defence mechanisms.
An SBOM is an inventory of every component that goes into a piece of software, allowing firms to identify vulnerable components in real time. Although regulatory agencies have been recommending broader use of SBOMs, many organisations still struggle with implementation because of the absence of standardised frameworks and automated tooling.
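To illustrate the kind of check an SBOM makes possible, the following Python (an added example, not code from the article) matches a constructed CycloneDX-style SBOM against a constructed advisory list; the package names, advisory IDs and version ranges are all invented for the demonstration.

```python
import json
# Constructed CycloneDX-style SBOM (illustrative data, not from any real project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-parser", "version": "2.3.1", "purl": "pkg:npm/example-parser@2.3.1"},
    {"type": "library", "name": "example-http", "version": "1.8.0", "purl": "pkg:pypi/example-http@1.8.0"},
    {"type": "library", "name": "example-auth", "version": "4.0.2", "purl": "pkg:npm/example-auth@4.0.2"}
  ]
}"""

# Constructed advisory feed: affected range is [introduced, fixed); fixed=None means no patched release yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "npm", "package": "example-parser", "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "pypi", "package": "example-http", "introduced": "1.0.0", "fixed": "1.7.5"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "npm", "package": "example-auth", "introduced": "3.0.0", "fixed": None},
]

def parse_version(v):
    """Order dotted numeric versions as tuples: '1.8.0' -> (1, 8, 0)."""
    return tuple(int(p) for p in v.split("."))

def parse_purl(purl):
    """Split 'pkg:<type>/<name>@<version>' into (ecosystem, name, version); namespaced purls not handled."""
    ecosystem, rest = purl[len("pkg:"):].split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, or version >= introduced with no fix released."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def scan_sbom(sbom_json, advisories):
    """Return (purl, advisory id, fix version) for every component matched by an advisory."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ecosystem, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) == (ecosystem, name) \
                    and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((comp["purl"], adv["id"], adv["fixed"] or "no fix yet"))
    return findings

if __name__ == "__main__":
    for purl, adv_id, fixed in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{purl}: {adv_id} (fixed in {fixed})")
```

The component already above its advisory's fixed version (example-http) produces no finding, while the one with no fix available is flagged so it can be tracked rather than silently ignored.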
Zero-Trust Architecture, based on the ‘never trust, always verify’ paradigm, has gained traction among enterprises. By continuously authenticating users and devices, ZTA greatly reduces the attack surface. Its effectiveness, however, depends on consistent policy enforcement and smooth integration into an organisation's digital ecosystem.
While SBOMs and ZTA add layers of security, no single solution can be guaranteed against the fast-moving nature of cyber threats. Attackers are making greater use of AI-based attacks, deepfake phishing, and automated exploitation tools to bypass conventional defences. This raises serious questions about the need for AI-based security solutions and real-time threat intelligence sharing across industries.
Additionally, regulatory loopholes are an urgent problem. Governments and industry associations need to move faster in defining clear cybersecurity compliance rules, especially for software supply chain security. Absent strong enforcement, organisations are likely to keep deferring essential security investments until a breach forces their hand.
The high-profile incidents of 2025 have made one thing certain: the software supply chain remains a profitable target for cybercriminals. As businesses and governments rush to shore up their defences, the next few years will see more money spent on automated security tools, AI-powered threat detection, and more stringent supply chain risk management frameworks. For companies, the lesson is simple: active defence is no longer optional. Rolling out SBOMs, adhering to Zero-Trust principles, and adopting forward-looking security advances will be essential to staying one step ahead of the coming tide of cyber threats.