The Year Supply Chain Security Became a Board-Level Issue
If 2020 ended with SolarWinds as a wake-up call, 2021 was the year that proved it wasn't an isolated incident. Software supply chain attacks increased by over 300% compared to 2020, according to Sonatype's State of the Software Supply Chain report. Every month brought new incidents, new techniques, and new victims.
Here's the complete timeline — and the patterns it reveals.
Q1 2021: The Aftershocks
January 2021: SolarWinds Investigation Deepens
The SolarWinds investigation continued to reveal the scope of compromise. Microsoft confirmed that attackers accessed some of their source code repositories. The U.S. government formally attributed the attack to Russia's SVR (APT29). SolarWinds disclosed that the breach likely began in October 2019 — the attackers had access for over a year before deploying SUNBURST.
February 2021: Dependency Confusion Research Published
Alex Birsan published his dependency confusion research on February 9, demonstrating how internal package names could be exploited through public registries. The research affected Apple, Microsoft, PayPal, Shopify, Netflix, Tesla, and Uber, earning over $130,000 in bug bounties. The technique was immediately replicated by other researchers and, less responsibly, by attackers.
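As an added illustration (not from the original post or Safeguard.sh), a lockfile audit in Python that flags the exposure Birsan described: an internally named package that npm resolved from the public registry instead of the private one. The @acme scope, acme-build-tools and npm.acme.internal are hypothetical names.

```python
import json
from urllib.parse import urlparse

PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}

def audit_lockfile(lock_text, internal_scopes, internal_names, private_hosts):
    """Return (name, version, reason) for each package that should come from
    the private registry but was resolved from somewhere else. Works on the
    'packages' map of an npm lockfile (lockfileVersion 2 or 3)."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":                      # root project entry, not a dependency
            continue
        # 'node_modules/@acme/x' -> '@acme/x'; nested paths keep the last segment
        name = meta.get("name") or path.split("node_modules/")[-1]
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope not in internal_scopes and name not in internal_names:
            continue                        # public package, outside this check
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host in private_hosts:
            continue                        # resolved where it should be
        if host in PUBLIC_REGISTRY_HOSTS:
            reason = "internal name resolved from the public registry"
        else:
            reason = f"internal name resolved from unexpected source {host!r}"
        findings.append((name, meta.get("version"), reason))
    return findings

# Constructed sample lockfile; the @acme scope, acme-build-tools and
# npm.acme.internal are hypothetical.
SAMPLE_LOCK = json.dumps({"name": "acme-web", "lockfileVersion": 3, "packages": {
    "": {"name": "acme-web", "version": "1.0.0"},
    "node_modules/@acme/logger": {"version": "2.1.0",
        "resolved": "https://npm.acme.internal/@acme/logger/-/logger-2.1.0.tgz"},
    "node_modules/@acme/auth-client": {"version": "1.4.2",
        "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-1.4.2.tgz"},
    "node_modules/acme-build-tools": {"version": "3.0.0",
        "resolved": "https://registry.npmjs.org/acme-build-tools/-/acme-build-tools-3.0.0.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
}})

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(
            SAMPLE_LOCK, {"@acme"}, {"acme-build-tools"}, {"npm.acme.internal"}):
        print(f"{name}@{version}: {reason}")
```

Run it against your own package-lock.json in CI and fail the build on any finding; the same check applies to any ecosystem whose lockfile records the resolved URL.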
March 2021: PHP Git Server Compromised
On March 28, attackers compromised the git.php.net server and pushed two malicious commits to the PHP source code repository, disguising them as typo fixes. The commits would have introduced a backdoor in the PHP interpreter. The compromise was detected quickly, and PHP moved to GitHub as its primary repository.
March 2021: Microsoft Exchange ProxyLogon
While not a supply chain attack in the traditional sense, the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) affected Exchange servers globally. Chinese threat actor HAFNIUM exploited these before the patch was available, compromising an estimated 250,000 Exchange servers. The incident highlighted the risk of widely deployed software with critical vulnerabilities.
Q2 2021: The Pipeline Attacks
April 2021: Codecov Bash Uploader Compromise
Disclosed on April 1, the Codecov compromise had been active since January 31. Attackers modified Codecov's bash uploader script to steal environment variables from CI/CD pipelines. Thousands of organizations were affected, including Twitch, HashiCorp, and Monday.com. The attack demonstrated how CI/CD tools are high-value targets with access to credentials and secrets.
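An added example, not the post's or Codecov's own code, of the two controls that blunt this class of attack: pin the uploader's SHA-256 and refuse to run it on a mismatch, and hand a third-party CI script only the environment variables it needs. The script contents and allowlist prefixes are constructed for illustration.

```python
import hashlib
import hmac
import subprocess

def verify_script(script_bytes, pinned_sha256):
    """True only if the downloaded uploader matches the SHA-256 digest pinned
    in the repository. Any modification to the script changes the digest."""
    actual = hashlib.sha256(script_bytes).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())

def minimal_env(environ, allow_names=("PATH", "HOME"), allow_prefixes=("CI_", "CODECOV_")):
    """Environment handed to a third-party CI script: only what it needs,
    so even a modified script cannot read cloud keys or deploy tokens."""
    return {k: v for k, v in environ.items()
            if k in allow_names or k.startswith(allow_prefixes)}

def run_uploader(script_path, pinned_sha256, environ):
    """Gate execution on the digest check and run with the reduced environment.
    Returns the exit status, or None when the script failed verification."""
    with open(script_path, "rb") as fh:
        data = fh.read()
    if not verify_script(data, pinned_sha256):
        return None
    return subprocess.run(["bash", script_path], env=minimal_env(environ), check=False).returncode

# Constructed stand-ins: a harmless script and a copy with one extra line.
GOOD_SCRIPT = b"#!/bin/bash\necho 'uploading coverage report'\n"
TAMPERED_SCRIPT = GOOD_SCRIPT + b"# any change at all, even a comment, breaks the pin\n"
# In a real pipeline this is a literal committed alongside the workflow file and
# updated deliberately when the vendor ships a new uploader version.
PINNED_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()

if __name__ == "__main__":
    print("good script verifies:", verify_script(GOOD_SCRIPT, PINNED_SHA256))
    print("tampered script verifies:", verify_script(TAMPERED_SCRIPT, PINNED_SHA256))
```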
May 2021: Colonial Pipeline Ransomware
The Colonial Pipeline attack (May 7) shut down the largest fuel pipeline in the eastern United States for six days. While primarily a ransomware event (DarkSide group), it demonstrated the cascading impact of software-dependent infrastructure. Colonial paid $4.4 million in ransom, though the FBI later recovered $2.3 million.
May 2021: Executive Order 14028
On May 12, President Biden signed EO 14028, "Improving the Nation's Cybersecurity." The order mandated SBOM requirements for federal software vendors, directed NIST to publish secure software development guidelines, and set aggressive timelines for implementation. It was the most significant U.S. government action on software supply chain security ever.
Q3 2021: Scale and Sophistication
July 2021: Kaseya VSA Ransomware
On July 2 (Independence Day weekend), REvil ransomware group exploited zero-day vulnerabilities in Kaseya's VSA platform to push ransomware to managed service providers and their downstream customers. Up to 1,500 businesses were affected. REvil demanded $70 million for a universal decryptor. The attack demonstrated the MSP-chain amplification effect — compromising one vendor to reach thousands of end victims.
July 2021: NTIA SBOM Minimum Elements Published
NTIA published "The Minimum Elements for a Software Bill of Materials" on July 12, defining the baseline data fields, automation support, and practices required for SBOMs under EO 14028.
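An added example (not from the post; the mapping of fields onto CycloneDX is mine) that checks a CycloneDX JSON SBOM for the seven NTIA minimum data fields: supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, and timestamp. Component and supplier names in the sample are constructed.

```python
import json
import sys

def check_ntia_minimum(sbom):
    """Return a list of gaps against the NTIA minimum data fields for one
    CycloneDX JSON document; an empty list means every field is present."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp missing (Timestamp)")
    if not meta.get("authors") and not meta.get("tools"):
        gaps.append("metadata.authors or tools missing (Author of SBOM Data)")
    refs_in_graph = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            gaps.append(f"{label}: name missing (Component Name)")
        if not comp.get("version"):
            gaps.append(f"{label}: version missing (Version of the Component)")
        if not (comp.get("supplier") or {}).get("name"):
            gaps.append(f"{label}: supplier.name missing (Supplier Name)")
        if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
            gaps.append(f"{label}: purl/cpe/swid missing (Other Unique Identifiers)")
        if comp.get("bom-ref") not in refs_in_graph:   # each component must appear in the graph
            gaps.append(f"{label}: no 'dependencies' entry (Dependency Relationship)")
    return gaps

# Constructed sample: one complete component, one missing supplier and identifier.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2021-07-12T00:00:00Z",
                 "authors": [{"name": "Example Build Team"}],
                 "component": {"bom-ref": "app", "name": "acme-web", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/example-lib@4.17.21", "name": "example-lib", "version": "4.17.21",
         "supplier": {"name": "Example Maintainers"}, "purl": "pkg:npm/example-lib@4.17.21"},
        {"bom-ref": "lib-b", "name": "example-util", "version": "1.3.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/example-lib@4.17.21", "lib-b"]},
        {"ref": "pkg:npm/example-lib@4.17.21", "dependsOn": []},
        {"ref": "lib-b", "dependsOn": []},
    ],
}

if __name__ == "__main__":
    # Pass a CycloneDX JSON file path to check a real SBOM; otherwise use the sample.
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for gap in check_ntia_minimum(sbom):
        print("GAP:", gap)
```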
August 2021: npm Malware Campaigns
Throughout August, researchers detected multiple campaigns publishing hundreds of malicious packages to npm. Sonatype identified packages targeting Roblox developers with credential-stealing payloads. JFrog discovered packages designed to steal Discord tokens. The campaigns were automated and industrial in scale.
September 2021: Travis CI Secrets Exposure
Researchers discovered that Travis CI exposed environment variables from public repositories through its API, potentially leaking GitHub tokens, AWS keys, and other secrets from thousands of open-source projects. The exposure affected projects that had used Travis CI between 2013 and 2021.
Q4 2021: The Crescendo
October 2021: ua-parser-js Compromised
The ua-parser-js npm package (8 million weekly downloads) was hijacked on October 22 through a maintainer account takeover. Malicious versions included cryptominers and credential stealers. The compromise lasted approximately 6 hours but affected hundreds of thousands of installations.
October 2021: coa and rc Packages Compromised
Days after ua-parser-js, the npm packages coa (9 million weekly downloads) and rc (14 million weekly downloads) were similarly hijacked. The maintainer accounts were compromised, and malicious versions were published containing credential-stealing malware. npm responded by requiring 2FA for maintainers of top packages.
November 2021: CISA KEV Catalog Launched
CISA published Binding Operational Directive 22-01 and the Known Exploited Vulnerabilities catalog on November 3, providing a curated list of vulnerabilities confirmed to be actively exploited in the wild. Federal agencies were required to remediate cataloged vulnerabilities within specified timelines.
December 2021: Log4Shell
CVE-2021-44228 (Log4Shell) was disclosed on December 10, immediately becoming the most critical vulnerability in years. The remote code execution flaw in Apache Log4j 2 affected virtually every Java application. Active exploitation began within hours. Multiple additional Log4j CVEs followed within weeks.
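An added example, not from the original post, of how teams hunted for Log4Shell exposure hidden in transitive dependencies: a scanner that walks fat jars and wars for a bundled log4j-core containing JndiLookup.class and compares its version with a fixed version. The default of 2.17.1 is my choice (the 2.x release that addressed the last of the December 2021 CVEs; the backport branches for older Java versions have their own fixed releases), and the sample jar is constructed from stand-in bytes.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); non-numeric qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def log4j_core_version(zf):
    """Read log4j-core's version from its Maven pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_archive(data, path, fixed="2.17.1", depth=0, max_depth=5):
    """Walk an archive and every jar/war/ear nested in it, returning
    (path chain, version, below_fixed) wherever JndiLookup.class is found.
    'fixed' is for the 2.x line; 2.12.x/2.3.x backports have their own."""
    hits = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits                          # not an archive (or corrupt): skip
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            version = log4j_core_version(zf)
            below = version is None or version_tuple(version) < version_tuple(fixed)
            hits.append((path, version, below))   # unknown version counts as below
        if depth < max_depth:
            for name in names:
                if name.endswith((".jar", ".war", ".ear", ".zip")):
                    hits += scan_archive(zf.read(name), f"{path}!{name}", fixed, depth + 1, max_depth)
    return hits

def build_sample_app_jar():
    """Constructed fixture: an app jar nesting a log4j-core 2.14.1 jar (stand-in bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Feed `scan_archive` the bytes of each deployed artifact; a hit with `below_fixed` true is an instance to patch, and a hit with an unknown version is one to inspect by hand.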
Patterns and Trends
1. Build and CI/CD Targeting
SolarWinds, Codecov, PHP git server — attackers increasingly target the development and build infrastructure rather than the deployed application. These attacks are harder to detect because they operate within trusted processes.
2. Package Ecosystem Attacks
ua-parser-js, coa, rc, dependency confusion, typosquatting campaigns — the open-source package ecosystem is under sustained attack. Account takeover, name squatting, and malicious publishing are now industrial-scale operations.
3. Cascading Impact
Kaseya demonstrated the MSP-chain effect. Log4Shell demonstrated the transitive dependency effect. A single compromise can reach thousands of organizations through trust relationships and dependency chains.
4. Government Response
EO 14028, NIST SSDF, NTIA SBOM elements, CISA KEV — the U.S. government's response in 2021 was unprecedented. Regulation is coming, and the direction is clear: transparency, attestation, and accountability.
How Safeguard.sh Helps
The 2021 timeline demonstrates that software supply chain security isn't a single problem — it's a continuous challenge requiring visibility, monitoring, and rapid response across every layer of your software stack. Safeguard.sh was built for exactly this reality: providing unified supply chain security that addresses dependency risks, vulnerability management, and compliance requirements in a single platform.
Every incident on this timeline would have been mitigated by better component visibility. Safeguard.sh provides that visibility through automated SBOM generation, continuous vulnerability monitoring, and real-time alerting when your dependencies are affected by new disclosures, compromises, or malicious activity.
As the threat landscape continues to evolve in 2022 and beyond, Safeguard.sh evolves with it — integrating new vulnerability feeds, new compliance frameworks, and new detection capabilities to keep your software supply chain secure against the attacks that haven't happened yet.