As we crossed the midpoint of 2022, the data was unequivocal: software supply chain attacks were not just growing — they were accelerating at a pace that outstripped most organizations' defensive capabilities. Sonatype's annual State of the Software Supply Chain report documented a 742% average annual increase in supply chain attacks over the previous three years. Gartner predicted that by 2025, 45% of organizations worldwide would have experienced a supply chain attack.
This mid-year assessment examines the major incidents, emerging trends, and defensive gaps that defined the first half of 2022.
The Numbers
By September 2022, several data points painted a clear picture:
- Over 37,000 malicious packages had been identified across npm, PyPI, and RubyGems registries in the first half of 2022 alone
- Dependency confusion attacks accounted for roughly 40% of observed supply chain attacks
- The average time to detect a supply chain compromise remained above 250 days
- Open source vulnerabilities increased 33% year-over-year in commercial codebases
These numbers only tell part of the story. Many supply chain compromises go undetected or unreported, meaning the actual scope of the problem is likely significantly larger than any public dataset captures.
Major Incidents: First Half 2022
The Lapsus$ Okta Compromise (January - March 2022)
In January 2022 the Lapsus$ group compromised the account of a support engineer at Sitel, a customer-support contractor for Okta; the intrusion became public in March. Okta initially said that up to 366 customer tenants could have been viewed or acted on through the contractor's support tooling, and later concluded that only two tenants were actually accessed during a roughly 25-minute window. The incident demonstrated how outsourcing arrangements create supply chain exposure that the customer can neither fully monitor nor control: Okta's own systems were not breached, but a vendor's endpoint was enough.
The node-ipc Protestware Incident (March 2022)
The maintainer of node-ipc, an npm package with over a million weekly downloads, deliberately added code in versions 10.1.1 and 10.1.2 that geolocated the host's IP address and, for Russian and Belarusian addresses, overwrote files with heart emojis as a protest against the Russian invasion of Ukraine. This "protestware" incident raised fundamental questions about the open source trust model: a maintainer with publish rights can ship a destructive payload to every downstream consumer with a floating version range, and nothing in the registry stops it.
Heroku/Travis CI OAuth Token Theft (April 2022)
An attacker used OAuth user tokens that had been issued to the Heroku and Travis CI GitHub integrations, and stolen from those services, to download private repositories from dozens of GitHub organizations, including npm's. Because the target was the infrastructure used to build and distribute npm packages, the potential blast radius was the entire npm ecosystem, although GitHub reported no evidence that any packages were modified. The affected OAuth tokens were revoked, and Heroku disabled its GitHub integration while it investigated.
Ctx and PHPass Package Hijacks (May 2022)
A researcher took over the ctx Python package by registering the expired domain behind a maintainer's email address and resetting the PyPI password, and the PHPass PHP package by claiming an abandoned GitHub account name that the Packagist listing still pointed to. In both cases they could publish new versions containing code that exfiltrated environment variables and credentials. These incidents highlighted how fragile registry trust chains are when they rest on an email domain or a source-hosting account that nobody is watching.
Emerging Patterns
Several trends emerged from analyzing the first half of 2022's supply chain attacks:
Typosquatting Became Industrial
Attackers moved from manual typosquatting (creating packages with names similar to popular ones) to automated campaigns that generate hundreds of malicious packages simultaneously. In one March 2022 campaign, over 200 malicious npm packages targeting Azure developers were published in a single burst; they reused the names of legitimate @azure scoped packages with the scope dropped, so that a developer who typed the bare name got the attacker's package.
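Catching this class of package at intake is mostly string matching against an allow-list of names you actually depend on. The following is an added example (not code from the original post) that scores a candidate name against a small constructed list of popular packages using the three tricks the campaigns above relied on: dropping a scope, confusing separators and case, and affixes such as "-js", plus a Damerau-Levenshtein distance of one for plain typos. Real packages can legitimately sit at distance one from each other, which is why the exact allow-list check comes first.

```python
"""Flag candidate typosquats of popular package names.

Added example, not from the original post. POPULAR and SUFFIXES are
constructed samples; in practice load the names your lockfiles already use.
"""
from __future__ import annotations
import re

POPULAR = {"lodash", "express", "react", "axios", "chalk",
           "@azure/core-http", "@azure/identity", "requests", "urllib3"}
SUFFIXES = ("js", "node", "py", "python", "dev", "cli")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Collapse separators and case, which is how a reader's eye treats them."""
    return re.sub(r"[-_.]", "", name.lower())


def unscoped(name: str) -> str:
    """'@azure/core-http' -> 'core-http'; unscoped names pass through."""
    return name.split("/", 1)[1] if name.startswith("@") else name


def typosquat_matches(candidate: str, popular: set[str] = POPULAR) -> list[tuple[str, str]]:
    """Return (popular_name, reason) pairs the candidate could be impersonating."""
    if candidate in popular:            # exact allow-list hit: not a squat
        return []
    hits: list[tuple[str, str]] = []
    cand_norm = normalize(unscoped(candidate))
    for real in popular:
        real_norm = normalize(unscoped(real))
        if cand_norm == real_norm:
            if real.startswith("@") and not candidate.startswith("@"):
                hits.append((real, "scope dropped"))
            else:
                hits.append((real, "separator/case confusion"))
            continue
        for s in SUFFIXES:
            if cand_norm in (real_norm + s, s + real_norm):
                hits.append((real, f"affix '{s}'"))
                break
        else:
            # Guard short names: two-letter packages are within distance 1 of everything.
            if len(real_norm) >= 4 and damerau_levenshtein(cand_norm, real_norm) == 1:
                hits.append((real, "edit distance 1"))
    return hits


if __name__ == "__main__":
    for name in ("lodahs", "core-http", "axios-js", "lodash"):
        print(name, typosquat_matches(name))
```

Run it as a pre-install gate (for example against the names added in a pull request's lockfile diff) and route anything with a non-empty result to a human; the reason string tells the reviewer which trick to look for.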
CI/CD Systems Became Primary Targets
The Heroku/Travis CI incident was part of a broader trend of attackers targeting CI/CD infrastructure. CI/CD systems hold credentials for package registries, cloud environments, and deployment systems, so a single stolen token can carry source access, secrets, and publish rights at once — making them extremely high-value targets. Codecov (2021) blazed this trail, and 2022 saw the approach mature.
Maintainer Compromise Shifted Upstream
Rather than targeting packages directly, attackers increasingly targeted the infrastructure and accounts of package maintainers. This included phishing campaigns, credential theft, and exploitation of account recovery mechanisms.
The Rise of Dependency Confusion
Since Alex Birsan's 2021 disclosure of the dependency confusion technique, attackers adopted it widely. The mechanism is simple: a resolver that consults both a private registry and the public one takes whichever offers the higher version, so an attacker who publishes a public package under an internal name with an inflated version number wins the install. Organizations using private package registries without proper namespace controls (scoped names pinned to the internal registry, or a proxy that never falls through to the public index for internal names) remained vulnerable, and the steady stream of dependency confusion attacks showed that many organizations hadn't implemented fixes.
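The configuration fix for npm is a scope pin in .npmrc (for example `@acme:registry=https://npm.internal.example/`, where both the scope and host are hypothetical), but legacy unscoped internal names have nothing to pin, so the lockfile itself should be audited. The following is an added example (not code from the original post) that walks a package-lock.json in the v2/v3 layout, where every installed package has a `resolved` URL and an `integrity` hash, and flags internal packages that were resolved from the public registry, packages pulled from an unexpected host, and entries that lack an integrity hash or use plain HTTP. The lockfile, the @acme scope, the npm.internal.example host, and the acme-utils legacy name are all constructed for the example.

```python
"""Audit a package-lock.json for dependency-confusion exposure.

Added example, not code from the original post. Assumes lockfile v2/v3
(top-level "packages" map keyed by node_modules path). INTERNAL_SCOPE,
INTERNAL_REGISTRY, LEGACY_INTERNAL_NAMES and SAMPLE_LOCK are constructed.
"""
import json
from urllib.parse import urlparse

INTERNAL_SCOPE = "@acme"                     # assumption: the company's npm scope
INTERNAL_REGISTRY = "npm.internal.example"   # assumption: private registry host
PUBLIC_REGISTRIES = {"registry.npmjs.org"}
# Unscoped internal names published before the company adopted a scope;
# these are exactly the names an attacker can claim on the public registry.
LEGACY_INTERNAL_NAMES = {"acme-utils"}

SAMPLE_LOCK = json.dumps({
    "name": "billing-service", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@acme/auth": "^2.0.0", "acme-utils": "^1.0.0",
                              "lodash": "^4.17.21"}},
        "node_modules/@acme/auth": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@acme/auth/-/auth-2.1.0.tgz",
            "integrity": "sha512-AAAA"},
        # Internal name, but resolved from the public registry at a huge version:
        # the dependency-confusion signature.
        "node_modules/acme-utils": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-utils/-/acme-utils-99.0.0.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-CCCC"},
        # Unknown mirror, plain HTTP, no integrity hash.
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "http://mirror.example.net/left-pad/-/left-pad-1.3.0.tgz"},
    },
})


def package_name(path: str) -> str:
    """'node_modules/foo/node_modules/@acme/bar' -> '@acme/bar'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_json: str) -> list[tuple[str, str]]:
    """Return (package, finding) pairs; an empty list means the lockfile is clean."""
    findings: list[tuple[str, str]] = []
    allowed_hosts = PUBLIC_REGISTRIES | {INTERNAL_REGISTRY}
    for path, meta in json.loads(lock_json)["packages"].items():
        if path == "":                       # the root project entry
            continue
        name = package_name(path)
        resolved = meta.get("resolved")
        parsed = urlparse(resolved) if resolved else None
        host = parsed.hostname if parsed else None
        is_internal = name.startswith(INTERNAL_SCOPE + "/") or name in LEGACY_INTERNAL_NAMES
        if is_internal and host != INTERNAL_REGISTRY:
            findings.append((name, f"dependency confusion: internal package resolved from {host}"))
        elif not is_internal and host not in allowed_hosts:
            findings.append((name, f"unexpected registry host {host}"))
        if parsed and parsed.scheme != "https":
            findings.append((name, "non-https resolved URL"))
        if not meta.get("integrity"):
            findings.append((name, "missing integrity hash"))
    return findings


if __name__ == "__main__":
    for pkg, finding in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {finding}")
```

Run this in CI against the committed lockfile and fail the build on any finding; the same walk works for nested node_modules entries because the name is taken from the last path segment after node_modules/.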
Defensive Gaps
The first half of 2022 revealed several systemic weaknesses in the ecosystem's defenses:
Registry security remained inconsistent. Despite improvements, package registries still lacked consistent enforcement of MFA for maintainers, package signing, and provenance verification. npm began enforcing two-factor authentication for maintainers of the top-100 packages in February 2022 and extended it to the top-500 in March, but the vast majority of packages remained unprotected.
SBOM adoption was slow. Despite the Executive Order 14028 mandate, most organizations still couldn't generate accurate SBOMs for their software. Without knowing what's in your software, you can't assess your exposure to supply chain compromises.
Vulnerability management didn't account for exploitability. Organizations continued to drown in vulnerability alerts without the context to prioritize effectively. A critical CVE in a dependency that's never actually invoked in your application is a different risk than one in an actively used code path.
Build provenance was nearly nonexistent. While projects like Sigstore and SLSA were making progress, the vast majority of software packages still had no verifiable build provenance. Users had to trust that the package on the registry was built from the claimed source code.
The Regulatory Response
Governments accelerated their response to supply chain risks through 2022:
- NIST SP 800-161 Rev. 1 (May 2022) provided comprehensive C-SCRM guidance
- OMB Memorandum M-22-18 (September 2022) required federal agencies to obtain a self-attestation from software producers that their software was developed in line with NIST's Secure Software Development Framework (SP 800-218)
- The EU Cyber Resilience Act proposal (September 2022) introduced supply chain security requirements for the European market
- The Securing Open Source Software Act was introduced in the U.S. Senate (September 2022)
These regulatory moves signaled that supply chain security was moving from voluntary best practice to mandatory requirement.
What the Data Told Us About the Rest of 2022
Based on the trends from the first half, several predictions were supported by the data:
- Malicious package volumes would continue to accelerate. The economics favor attackers: creating malicious packages is cheap, and the ecosystem's defenses are still catching up.
- Major incidents would involve chained compromises. Simple one-step attacks would give way to multi-stage campaigns that pivot through supply chain relationships.
- Regulatory pressure would drive adoption of security tools. Organizations that hadn't invested in SBOM generation, dependency scanning, and supply chain risk management would face increasing pressure from customers, regulators, and insurers.
What Organizations Should Have Been Doing
For organizations assessing their supply chain security posture at the midpoint of 2022, the priority list was clear:
- Generate SBOMs for all software products. You can't defend what you can't see.
- Implement dependency scanning with exploitability context. Not all vulnerabilities are equal — focus on the ones that matter.
- Secure your CI/CD pipelines. Treat build systems as critical infrastructure, with appropriate access controls, monitoring, and credential management.
- Adopt lockfiles and pin dependencies. A committed lockfile with integrity hashes makes installs reproducible, and pinning keeps a floating version range from pulling in a freshly published malicious release.
- Evaluate package provenance. Where available, verify that packages were built from their claimed source code.
- Monitor for supply chain indicators. Watch for unusual dependency changes, new maintainers on critical packages, and unexpected network connections from build systems.
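The "unusual dependency changes" item above is concrete enough to automate: diff the lockfile at the base and head of every pull request and surface the events that matter. The following is an added example (not code from the original post) that compares two constructed package-lock.json revisions and reports new and removed packages, version changes with a major-version jump called out separately (the node-ipc payload shipped in a new major, 10.1.x), a change of the host a package was resolved from, and an integrity hash that changed while the version did not, which should never happen for an immutable registry artifact. Both lockfiles are constructed for the example.

```python
"""Diff two package-lock.json revisions and report supply chain indicators.

Added example, not from the original post. OLD_LOCK and NEW_LOCK are
constructed; in practice they would be the lockfile at a pull request's base
and head commits.
"""
import json
from urllib.parse import urlparse

OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha512-LODASH1"},
    "node_modules/chalk": {"version": "4.1.2",
        "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
        "integrity": "sha512-CHALK1"},
    "node_modules/node-ipc": {"version": "9.1.1",
        "resolved": "https://registry.npmjs.org/node-ipc/-/node-ipc-9.1.1.tgz",
        "integrity": "sha512-IPC1"},
}})

NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {},
    "node_modules/lodash": {"version": "4.17.21",           # same version, new hash
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha512-LODASH2"},
    "node_modules/chalk": {"version": "4.1.2",              # resolved host changed
        "resolved": "https://mirror.example.net/chalk/-/chalk-4.1.2.tgz",
        "integrity": "sha512-CHALK1"},
    "node_modules/node-ipc": {"version": "10.1.1",          # major-version jump
        "resolved": "https://registry.npmjs.org/node-ipc/-/node-ipc-10.1.1.tgz",
        "integrity": "sha512-IPC2"},
    "node_modules/colours": {"version": "1.0.0",            # brand-new dependency
        "resolved": "https://registry.npmjs.org/colours/-/colours-1.0.0.tgz",
        "integrity": "sha512-COL1"},
}})


def _packages(lock_json: str) -> dict:
    """Map package name -> lockfile entry, skipping the root project entry."""
    return {p.rsplit("node_modules/", 1)[-1]: m
            for p, m in json.loads(lock_json)["packages"].items() if p}


def _major(version: str) -> int:
    return int(version.split(".")[0])


def _host(entry: dict):
    return urlparse(entry.get("resolved", "")).hostname


def lockfile_indicators(old_json: str, new_json: str) -> list[tuple[str, str, str]]:
    """Return (event, package, detail) triples describing every notable change."""
    old, new = _packages(old_json), _packages(new_json)
    events: list[tuple[str, str, str]] = []
    for name in sorted(new.keys() - old.keys()):
        events.append(("new_package", name, new[name]["version"]))
    for name in sorted(old.keys() - new.keys()):
        events.append(("removed_package", name, old[name]["version"]))
    for name in sorted(old.keys() & new.keys()):
        o, n = old[name], new[name]
        if o["version"] != n["version"]:
            kind = "major_bump" if _major(n["version"]) > _major(o["version"]) else "version_change"
            events.append((kind, name, f'{o["version"]} -> {n["version"]}'))
        elif o.get("integrity") != n.get("integrity"):
            # Same version, different tarball hash: a replaced artifact or a
            # tampered mirror, never a routine update.
            events.append(("integrity_changed_same_version", name, n["version"]))
        if _host(o) != _host(n):
            events.append(("resolved_host_changed", name, f"{_host(o)} -> {_host(n)}"))
    return events


if __name__ == "__main__":
    for event in lockfile_indicators(OLD_LOCK, NEW_LOCK):
        print(*event)
```

Post the event list as a review comment rather than failing the build outright: new packages and major bumps need a human decision, while integrity or host changes on an unchanged version are worth blocking until explained.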
How Safeguard.sh Helps
Safeguard.sh provides the comprehensive supply chain visibility that the mid-2022 landscape demands. Our platform automates SBOM generation, continuously monitors dependencies for vulnerabilities and malicious packages, and provides exploitability context to help teams prioritize effectively. With policy enforcement across the development lifecycle and real-time alerts on supply chain threats, Safeguard.sh turns the overwhelming challenge of supply chain security into a manageable, measurable program.