Supply Chain Attacks

Software Supply Chain Security in 2022: The Year Everything Changed

From LastPass to Log4j's aftermath to new regulations, 2022 was the year supply chain security went from niche concern to board-level priority.

Bob
DevSecOps Engineer
7 min read

If 2021 was the year that software supply chain attacks entered public consciousness — driven by SolarWinds and capped by Log4Shell — then 2022 was the year the industry was forced to actually do something about it. The attacks kept coming, the regulations accelerated, and the tools to defend against supply chain threats matured significantly. Here's the definitive look back at a transformative year.

The Threat Landscape: By the Numbers

The statistics for 2022 paint a clear picture of a problem that's accelerating, not stabilizing:

  • Software supply chain attacks increased 742% over the previous three years (Sonatype)
  • Over 137,000 malicious packages were identified across major registries (npm, PyPI, RubyGems, Maven)
  • 88% of organizations experienced at least one software supply chain risk event (Gartner)
  • The average cost of a supply chain breach reached $4.46 million (IBM)
  • Time to detect supply chain compromises averaged 235 days

The Major Incidents

Q1 2022: The Lapsus$ Rampage

The year opened with the Lapsus$ group tearing through major technology companies. The group, reportedly led by teenagers, compromised NVIDIA (February), Samsung (March), Microsoft (March), and Okta (March, via contractor Sitel). Their methods were almost insultingly simple: social engineering, MFA fatigue, and insider recruitment. The Okta compromise was particularly significant as a supply chain event, affecting 366 downstream customers.

Q1 2022: The Protestware Controversy

In March, the maintainer of node-ipc deliberately sabotaged their own package to protest the Russian invasion of Ukraine, adding code that overwrote files on systems with Russian or Belarusian IP addresses. This "protestware" incident forced the open source community to confront uncomfortable questions about maintainer trust and the potential for politically motivated sabotage.

Q2 2022: Heroku/Travis CI Token Theft

In April, attackers used stolen OAuth tokens from Heroku and Travis CI to access private GitHub repositories, including those belonging to npm. This attack targeted the CI/CD infrastructure layer — the tools that developers use to build and deploy software — and demonstrated that compromising developer tooling could cascade to affect entire ecosystems.

Q3 2022: The 0ktapus Wave

August saw the 0ktapus phishing campaign compromise over 130 organizations, including Cloudflare and Twilio. The campaign demonstrated supply chain pivoting: the Twilio compromise gave attackers access to Twilio's customer data, which they used to attack downstream services like Signal.

Q3 2022: LastPass (First Breach)

Also in August, LastPass disclosed that an attacker had compromised a developer environment and stolen source code. The initial disclosure minimized the impact, but the stolen information would enable a far worse breach months later.

Q3 2022: Uber's MFA Fatigue Breach

In September, an 18-year-old attacker breached Uber through MFA fatigue against a contractor, then found hardcoded PAM credentials on a network share that gave access to virtually every internal system.

Q4 2022: OpenSSL Pre-Announcement Drama

Late October brought the OpenSSL vulnerability pre-announcement, which sent security teams scrambling to inventory their OpenSSL 3.x deployments. The eventual downgrade from critical to high severity was a relief, but the incident exposed how few organizations could quickly answer "where is component X in our environment?"

Q4 2022: Dropbox GitHub Repositories

November saw Dropbox lose 130 private GitHub repositories to a phishing attack impersonating CircleCI, continuing the pattern of CI/CD platforms being weaponized as social engineering lures.

Q4 2022: LastPass (Second Breach)

The year's most devastating supply chain incident: using knowledge from the August breach, attackers compromised a LastPass engineer's home computer through a third-party media software vulnerability, then used stolen credentials to exfiltrate encrypted customer vaults from cloud storage. Millions of users' credential databases were now in attacker hands.

Regulatory Milestones

2022 saw an unprecedented pace of regulatory activity around software supply chain security:

NIST SP 800-161 Rev. 1 (May) provided comprehensive Cyber Supply Chain Risk Management guidance, becoming the definitive reference for organizations building C-SCRM programs.

NIST SP 800-218 (February) published the Secure Software Development Framework (SSDF), establishing practices for secure development that federal suppliers would need to attest to.

OMB M-22-18 (September) required software producers selling to the federal government to self-attest to secure development practices aligned with the SSDF, with a timeline for compliance beginning in 2023.

The EU Cyber Resilience Act (September) was proposed, introducing mandatory cybersecurity requirements for products with digital elements sold in the EU, including open source software in commercial products.

The Securing Open Source Software Act (September) advanced through the U.S. Senate, directing CISA to play a more active role in open source security.

Technology Advances

The defensive technology landscape advanced significantly:

Sigstore reached general availability (October). The free software signing service became production-ready, enabling developers to sign artifacts using their existing identities without managing long-lived signing keys.

SLSA framework matured. The Supply Chain Levels for Software Artifacts framework continued to gain adoption, providing a graduated approach to supply chain security for build systems.

SBOM tooling improved. Tools for generating SBOMs in SPDX and CycloneDX formats became more accurate and widely integrated into build systems. The quality gap between generated SBOMs and manually maintained ones narrowed.

VEX gained traction. The Vulnerability Exploitability eXchange format provided a mechanism for software producers to communicate which vulnerabilities actually affect their products, helping reduce alert fatigue.

Package registry security hardened. npm, PyPI, and other registries implemented mandatory MFA for high-impact packages, improved malware detection, and began supporting package provenance verification.

Lessons of 2022

Several themes emerged from the year's events:

Human Factors Dominated

The biggest breaches of 2022 — Uber, Cloudflare/Twilio, Dropbox, Okta — were all driven by social engineering, not technical exploits. MFA fatigue, phishing, and insider recruitment were the primary attack vectors. Technical controls matter, but they fail when the human layer is compromised.

Development Infrastructure Became a Primary Target

CI/CD systems, developer accounts, and build infrastructure were explicitly targeted throughout 2022. The Heroku/Travis CI token theft, the Dropbox CircleCI phishing, and the LastPass developer environment compromise all targeted the development supply chain.

Cascading Compromises Were the Norm

Rarely did attacks stop at a single organization. The 0ktapus campaign chained from Twilio to Signal. LastPass's August breach enabled the November vault theft. Supply chain attacks are inherently cascading — one compromise enables the next.

Regulatory Momentum Is Irreversible

The pace and scope of regulatory action in 2022 made it clear that software supply chain security requirements are permanent. Organizations that haven't started their compliance journey are already behind.

Visibility Remains the Fundamental Challenge

From the OpenSSL pre-announcement scramble to the ongoing difficulty of detecting malicious packages, the most basic problem persists: most organizations don't know what's in their software. You can't patch, monitor, or govern what you can't see.
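The inventory question raised by the OpenSSL pre-announcement ("where is component X in our environment?") and the SBOM and VEX formats mentioned under Technology Advances come together in a short script. The following is an added example, not code from this article or from Safeguard.sh: it loads CycloneDX 1.4 documents for two hypothetical services (constructed sample data, with placeholder vulnerability ids rather than real CVE numbers), locates every OpenSSL 3.x component, and then prunes each SBOM's embedded vulnerability list using the CycloneDX `analysis.state` field that carries VEX statements.

```python
"""Answer "where is component X?" from a set of CycloneDX SBOMs, then drop the
findings that VEX analysis statements mark as not requiring action.

Added example for this article, not Safeguard.sh product code. The SBOMs are
constructed sample data and the vulnerability ids are placeholders, not CVEs."""
import json

# Constructed CycloneDX 1.4 documents for two hypothetical services. Field names
# follow the CycloneDX schema: components[].name/version/purl/bom-ref and
# vulnerabilities[].analysis.state with affects[].ref pointing at a bom-ref.
SAMPLE_SBOMS = {
    "payments-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.5",
             "name": "openssl", "version": "3.0.5",
             "purl": "pkg:generic/openssl@3.0.5"},
            {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21",
             "name": "lodash", "version": "4.17.21",
             "purl": "pkg:npm/lodash@4.17.21"},
        ],
        "vulnerabilities": [
            {"id": "EXAMPLE-VULN-1",  # placeholder id, not a real CVE
             "affects": [{"ref": "pkg:generic/openssl@3.0.5"}],
             "analysis": {"state": "exploitable",
                          "detail": "TLS endpoint reachable from the internet"}},
            {"id": "EXAMPLE-VULN-2",  # placeholder id, not a real CVE
             "affects": [{"ref": "pkg:npm/lodash@4.17.21"}],
             "analysis": {"state": "not_affected",
                          "justification": "code_not_reachable",
                          "detail": "vulnerable function is never called"}},
        ],
    }),
    "legacy-batch": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "bom-ref": "pkg:generic/openssl@1.1.1q",
             "name": "openssl", "version": "1.1.1q",
             "purl": "pkg:generic/openssl@1.1.1q"},
        ],
        "vulnerabilities": [],
    }),
}

# CycloneDX analysis states under which the consumer needs to take no action.
SUPPRESSED_STATES = {"not_affected", "false_positive",
                     "resolved", "resolved_with_pedigree"}


def major_version(version):
    """Return the leading integer of a version string, or None if it has none."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else None


def locate_component(sboms, name, major=None):
    """Map service -> [versions] for every component called `name`, optionally
    restricted to one major version. `sboms` maps service name -> SBOM JSON."""
    hits = {}
    for service, text in sboms.items():
        bom = json.loads(text)
        for comp in bom.get("components", []):
            if comp.get("name", "").lower() != name.lower():
                continue
            ver = comp.get("version", "")
            if major is not None and major_version(ver) != major:
                continue
            hits.setdefault(service, []).append(ver)
    return hits


def actionable_findings(sbom_text):
    """Return ids of vulnerabilities whose VEX state still calls for action.
    A missing analysis block is treated as in_triage, i.e. still actionable."""
    bom = json.loads(sbom_text)
    out = []
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state not in SUPPRESSED_STATES:
            out.append(vuln["id"])
    return out


if __name__ == "__main__":
    print("OpenSSL 3.x deployments:", locate_component(SAMPLE_SBOMS, "openssl", major=3))
    for svc, text in SAMPLE_SBOMS.items():
        print(svc, "actionable findings:", actionable_findings(text))
```

Run against real SBOMs, `locate_component` is the query security teams needed on the day of the OpenSSL pre-announcement, and `actionable_findings` is the alert-fatigue reduction VEX was designed for: a finding is only suppressed when the producer has asserted a state such as `not_affected`, while anything unanalysed stays on the list.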

Looking Ahead to 2023

Based on 2022's trajectory, several predictions for 2023:

  1. Regulatory requirements will become enforceable, with real consequences for non-compliance
  2. SBOM adoption will accelerate as a business requirement, not just a technical exercise
  3. AI-generated code will introduce new supply chain considerations
  4. Package registry security will continue to improve but won't eliminate malicious packages
  5. The insurance industry will increasingly factor supply chain security into cyber insurance pricing

How Safeguard.sh Helps

Safeguard.sh was built for the supply chain security challenges that 2022 made undeniable. Our platform provides comprehensive SBOM generation and management, continuous vulnerability monitoring with exploitability context, policy enforcement across your development lifecycle, and real-time alerts on supply chain threats. Whether you're responding to the latest malicious package campaign or demonstrating regulatory compliance, Safeguard.sh gives you the visibility and control that 2022 proved is essential.
