2023 was the year supply chain security moved from "emerging concern" to "existential threat" in the minds of CISOs and boards. The attacks were bigger, faster, and more diverse than ever. The defenses improved, too—but not fast enough. Here's what the year taught us.
The Major Incidents
3CX Supply Chain Attack (March)
The year started with a supply chain attack nested inside another supply chain attack. North Korean threat actors compromised the 3CX desktop application—a VoIP client used by 600,000 organizations—by first compromising Trading Technologies' X_TRADER application. An employee at 3CX had installed the compromised X_TRADER app, which gave the attackers access to 3CX's build environment.
The 3CX attack was significant because it demonstrated supply chain attack chaining: compromising Vendor A to reach Vendor B to reach the actual targets.
MOVEit Transfer (May-June)
The Cl0p ransomware group exploited CVE-2023-34362 in Progress Software's MOVEit Transfer application, ultimately affecting over 2,500 organizations and 67 million individuals. The attack was notable for its scale, its use of a zero-day in a file transfer application, and Cl0p's mass exploitation strategy—compromising hundreds of organizations before anyone knew the vulnerability existed.
JumpCloud (July)
North Korea's Lazarus Group compromised JumpCloud's infrastructure to target cryptocurrency companies through a supply chain vector. The precision of the targeting—fewer than five customers—showed that supply chain attacks could be surgically targeted.
Okta Support System (October)
Okta's second major breach in two years exposed customer session tokens, highlighting the risk of identity provider compromise and the importance of customers monitoring their own identity infrastructure.
Codecov Redux: CircleCI Breach (January)
CircleCI disclosed a security incident where an engineer's laptop was compromised through malware that stole session tokens, giving attackers access to customer data including environment variables and secrets. The incident echoed the 2021 Codecov breach and underscored that CI/CD platforms are high-value supply chain targets.
Trends That Defined 2023
Zero-Day Exploitation Accelerated
The MOVEit, Citrix NetScaler, Ivanti EPMM, Cisco IOS XE, and WinRAR campaigns all involved zero-day exploitation. The time between vulnerability discovery and mass exploitation shrank to days—sometimes the exploitation came first.
This puts organizations in an impossible position: you can't patch a vulnerability that hasn't been disclosed. The answer lies in defense in depth, network segmentation, and detection capabilities—not just patching speed.
Package Registry Attacks Scaled Up
PyPI, npm, and other registries faced hundreds of malicious package uploads throughout the year. The attacks used typosquatting, dependency confusion, and compromised maintainer accounts. PyPI temporarily suspended new registrations in May—an unprecedented step that reflected the overwhelming volume.
Identity Providers Became Prime Targets
The Okta breach, the MGM Resorts attack (via Okta social engineering), and the Microsoft Storm-0558 incident all targeted identity infrastructure. Attacking the identity layer provides access to everything behind it, making identity providers arguably the highest-value targets in the supply chain.
Regulatory Pressure Increased
CISA's Secure by Design campaign, the EU Cyber Resilience Act progress, NIST's updated Cybersecurity Framework, and the SEC's new cyber disclosure rules all added regulatory pressure. SBOM requirements moved from "recommended" to "expected" for government suppliers.
AI Introduced New Supply Chain Risks
The explosion of LLM-powered applications created a new attack surface. Malicious models on Hugging Face, prompt injection attacks, and AI supply chain risks joined the threat landscape. The OWASP Top 10 for LLM Applications provided the first standardized framework for these risks.
Defensive Progress
It wasn't all bad news. The defensive side made real progress:
SBOM adoption accelerated. More organizations generated and consumed SBOMs than ever before. Tooling matured, formats stabilized, and use cases expanded beyond compliance to active vulnerability management.
Sigstore reached general availability. Sigstore's keyless signing makes it easier for open source projects to sign their releases, improving supply chain integrity verification.
npm, PyPI, and other registries improved security. Mandatory 2FA for critical packages, malware scanning, trusted publishers, and provenance attestations all improved the baseline security of package registries.
OpenSSF investment continued. The Open Source Security Foundation funded security audits, maintained critical tools like Scorecard and SLSA, and coordinated industry-wide improvements.
Vendor response times improved. While not universal, many vendors responded to zero-day disclosures faster than in previous years, and CISA's KEV catalog provided clear prioritization signals.
What 2024 Needs
Better detection for supply chain attacks. We're good at patching known vulnerabilities. We're not good at detecting unknown compromises in our supply chain. Investment in behavioral analysis, anomaly detection, and provenance verification needs to increase.
Supply chain security for AI. The AI supply chain is where the software supply chain was five years ago—largely undefended. SBOMs for models, provenance for training data, and security scanning for model files need to become standard practice.
Maintainer sustainability. Many critical open source projects are maintained by one or two people. Their burnout is our security risk. Industry needs to fund maintainer compensation, security audits, and succession planning.
Identity resilience. Given the concentration of risk in identity providers, organizations need strategies for identity provider compromise—including detection, containment, and recovery capabilities that don't depend on the compromised provider.
How Safeguard.sh Helps
Safeguard.sh was built for exactly the threat landscape that 2023 revealed. Our platform provides comprehensive supply chain visibility—from code dependencies to container images to AI models—with continuous monitoring, vulnerability tracking, and compliance reporting. As supply chain attacks grow more sophisticated, Safeguard.sh gives organizations the tools to understand their exposure, prioritize remediation, and demonstrate security posture to regulators and customers. The lessons of 2023 are clear: supply chain security is no longer optional, and Safeguard.sh makes it achievable.