In software development, a supply chain attack is typically carried out by inserting malicious code into a code dependency or a third-party service integration. Compared with typical cyber attacks, supply chain attacks give attackers two major advantages.
Firstly, a single supply chain attack can target multiple companies at once, since many companies use the same code dependencies and third-party scripts; as such, the potential return on investment of the attack is higher. Secondly, and unlike common cyber attacks, supply chain attacks can remain undetected by perimeter defenses, because they are often initiated by a change to a component of the system that is trusted by default; an approved delivery mechanism, such as a software update, then delivers the malicious change without arousing any suspicion from network defenders.
In 2018, supply chain attacks became a common occurrence in headlines after a series of successful attacks on high-profile companies.