Shai-Hulud and the new vulnerability of supply chains: Why cybersecurity must extend beyond your own IT

October 29, 2025

by Peter Machat, Senior Director EMEA Central at Armis

Supply chains: Why cybersecurity must extend beyond your own IT

Recent attacks on software supply chains show how vulnerable and intertwined digital infrastructure has become. The incident involving the Shai-Hulud worm in the npm ecosystem, the package registry underneath many modern web and enterprise applications, has already compromised over 500 packages. The malware harvested cloud credentials for AWS, GCP and Azure as well as GitHub access tokens, and it spread on its own: with a stolen npm token it published infected versions of other packages that the same maintainer controlled, so that every downstream project installing those packages was hit in turn.

Shai-Hulud is one example of a growing number of security incidents in software supply chains. Gartner reports that by 2026, nearly one in two companies will be affected, three times as many as in 2021. For companies in Europe, this means that the attack surface now extends far beyond their own IT systems. Once an open-source library is compromised, the damage can spread across supply chains and partner networks, increasing compliance and data protection risks and compromising customer data, production processes or services.

This development makes it clear that selective security measures and traditional patch strategies are no longer sufficient. In an increasingly networked IT landscape, holistic approaches such as Continuous Threat Exposure Management (CTEM) are needed to create transparency and the ability to act across the entire digital supply chain.

The digital supply chain as a weak point in modern IT

94 per cent of all applications today use open-source components, and 84 per cent of companies have been affected by attacks on their software supply chain in the past twelve months. Campaigns such as Shai-Hulud show how quickly threats can spread when just a single dependency is compromised. Because modern development processes rely heavily on package registries such as npm, and because a build pulls in not only the libraries a team chose but everything those libraries depend on, an infected module can reach thousands of organisations at once, most of which never asked for it directly. This means that a company's security no longer depends solely on whether internal systems are regularly patched or monitored. It is also crucial that the code libraries, APIs and partner integrations in use are secure and trustworthy.

How to achieve holistic security in a networked ecosystem

Continuous Threat Exposure Management (CTEM) must cover a company’s entire digital environment, from internal resources and supply chains to external service providers. A modern CTEM programme goes beyond a one-time inventory or regular scans and requires:

Transparency across all connected systems:

Whether it’s a developer’s laptop, an unmanaged IoT device or a third-party SaaS integration, every connection expands the attack surface. Research by Armis Labs shows that around 40 per cent of connected assets in companies are unmanaged or unknown. As a result, many risks remain undetected.

Assessing risks in a business context:

Not every vulnerability poses the same threat. CTEM means looking at risks in the context of business-critical processes. It must be clear which systems process customer data or are linked to sensitive services. This allows threats that could have the greatest impact on business operations to be prioritised.

Early detection and responsiveness along the supply chain:

Attacks such as Shai-Hulud spread from one package to the next within hours. Early warnings, continuous monitoring of software dependencies and the correlation of anomalies across the entire digital ecosystem are therefore crucial. A CVE-driven vulnerability scanner is no longer sufficient on its own: a malicious package version published minutes ago has no CVE yet, so a scan that only matches known vulnerability identifiers will report the build as clean.

Targeted risk mitigation instead of blind reaction:

No company can keep track of every single vulnerability. An effective CTEM programme therefore focuses on the truly critical areas: systems with sensitive data, developer pipelines, and publicly accessible assets.

Lessons learned from Shai-Hulud

The incident highlights several hard truths for companies:

  • Developers are part of the attack surface: The credentials and tokens on developer machines and in CI pipelines were the primary targets, because a single npm or GitHub token is enough to publish on a maintainer's behalf.
  • Nested dependencies hide major risks: A single compromised library, even one pulled in transitively several levels deep, can put the entire company at risk.
  • Extended and comprehensive transparency is essential: Without continuous monitoring of what is actually installed, you cannot detect when your supply chain becomes the starting point for attacks.
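The two points above, continuous monitoring of software dependencies and the risk hidden in nested dependencies, come down to one concrete question a security team must be able to answer quickly: which exact package versions are actually installed, how deep in the tree, and do any of them run code at install time? The following script is an added example written for this article, not code from Armis or from any npm tooling. It walks an npm `package-lock.json` (lockfile version 2 or 3), lists every installed package with its dependency chain, matches exact versions against a denylist of compromised releases, and flags packages that npm recorded as having install-time lifecycle scripts. The lockfile contents, package names and denylist entries are all constructed for the demonstration and are not real indicators of compromise.

```javascript
// Added example (not from the article or any npm project): audit an npm
// package-lock.json for known-compromised versions and install-time scripts.
// The lockfile and denylist below are constructed for the demo; the package
// names and versions are invented and are NOT real indicators of compromise.

const CONSTRUCTED_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    // root project entry
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "web-framework": "^4.0.0", "colorize": "^2.1.0" } },
    "node_modules/web-framework": { version: "4.2.1",
                                    dependencies: { "helper-utils": "^1.5.0" } },
    // nested copy of helper-utils, two levels deep, with a lifecycle script
    "node_modules/web-framework/node_modules/helper-utils": {
      version: "1.5.3", hasInstallScript: true },
    "node_modules/colorize": { version: "2.1.4" },
    // top-level helper-utils on an older, clean version
    "node_modules/helper-utils": { version: "1.4.9" },
  },
});

// Constructed denylist: package name -> set of exact compromised versions.
const CONSTRUCTED_DENYLIST = new Map([
  ["helper-utils", new Set(["1.5.3"])],
  ["left-padder", new Set(["9.9.9"])],
]);

// "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"].
// Splitting on "/node_modules/" keeps scoped names intact. Returns null for
// the root entry ("") and for anything that is not an installed package path.
function parseLockPath(lockPath) {
  if (!lockPath.startsWith("node_modules/")) return null;
  return lockPath.slice("node_modules/".length).split("/node_modules/");
}

// Flatten the lockfile's "packages" map into one record per installed package.
function packagesFromLock(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const chain = parseLockPath(lockPath);
    if (chain === null || !entry.version) continue; // root entry or workspace link
    out.push({
      // npm records "name" only when it differs from the path (aliased install),
      // so the real package name is entry.name if present, else the path tail.
      name: entry.name || chain[chain.length - 1],
      version: entry.version,
      chain,
      depth: chain.length,
      // npm sets hasInstallScript when the package declares preinstall,
      // install or postinstall scripts, i.e. code that runs on `npm install`.
      hasInstallScript: entry.hasInstallScript === true,
      lockPath,
    });
  }
  return out;
}

// Exact-version matching on purpose: a compromised release is a specific
// published version, and the clean 1.4.9 copy at top level must not be flagged.
function auditLockfile(lockText, denylist) {
  const findings = { compromised: [], installScripts: [] };
  for (const pkg of packagesFromLock(lockText)) {
    const bad = denylist.get(pkg.name);
    if (bad && bad.has(pkg.version)) findings.compromised.push(pkg);
    if (pkg.hasInstallScript) findings.installScripts.push(pkg);
  }
  return findings;
}

function describePackage(pkg) {
  return `${pkg.chain.join(" > ")}@${pkg.version} [${pkg.lockPath}]`;
}

function formatReport(findings) {
  const lines = [];
  for (const p of findings.compromised) lines.push(`COMPROMISED  ${describePackage(p)}`);
  for (const p of findings.installScripts) lines.push(`INSTALL-HOOK ${describePackage(p)}`);
  return lines.length ? lines.join("\n") : "no findings";
}

const REPORT = formatReport(auditLockfile(CONSTRUCTED_LOCKFILE, CONSTRUCTED_DENYLIST));
console.log(REPORT);
```

Run with `node audit-lock.js`; to use it on a real project, replace `CONSTRUCTED_LOCKFILE` with the contents of the project's `package-lock.json` and populate the denylist from the advisory feed you trust. The point the output makes is the one the article makes: the compromised copy sits two levels down, under a dependency nobody chose directly, and the top-level copy of the same package on a different version stays clean. Flagging `hasInstallScript` is a triage signal rather than proof of malice, since many legitimate native packages also run install scripts, but it is the set of packages that get to execute code on a developer's laptop or a CI runner before anyone reviews them.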

Securing the extended digital landscape

Companies must go beyond reactive patches and establish proactive management of their attack surfaces. This includes building a dynamic, always-up-to-date inventory of all digital assets, linking vulnerabilities to business-critical systems, and extending CTEM to third-party vendors, APIs, and cloud ecosystems. Equally critical is the implementation of early warning mechanisms that detect threats before they can spread. Securing a business today means securing the entire extended digital space – from every single device in your own environment to every dependency within the supply chain. CTEM provides businesses with the visibility, prioritisation and early warning they need to stay one step ahead of potential threats such as Shai-Hulud.
