Supply chain attacks: what IAM and DevOps teams miss

TL;DR: Supply chain attacks exploit trusted dependencies, packages, and third-party services to distribute malicious code and steal secrets downstream, according to Orca Security. The real problem is not just compromise, but the trust assumptions built into build pipelines, integrations, and least-privilege boundaries.

NHIMG editorial — based on content published by Orca Security: supply chain attacks and how they exploit trusted dependencies

Questions worth separating out

Q: How should security teams reduce supply chain risk in CI/CD pipelines?

A: Security teams should limit the privilege of build, test, and deployment identities, isolate pipelines by environment, and verify upstream artifacts before they execute.

Q: Why do supply chain attacks so often become identity incidents?

A: They become identity incidents because attackers frequently target the credentials that automation already uses.

Q: What do organisations get wrong about trusting signed packages and tools?

A: They often treat a signature or popular package as proof that runtime execution is safe.

Practitioner guidance

• Tighten build-time secret scope Issue tokens and API keys only to the job that needs them, with the shortest viable lifetime and no reuse across pipelines or repositories.
• Isolate pipeline identities Separate runner, deployment, and registry credentials so compromise in one repository cannot automatically reach unrelated workloads or environments.
• Verify upstream execution before install Check package provenance, maintainer trust, and signing status, but also block unapproved execution paths in CI/CD and developer workstations.

What's in the full article

Orca Security's full blog covers the operational detail this post intentionally leaves for the source:

• Walkthroughs of the SolarWinds, npm, XZ Utils, and GitHub Actions cases with the full attack chain.
• Specific examples of how malicious scripts, post-install hooks, and build-time execution harvested secrets.
• Orca's recommended monitoring approach for cloud workloads, repositories, and CI/CD telemetry.
• The vendor's explanation of how agentless side scanning is positioned across code-to-cloud workflows.

👉 Read Orca Security's analysis of supply chain attacks across code and cloud →

Supply chain attacks: what IAM and DevOps teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →