AJay Strong, Information Security Analyst, TraceSecurity
Many organizations rely heavily on an array of external tools, software, and services to operate efficiently. This growing dependence has expanded the attack surface beyond what’s traditionally considered “internal infrastructure.” Today, attackers are increasingly targeting what’s known as the digital supply chain. These supply chain attacks don’t always require a contractual relationship or even a known vendor. Instead, they exploit the simple fact that many external components are trusted by default and deeply integrated into systems.
Take browser extensions, for example. Many users regularly install extensions from the Chrome Web Store or Edge Add-ons catalog. Accessories such as ad blockers, productivity tools, and VPN utilities are downloaded without much scrutiny. These tools enhance functionality but also embed themselves deeply into browser behavior. If a trusted extension is compromised, it can serve as a direct pathway into user sessions, corporate credentials, or other sensitive workflows.
This is not a theoretical risk. In July 2025, a major browser hijacking campaign was discovered involving 18 formerly benign Chrome and Edge extensions. These included seemingly harmless utilities like emoji keyboards, color pickers, and lightweight VPNs. After silently receiving malicious updates, the extensions began hijacking web sessions, redirecting users to phishing pages, and stealing session cookies and clipboard content. The truly insidious aspect of this attack was that these extensions had earned user trust, accumulating millions of installations and positive reviews before being weaponized. Investigators believe some of these extensions were either sold to malicious actors or the original developers were compromised.
To prevent falling victim to browser-based supply chain attacks, users and IT administrators should regularly audit installed extensions and remove any that are unnecessary or untrusted. Extension permissions should be scrutinized, especially those requesting access to “all sites” or clipboard contents. In enterprise environments, browser policies can restrict installations to vetted lists. Additionally, privacy-first browsers like Brave or hardened versions of Firefox can provide another layer of protection.
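As an added example (not TraceSecurity's code), the following Python script audits the manifest.json of each installed Chrome or Edge extension for the two permissions the paragraph singles out, all-sites access and clipboard access, and checks each extension ID against a vetted allowlist. The manifests, extension IDs and allowlist below are constructed samples; `load_manifests` reads real profiles using the standard `Extensions/<id>/<version>/manifest.json` layout.

```python
import json
from pathlib import Path

# Host patterns that amount to "all sites" (Manifest V2 and V3 spellings).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CLIPBOARD = {"clipboardRead", "clipboardWrite"}


def load_manifests(profile_dir: str) -> dict[str, dict]:
    """Collect manifest.json for every extension under a Chrome/Edge profile
    (layout: <profile>/Extensions/<id>/<version>/manifest.json)."""
    found = {}
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        found[path.parts[-3]] = json.loads(path.read_text(encoding="utf-8"))
    return found


def risky_permissions(manifest: dict) -> list[str]:
    """Return the review reasons that apply to one parsed manifest."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists host permissions separately; MV2 mixes them into "permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    if hosts & ALL_SITES:
        findings.append("all-sites access")
    if perms & CLIPBOARD:
        findings.append("clipboard access")
    # A content script matched on every site is all-sites access by another route.
    if any(set(cs.get("matches", [])) & ALL_SITES
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script on all sites")
    return findings


def audit(extensions: dict[str, dict], allowlist: set[str]) -> dict[str, list[str]]:
    """Map extension ID -> reasons to review it (empty list means nothing flagged)."""
    report = {}
    for ext_id, manifest in extensions.items():
        reasons = risky_permissions(manifest)
        if ext_id not in allowlist:
            reasons.append("not on vetted allowlist")
        report[ext_id] = reasons
    return report


# Constructed samples; real IDs are 32 lowercase letters assigned by the store.
EMOJI, COLOR, VAULT = ("aaaabbbbccccddddeeeeffffgggghhhh",
                       "bbbbccccddddeeeeffffgggghhhhiiii",
                       "ccccddddeeeeffffgggghhhhiiiijjjj")
SAMPLE_EXTENSIONS = {
    EMOJI: {"manifest_version": 3, "name": "Emoji Keyboard (sample)",
            "permissions": ["clipboardWrite", "storage"], "host_permissions": ["<all_urls>"]},
    COLOR: {"manifest_version": 2, "name": "Color Picker (sample)", "permissions": ["activeTab"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["pick.js"]}]},
    VAULT: {"manifest_version": 3, "name": "Vetted Vault (sample)",
            "permissions": ["storage"], "host_permissions": ["https://vault.example.com/*"]},
}
VETTED = {VAULT}  # the enterprise allowlist, constructed for this sample
```

The same vetted-ID list is what an enterprise would push through Chrome's ExtensionInstallAllowlist policy, with ExtensionInstallBlocklist set to `*` so anything unlisted cannot be installed.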
Another case of supply chain compromise emerged via SEO poisoning and spoofed download sites. Attackers mimicked the websites of popular tools like PuTTY, WinSCP, and FileZilla. These fake but convincing sites appeared at the top of Google search results due to clever search engine optimization. When users clicked the top results and downloaded the provided installers, they unknowingly installed a malware loader called Oyster. This loader maintained persistence through scheduled tasks and could download secondary payloads, including credential stealers and ransomware.
This form of attack is particularly effective because many users search for software names via Google instead of navigating directly to the official vendor site. The remedy lies in both technical safeguards and user behavior. Users should confirm that they are downloading from legitimate vendor domains or trusted repositories like GitHub. Services like VirusTotal or URLScan can be used to validate URLs before clicking. Organizations can deploy DNS filtering to block known malicious domains and implement layered security controls to reduce risk.
Mac users were also targeted in 2025 through a resurgence of the Atomic Stealer malware. Distributed primarily through cracked software on torrent sites and forums, this malware infiltrated systems by masquerading as desirable apps. Once installed, Atomic Stealer requested elevated permissions like screen recording and accessibility controls. From there, it quietly harvested iCloud Keychain entries, browser autofill data, document files, and cryptocurrency wallet contents. The new variant also featured sandbox evasion and anti-analysis techniques, which made it difficult to detect using standard anti-virus tools.
To defend against such threats, users should avoid pirated software altogether. macOS users can rely on built-in features like Gatekeeper and XProtect to flag unsigned or known-malicious apps. Advanced users may benefit from additional tools like Objective-See’s BlockBlock, which monitors for persistence mechanisms, or LuLu, which alerts on unauthorized outbound traffic. It’s also important to periodically review app permissions and revoke those that seem excessive or outdated.
Mobile users faced their own supply chain threat when a malicious app named “Document Manager - File Reader” appeared on the Google Play Store. With over 50,000 downloads, this app was, in fact, a dropper for the Anatsa banking trojan. Once installed, it requested accessibility permissions and could then overlay fake login screens on top of real banking apps, intercept credentials, hijack SMS-based two-factor authentication, and exfiltrate data. Anatsa’s delayed activation made it even more dangerous, as it remained dormant for several days after installation, slipping past initial malware scans and avoiding user suspicion.
Mobile users should be cautious about installing new apps with few or no reviews. Always examine permissions carefully, especially those requesting Accessibility Services. While Google Play Protect provides a baseline defense, it’s often not enough. Tools like Lookout, Zimperium, Norton Mobile Security, Trend Micro, and Sophos Intercept X offer behavior-based anomaly detection that can flag suspicious activity even when no known malware signatures are triggered. Enterprises can further mitigate mobile risk using mobile device management (MDM) tools that enforce strict app policies and monitor for suspicious activity.
Another cross-platform malware strain that gained traction in 2025 is ClickFix, which spreads primarily through drive-by downloads. Victims are often redirected to malicious domains simply by visiting compromised websites or clicking on shortened URLs. These malicious redirects are typically powered by JavaScript injection. Users are then prompted to install fake browser updates or cleaner tools, which deliver infostealers, miners, or ad fraud apps. ClickFix is especially dangerous because it mimics legitimate notifications, often tricking users into clicking without suspicion.
To reduce the likelihood of drive-by downloads, users can install content blockers like uBlock Origin, which filter malicious domains. Advanced users might deploy NoScript or uMatrix to disable JavaScript by default. It is also wise to avoid clicking on shortened URLs unless they are previewed through services like Unshorten.me. Keeping browsers and OS platforms up to date is another essential layer of protection.
All of these examples underscore a central truth: modern cybercriminals are increasingly targeting the tools and conveniences that users implicitly trust. Whether it’s a browser extension, a mobile app, or a free download, attackers know the easiest path into a system is often through our everyday habits.
This trend highlights the importance of a broader definition of supply chain risk. During IT audits, organizations often focus solely on vendors with formal agreements or contracts. However, many of the most dangerous threats come from unaffiliated third parties: open-source libraries, app store listings, or widely used browser tools that have no contractual oversight. These tools still enter your environment. They still operate with significant access. And they are very much part of your supply chain.
Organizations must shift their mindset to include these uncontracted dependencies in their risk models. That means tracking what extensions and third-party tools are being used, applying the principle of least privilege across every integration, and maintaining strong policies around software sourcing. Supply chain attacks don’t just happen to large enterprises or government agencies; they affect everyone who installs, trusts, or integrates third-party code and services.
Security today is about habits as much as it is about tools. It is not just which antivirus or firewall you use, but how you manage what gets installed, where it comes from, and who maintains it. Vigilance, layered defenses, and continuous education are our best tools to fight back against supply chain threats that now lurk in every corner of the digital landscape.
In most cybersecurity scenarios, we encourage proactivity. We tell our clients to patch early, train often, and plan ahead. But when it comes to supply chain attacks, the landscape is more complex. Small and medium-sized institutions often don’t have the budget or capacity to evaluate the security practices of every vendor or developer behind every tool or dependency they use. And since supply chain threats often originate from entities outside the organization’s direct visibility, it becomes extremely difficult to prevent them proactively.
The best approach is being “reactively prepared.” That means being ready to respond quickly and effectively when something goes wrong. One of the most important steps is to ensure that third-party vendors, whether formally contracted or not, are factored into your incident response plans. Institutions should know in advance who to contact, how to escalate, and what steps to take in the event of a supply-chain-related breach. This includes cloud providers, SaaS vendors, extension developers, and app ecosystem maintainers.
Maintaining open communication channels with vendors, subscribing to their security advisories, and periodically reviewing their security documentation can also help. While you may not be able to prevent the next attack, you can reduce its impact by responding with clarity and speed.
Connect with TraceSecurity to learn more.