The walls around tech companies are holding, but the floors beneath them — their supply chains — are being pulled out from under. As attackers shift focus to third-party suppliers, a surge in breaches and leaked data is turning the Dark Web into a full-blown black market for stolen infrastructure.
Cyberattacks aimed at key pieces of the software and cloud ecosystems are rising fast, with criminals increasingly bragging and bargaining over the stolen goods online. From GitHub repositories to Oracle servers, recent incidents show no layer of tech is too small or too buried to be spared.
Oracle Cloud and GitHub Breaches Put the Spotlight on Supply Chain Weak Points
Back in March, a hacker going by the alias “rose87169” made a bold post on BreachForums, claiming they had access to Oracle Cloud systems. At first, Oracle denied anything had happened. But not long after, the company quietly admitted to customers that two servers had been breached — servers storing usernames and passwords.
That’s not the kind of news a cloud giant wants to send out.
In a similar time frame, a different attacker used a compromised GitHub personal access token to hijack the tj-actions/changed-files automation. That move impacted over 23,000 repositories. Coinbase’s repo was one of them — possibly the main target. And just like that, a tiny crack in one GitHub Action cascaded into chaos across multiple organizations.
These aren’t one-off flukes. They’re warning shots. And the message is clear.
Cybercriminals Are Now Trading More Than Just Data Dumps
Hackers aren’t just stealing credentials anymore. They’re marketing them.
Trustwave’s June 25 report revealed how attackers on Dark Web forums now openly sell:
- Credentials with access to internal tools and systems
- Undocumented APIs
- Remote management portals
- Developer environments
- Cloud infrastructure keys
They’re not being subtle. Many listings explicitly explain how buyers can use the access to leapfrog into connected systems downstream. It’s not just about breaking into one place — it’s about how far you can go once you’re in.
A single stolen credential could give attackers a pathway into dozens of vendors, clients, and users. Like dominoes, one weak link in the chain sends the rest tumbling.
Insurance Claims Reveal the True Cost of Supply Chain Breaches
The financial side of all this? It’s catching up.
At-Bay Security’s “2025 InsureSec Report” showed a massive jump in cyber-insurance claims tied to third-party breaches. In 2021, they were a rounding error. In 2024? They made up 11% of claims.
That number may seem small, but in insurance terms, it’s a flashing red light. Insurers track what hurts their bottom line — and third-party ransomware attacks are starting to bite.
These claims include:
- Business disruptions from suppliers getting locked out of their own systems
- Leaks of confidential data posted to Dark Web leak sites
- Legal costs and penalties for mishandled customer data
That’s not just someone else’s problem anymore.
Dark Web Deals Are Growing More Brazen and Structured
That’s straight from Trustwave’s report.
Attackers are thinking like sellers. They’re bundling access rights with usage instructions. Some listings even pitch access to key vendors as a launching pad for broader attacks.
It’s not wild speculation — it’s organized crime meeting enterprise strategy.
Here’s how these listings typically play out:
Type of Access | What’s Offered | Potential Risk |
---|---|---|
Admin credentials | Privileged access to vendor dashboards | Lateral movement into downstream client systems |
API keys | Undocumented or unmonitored endpoints | Data theft or backdoor setup |
Remote management portals | Access to IT tools | Malware injection, ransomware deployment |
Build systems | Dev environments with CI/CD control | Code tampering, software supply chain poisoning |
And in case it wasn’t clear — none of this is theoretical. It’s all already happened.
What Security Experts Say Needs to Happen Next
So what can be done?
For starters, experts say companies need to stop pretending this is someone else’s problem. Kory Daniels, CISO at Trustwave, put it plainly: the first step is identifying your critical third-party dependencies.
“You can’t protect what you don’t know exists,” he says.
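For the dependency class behind the tj-actions/changed-files incident above, that inventory can start with the workflow files themselves. The following is an added example, not code from the article or from Trustwave: it lists every external GitHub Action or reusable workflow a repository references and marks references that use a tag or branch, which the action's maintainer (or anyone holding their token) can repoint, instead of a full commit SHA. The workflow text is a constructed sample and the `acme-vendor` names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample workflows; the acme-vendor names are hypothetical.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: acme-vendor/deploy-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
""",
    ".github/workflows/release.yml": """\
jobs:
  release:
    uses: acme-vendor/shared-workflows/.github/workflows/release.yml@main
""",
}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def inventory(workflows):
    """Map each external 'owner/repo' to its (file, ref, pinned) references."""
    deps = defaultdict(list)
    for path, text in workflows.items():
        for target in USES_RE.findall(text):
            if target.startswith(("./", "docker://")):
                continue  # in-repo actions and container images are out of scope here
            name, _, ref = target.partition("@")
            owner_repo = "/".join(name.split("/")[:2])
            pinned = bool(FULL_SHA_RE.fullmatch(ref))
            deps[owner_repo].append((path, ref, pinned))
    return dict(deps)

def mutable_refs(deps):
    """Dependencies with at least one reference that is a tag or branch, not a commit SHA."""
    return sorted(repo for repo, uses in deps.items()
                  if any(not pinned for _, _, pinned in uses))

if __name__ == "__main__":
    deps = inventory(SAMPLE_WORKFLOWS)
    for repo, uses in sorted(deps.items()):
        for path, ref, pinned in uses:
            print(f"{repo:32} {ref[:12]:12} {'pinned' if pinned else 'MUTABLE'}  {path}")
    print("review first:", mutable_refs(deps))
```
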
From there, organizations should look at a few essentials:
- Mandate multifactor authentication for all accounts, not just internal ones
- Monitor vendors with threat intelligence tools or outsource to firms that do
- Include security checks in vendor contracts — such as due-diligence audits
- Keep tabs on the Dark Web — not just for your company, but for your partners too
Still, most companies don’t even know if their own employees are using MFA. So it’s no surprise they have zero visibility into their vendors.
Supply Chains Are Now Prime Real Estate for Cybercriminals
Supply chain attacks have ripple effects. A breach at a single provider can hit hundreds of clients. And the more attackers realize this, the more they aim for those entry points.
Laurie Iacono at At-Bay summed it up: “These are incidents where our insureds suffer losses that are attributable to the security failures of another company.”
It’s no longer about who gets hit first. It’s about who’s connected to who — and how fast the infection spreads.
Sometimes, the vendor doesn’t even know they’ve been compromised until their clients start calling.
“We need to get deeper insights into our supply chain so that we don’t get caught flatfooted and reactive.”
Flatfooted is where a lot of companies still are. And the clock’s ticking.