Hackers are hitting more than just their primary targets—they’re striking through the backdoor, and they’re not even trying to hide it anymore.
From breached cloud platforms to compromised automation tools, threat actors are expanding their reach by turning supply chains into attack vectors. And increasingly, they’re bragging about it online. In forums lurking on the Dark Web, they’re advertising stolen data like it’s an open-air market—complete with usernames, passwords, access credentials, and even calls for “partners” in crime.
Oracle Breach Exposes a Worrying Trend
Back in March, a hacker going by “rose87169” posted something that sparked a lot of chatter: alleged access to Oracle Cloud systems. At first, Oracle brushed it off. Then came the customer notifications.
Turns out, two internal servers were hit—exposing usernames and passwords stored within them. It wasn’t just some one-off exploit, either. The hacker posted evidence on BreachForums and even asked others to help decrypt what they snagged. It had the feel of a startup pitch—just instead of venture capital, it was encrypted credentials.
It’s the kind of event that used to stay under wraps. Not anymore.
Trustwave’s June 25 report laid it bare. The Oracle breach is just one of three major incidents showing how hackers are turning supply chains into launchpads—and advertising it all online to anyone willing to pay or pitch in.
GitHub Attack Proves This Isn’t Just Bad Luck
And it’s not just the big-name cloud vendors. Even tools that developers rely on daily aren’t safe.
In March, an attacker managed to slip into a GitHub Action known as tj-actions/changed-files through a stolen personal token. The twist? That token had been compromised from another GitHub Action. Dominoes fell. Over 23,000 repositories were affected, including Coinbase’s.
For a lot of devs, it felt like the ground shifted beneath them. Who do you trust when your build tools get hijacked?
This wasn’t just random targeting. According to security experts, it’s a sign of how threat actors are prioritizing leverage over noise. Attack one node, and maybe you get access to dozens—or thousands—of others downstream.
And here’s the kicker: attackers want people to know. It boosts their status. It opens up collaboration. And on the Dark Web, reputation matters as much as skill.
The Supply Chain Is a Soft Underbelly
Kory Daniels, CISO at Trustwave, says the trend is picking up steam—and it’s not just replacing old-school attacks. It’s growing in addition to them.
He puts it bluntly: “We see an increase in the trend of utilizing third-party suppliers to be the injection point.”
It makes sense. Supply chains are riddled with smaller, often underfunded companies. And where there’s less security, there’s more opportunity.
Ransomware claims provide a window into how this plays out:
- In 2021, supply chain-linked claims were basically nonexistent.
- By 2024, they made up 11% of total claims, according to At-Bay Security’s 2025 InsureSec Report.
It’s not a fluke. Cybercriminals are zeroing in on suppliers and using them as stepping stones. They don’t need to knock on the front door if they can crawl in through the vents.
What’s Being Sold on the Dark Web?
Take a stroll through Dark Web listings (metaphorically, of course), and you’ll find a buffet of stolen access.
One post might offer:
- Credentials to private Git repositories
- Admin logins to vendor dashboards
- Backdoor access to cloud containers
Others go even further, offering access to undocumented APIs or remote management tools. It’s not subtle. In fact, it’s shockingly blunt.
And it’s profitable. A listing that offers a clear path to pivot into another company’s network fetches more. Especially if it comes with proof—like screenshots or decrypted samples. Trustwave’s report spells it out: buyers are no longer just looking for data. They’re buying pathways. Routes into bigger targets.
Here’s a snapshot of what’s being peddled:
Listing Type | Description | Value to Buyers |
---|---|---|
Cloud Platform Credentials | Access to AWS, Azure, Oracle, etc. | Infrastructure control |
Developer Tools Access | GitHub tokens, CI/CD configs | Code injection, repo tampering |
Management Portal Logins | Remote desktop, VPN, or API keys | Admin access and lateral movement |
Supplier Logins | Entry point into larger client ecosystems | Indirect compromise potential |
Laurie Iacono from At-Bay puts it plainly: “These are incidents where our insureds suffer losses that are attributable to the security failures of another company.”
It’s a brutal cycle. Company A gets hacked, but Company B ends up offline. Or worse, their confidential data ends up on some leak site. Then clients lose trust. Then regulators come knocking.
And the hardest part? Victims often don’t know where the breach started. It might’ve been a vendor three layers deep. Maybe a subcontractor’s poorly secured laptop.
The result? Business interruptions. Embarrassing disclosures. Compliance headaches. Legal bills.
So… What Now?
It’s not hopeless, but it’s not simple either.
Daniels says the bare minimum is to secure your critical vendors. Start by knowing who they are. What software you depend on. What access they have.
And then—tighten up.
A few practical tips:
- Make MFA non-negotiable for vendors.
- Use contractual language to enforce cybersecurity standards.
- Run risk assessments before onboarding suppliers.
- Monitor the Dark Web (or pay someone who can).
- Prioritize visibility over assumptions.
And one more thing—if you think “zero trust” sounds like marketing fluff, think again. It’s quickly becoming survival instinct.
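For the "what software you depend on" step, applied to the GitHub Actions case described earlier, here is an added example (not from the article or from Trustwave's report). It inventories the third-party actions a workflow file pulls in, grouped by owner, and flags references that use a tag or branch name instead of a full commit SHA, since whoever controls the action's repository can move a tag to different code. The sample workflow, its version tags and the `example-org` names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample workflow for illustration; refs and the example-org
# names are hypothetical (tj-actions/changed-files is named in the article).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - name: pinned step
        uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567 # v1.2.0
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
      # - uses: example-org/disabled@main
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def inventory_actions(workflow_text):
    """Return {owner: [(action, ref, pinned_to_sha), ...]} for third-party actions."""
    found = defaultdict(list)
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line (commented-out lines do not match)
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local action or container image, not a third-party action
        action, _, ref = target.partition("@")
        owner = action.split("/", 1)[0]
        found[owner].append((action, ref, bool(FULL_SHA_RE.match(ref))))
    return dict(found)

def mutable_refs(workflow_text):
    """List 'action@ref' entries whose ref is a tag or branch, not a commit SHA."""
    return sorted(f"{a}@{r}" for entries in inventory_actions(workflow_text).values()
                  for a, r, pinned in entries if not pinned)

if __name__ == "__main__":
    for owner, entries in sorted(inventory_actions(SAMPLE_WORKFLOW).items()):
        for action, ref, pinned in entries:
            print(f"{owner:12} {action}@{ref} {'pinned' if pinned else 'MUTABLE REF'}")
```

Run over every file under `.github/workflows/`, the per-owner grouping doubles as a list of the external parties whose account security your builds depend on.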