You don't need to break down the door if you can sneak in through the supplier's window. Supply-chain attacks have become the ultimate cybersecurity nightmare of 2026. Instead of attacking a company directly, hackers target its software suppliers — and through them, gain access to thousands of organizations simultaneously. They are invisible, devastating, and exponential.
🎯 What is a supply-chain attack
Imagine you use accounting software for your business. It updates automatically — it's safe, right? Wrong. If someone hacks the company that builds the software and inserts malicious code into the update, then thousands of customers will automatically download the “virus” along with the legitimate update. That's a supply-chain attack.
The most famous example was SolarWinds in 2020: hackers (likely state-sponsored) infected the Orion software and through it gained access to 18,000 organizations — including US government agencies. Since then, these attacks have increased by 742% according to ENISA.
742%: increase in attacks, 2020-2026
$60B: annual cost worldwide
287 days: average detection time
💥 Major incidents of 2025-2026
2025 was a record year for supply-chain attacks in Europe. In September, the "CodeFlow" attack infected a popular NPM library used by 50,000+ companies. In November, Russian hackers infected a network management update used by energy companies across 12 European countries — including Greece.
🔓 CodeFlow Attack (Sep 2025)
Infected NPM library. Affected 50,000+ projects. Theft of credentials and crypto wallets. $2.3 billion in damages worldwide.
⚡ GridShadow (Nov 2025)
Attack on energy infrastructure. 12 countries, 340 utilities. Backdoors in SCADA systems. Discovered only in January 2026.
🏥 MedTech Breach (Jan 2026)
Infected firmware in medical devices. 2,000+ hospitals. Patient data leaks and ransomware attacks.
⚠️ Why they are so dangerous
🕵️ 4 reasons supply-chain attacks are nightmarish
1. Trust: Updates come from “trusted” sources. Nobody expects an antivirus update to be infected.
2. Scale: One target = thousands of victims. The SolarWinds attack affected 18,000 organizations with a single breach.
3. Invisibility: Malicious code “hides” inside legitimate software. Average detection time: nearly 10 months.
4. Complexity: Modern software depends on hundreds of libraries. Who checks every dependency?
🇬🇷 Greece in the crosshairs
Greece is not immune. In December 2025, the National Cybersecurity Authority revealed that at least 45 Greek companies were affected by the GridShadow attack. Three were energy management companies, two were banks, and many were small and medium-sized businesses.
🏢 Businesses
45+ companies were affected in 2025. Most of them didn't even know.
🏛️ Public Sector
Mandatory SBOM audits for all public IT contracts starting 2026.
📋 NIS2
The NIS2 directive mandates supply chain risk assessment for critical infrastructure.
The new European directive NIS2, which came into full effect in October 2024, requires companies in critical sectors to audit their suppliers. In Greece, this means banks, energy companies, telecoms, and others must maintain a Software Bill of Materials (SBOM) — a complete list of all software components they use.
🛡️ How to protect yourself
Zero Trust: Don't trust anything or anyone by default — not even updates. Verify signatures, check checksums.
SBOM: Know exactly what's running on your systems. Every dependency, every library, every version.
Vendor Assessment: Evaluate your suppliers. What security practices do they follow? How do they manage their code?
Segmentation: Isolate critical systems. If a component is compromised, the damage should be contained.
Monitoring: Watch for anomalies in real time. Unusual activity after an update = red flag.
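
One way to combine the Zero Trust and SBOM items above, as an added example that is not code from the original article: it checks the artifacts that actually arrived against the SHA-256 hashes recorded in a CycloneDX-style SBOM and reports anything tampered, undeclared, unverifiable or missing. The function name `audit_artifacts`, the package names and the sample data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def audit_artifacts(sbom, artifacts):
    """Check delivered artifacts ({"name@version": bytes}) against the
    SHA-256 hashes pinned in a parsed CycloneDX-style SBOM (dict)."""
    pinned = {}
    for comp in sbom.get("components", []):
        digests = [h["content"].lower() for h in comp.get("hashes", [])
                   if h.get("alg") == "SHA-256"]
        pinned[f'{comp["name"]}@{comp["version"]}'] = digests[0] if digests else None
    findings = []
    for key, blob in artifacts.items():
        if key not in pinned:
            findings.append((key, "not-in-sbom"))      # undeclared dependency
        elif pinned[key] is None:
            findings.append((key, "no-pinned-hash"))   # listed but unverifiable
        else:
            actual = hashlib.sha256(blob).hexdigest()
            ok = hmac.compare_digest(actual, pinned[key])
            findings.append((key, "ok" if ok else "hash-mismatch"))
    # Components the SBOM lists that were never delivered
    findings += [(k, "missing") for k in pinned if k not in artifacts]
    return sorted(findings)

# Constructed sample data: package names and contents are made up.
GOOD = b"export const sum = (a, b) => a + b;\n"
TAMPERED = GOOD + b"/* code inserted upstream */\n"
def _pin(data):
    return [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}]
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-math", "version": "1.4.2", "hashes": _pin(GOOD)},
        {"name": "example-logger", "version": "0.9.0", "hashes": _pin(GOOD)},
        {"name": "example-legacy", "version": "2.0.0"},          # no hash recorded
        {"name": "example-crypto", "version": "5.0.1", "hashes": _pin(GOOD)},
    ],
}
SAMPLE_ARTIFACTS = {
    "example-math@1.4.2": GOOD,
    "example-logger@0.9.0": TAMPERED,   # contents differ from the pinned build
    "example-legacy@2.0.0": GOOD,
    "example-extra@3.1.0": GOOD,        # arrived but is not in the SBOM
}

if __name__ == "__main__":
    for component, status in audit_artifacts(SAMPLE_SBOM, SAMPLE_ARTIFACTS):
        print(f"{status:15} {component}")
```

A matching hash only shows that the artifact is the one the SBOM describes. It does not help if the SBOM was produced from an already compromised build, so the SBOM itself has to come from a trusted, signed source.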