The security tool built to protect you became the weapon used against you.
Software supply chain attacks have been a known threat for years. Security professionals have been worried. Investors have been worried. Anyone paying attention saw this coming.
Most business operators still don’t have an actionable plan.
Last month, attackers compromised Trivy, one of the most widely trusted open source security scanning tools. Developers use Trivy specifically to catch security vulnerabilities. The attackers turned it into the vulnerability.
The credentials stolen through the compromised tool were then used to compromise the next target. And the next. And the next. Checkmarx got hit. LiteLLM got hit. Even the Bitwarden CLI tool got hit. Five ecosystems. Cascading failures.
As Gal Nagli, Head of Threat Exposure at Wiz, put it: “The open source supply chain is collapsing in on itself.”
The tool built to protect you became the weapon used against you.
If you run a business that depends on software, ask your team one question this week: What is our software supply chain risk exposure, and what are we doing about it?