Secy247 – Technology, Cybersecurity & Business

Old Cyber Attack Techniques Are Still the Most Effective in 2025

Threat Intelligence / Identity Security

The security world often fixates on what’s new. AI-driven attacks. Post-quantum cryptography. Zero-trust frameworks. Yet when you step back and look at what’s actually working for attackers in 2025, the picture is far less futuristic.

Most successful breaches still rely on the same methods attackers used a decade ago. The difference is scale, speed, and efficiency. Threat actors haven’t reinvented their playbook. They’ve refined it.

Supply Chain Attacks Are Still Spreading Fast

Recent npm incidents, including the Shai-Hulud campaign, reinforce a familiar lesson: software supply chains remain fragile. Compromising a single dependency can ripple through thousands of projects downstream, because package managers resolve transitive dependencies automatically and, by default, run their install scripts. This isn't a new tactic, but attackers have become far better at identifying high-impact targets and exploiting them quietly.

AI has lowered the cost of entry. Just as solo developers can now build complex software faster, individual attackers or very small teams can run operations that once required large, coordinated groups. Some recent npm attacks show signs that they may have been carried out by a single person rather than an organized syndicate.

There is also a growing trend toward patience. Attackers publish legitimate-looking packages, maintain them over time, and build trust within the ecosystem. Then, when the timing is right, a malicious release is published and reaches every dependent that accepts the new version on its next install or update. The XZ Utils incident showed how effective this long-term strategy can be.

Phishing Remains the Easiest Way In

Phishing continues to succeed for the same reason it always has: people make mistakes. What has changed is the blast radius. One compromised developer account can now impact software used by millions.

In one recent supply chain incident, a developer was phished, credentials were stolen, and widely used packages were altered. Even after the breach was reported, there was a delay before the malicious versions were fully removed from the registry. During that gap, every fresh install that resolved to the poisoned versions kept spreading them.

The technical sophistication of the attack was low. The consequences were massive.
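In both of the incidents above, the two questions a team needs to answer quickly are: if package X is compromised, which of our direct dependencies carry it, and what did this dependency update actually change? The following is an added example, not code from the article or from any project it mentions, that answers both from an npm package-lock.json (lockfileVersion 3). The two lockfiles and every package name in them are constructed for illustration; the only registry facts it relies on are that npm records each installed package under the packages map, sets hasInstallScript when a package declares preinstall, install or postinstall scripts, and runs those scripts on install unless --ignore-scripts is given.

```javascript
// Added example (not from the article): dependency visibility over an npm package-lock.json
// (lockfileVersion 3). Two checks a reviewer runs before accepting a lockfile change:
//   1. blast radius: which direct dependencies transitively pull in a given package
//   2. lockfile diff: what was added or changed, and what newly gained an install script
// Both lockfiles and all package names below are constructed for this example.

const oldLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^4.0.0", "color-print": "^2.1.0" } },
    "node_modules/web-framework": { version: "4.2.0", dependencies: { "string-util": "^1.0.0" } },
    "node_modules/color-print": { version: "2.1.0", dependencies: { "string-util": "^1.0.0" } },
    "node_modules/string-util": { version: "1.3.0" },
  },
};

// Same project after a routine `npm update`: string-util moved to a patch release that now
// carries an install script and a brand-new transitive dependency (constructed scenario).
const newLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^4.0.0", "color-print": "^2.1.0" } },
    "node_modules/web-framework": { version: "4.2.0", dependencies: { "string-util": "^1.0.0" } },
    "node_modules/color-print": { version: "2.1.0", dependencies: { "string-util": "^1.0.0" } },
    "node_modules/string-util": { version: "1.3.1", hasInstallScript: true, dependencies: { "postinstall-helper": "^0.1.0" } },
    "node_modules/postinstall-helper": { version: "0.1.0", hasInstallScript: true },
  },
};

// Package name from a lockfile path: the segment after the last "node_modules/".
// Handles nested paths and scoped packages ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return path.slice(i + "node_modules/".length);
}

// name -> Set of dependency names. Several installed versions of one name are merged, so the
// result over-approximates reachability rather than missing an edge.
function buildGraph(lock) {
  const graph = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = nameFromPath(path);
    if (!graph.has(name)) graph.set(name, new Set());
    for (const dep of Object.keys(entry.dependencies || {})) graph.get(name).add(dep);
  }
  return graph;
}

// Depth-first reachability with a visited set, so dependency cycles terminate.
function reaches(graph, from, target, seen = new Set()) {
  if (from === target) return true;
  if (seen.has(from)) return false;
  seen.add(from);
  for (const dep of graph.get(from) || []) {
    if (reaches(graph, dep, target, seen)) return true;
  }
  return false;
}

// Blast radius: which of the project's own (direct) dependencies would carry a compromise of `target`.
function directDepsPulling(lock, target) {
  const root = lock.packages[""];
  const direct = Object.keys({ ...(root.dependencies || {}), ...(root.devDependencies || {}) });
  const graph = buildGraph(lock);
  return direct.filter((d) => reaches(graph, d, target)).sort();
}

// Lockfile diff: what a dependency update actually brings in.
function diffLock(before, after) {
  const added = [];
  const changed = [];
  const newInstallScripts = [];
  for (const [path, entry] of Object.entries(after.packages)) {
    if (path === "") continue;
    const name = nameFromPath(path);
    const prev = before.packages[path];
    if (!prev) added.push(name);
    else if (prev.version !== entry.version) changed.push({ name, from: prev.version, to: entry.version });
    // npm sets hasInstallScript for preinstall/install/postinstall scripts; they run on
    // `npm install` unless --ignore-scripts is set, so one appearing where there was none is worth a look.
    if (entry.hasInstallScript && !(prev && prev.hasInstallScript)) newInstallScripts.push(name);
  }
  return { added: added.sort(), changed, newInstallScripts: newInstallScripts.sort() };
}

console.log("direct deps carrying string-util:", directDepsPulling(newLock, "string-util"));
console.log("lockfile diff:", JSON.stringify(diffLock(oldLock, newLock), null, 2));
```

Run it with node. A version that was pinned in the old lockfile stays pinned until someone accepts a diff like this one, which is exactly the gap that separated pinned projects from floating ones while the poisoned releases were still on the registry. In a real pipeline the same two functions run against the checked-in lockfile and the one a pull request proposes.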

Official Platforms Still Let Malware Through

Another persistent problem is the false sense of safety around official distribution platforms. Browser extensions, like mobile apps before them, regularly slip past automated checks and human review processes.

Research into malicious Chrome extensions shows that attackers understand how to work within existing review systems. Permission models play a major role here. Users are often forced into all-or-nothing decisions, such as granting an extension access to data on every website they visit (in Chrome, the <all_urls> host permission, presented to the user as permission to read and change all their data on all websites).

Granular permission controls already exist in other ecosystems. Mobile platforms allow users to limit access based on context, such as only while an app is in use. Browser extensions could follow the same approach; Chrome's activeTab permission and per-site access settings are the closest equivalents, but adoption by developers and the defaults users see have lagged behind the threat.

When an extension requests broad, unrestricted access, that permission is frequently abused later, even if the initial version appears harmless: an update that adds no new permissions installs silently, so code shipped under an already-granted permission never triggers a new prompt.
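To make the permission point concrete, here is an added example, not code from the article or from Chrome's review tooling, that audits a Manifest V3 extension manifest for all-or-nothing site access and shows the weak manifest beside a scoped one. Both manifests and the extension they describe are constructed for illustration. The facts it relies on are documented Chrome behaviour: <all_urls> and match patterns such as *://*/* grant standing access to every site, activeTab grants access to the current tab only after a user gesture, and optional_host_permissions are requested at runtime with a prompt rather than at install.

```javascript
// Added example (not from the article or from Chrome's review tooling): a reviewer's audit of a
// Chrome extension manifest (MV3) for all-or-nothing site access, with the weak manifest beside
// a hardened one. Both manifests are constructed; the extension is hypothetical.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that, combined with standing access to every site, let an extension read or
// rewrite data on any page the user visits.
const SENSITIVE_PERMISSIONS = new Set([
  "webRequest", "cookies", "scripting", "tabs", "history", "debugger", "nativeMessaging", "clipboardRead",
]);

// The all-or-nothing shape the article describes: always-on access to every site.
const weakManifest = {
  manifest_version: 3,
  name: "Page Tidy (constructed example)",
  version: "1.0.0",
  permissions: ["storage", "scripting", "cookies", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["tidy.js"] }],
};

// Same feature, scoped to "while in use": activeTab grants the current tab only after the user
// clicks the toolbar icon, and any wider site access must be requested at runtime.
const hardenedManifest = {
  manifest_version: 3,
  name: "Page Tidy (constructed example)",
  version: "1.1.0",
  permissions: ["storage", "activeTab", "scripting"],
  optional_host_permissions: ["https://*/*"],
  action: { default_title: "Tidy this page" },
};

function auditManifest(manifest) {
  const hostPerms = manifest.host_permissions || [];
  const perms = manifest.permissions || [];
  const contentScripts = manifest.content_scripts || [];

  const broadHosts = hostPerms.filter((p) => BROAD_HOST_PATTERNS.has(p));
  // Content scripts injected on every page are broad access even without host_permissions.
  const allSiteContentScripts = contentScripts.some((cs) =>
    (cs.matches || []).some((m) => BROAD_HOST_PATTERNS.has(m)));
  const sensitivePermissions = perms.filter((p) => SENSITIVE_PERMISSIONS.has(p)).sort();
  // activeTab: access to the current tab only after a user gesture, the browser analogue of
  // "only while the app is in use".
  const usesActiveTab = perms.includes("activeTab");
  // optional_host_permissions are prompted for at request time, so they are not standing access
  // and are deliberately not counted here.
  const broad = broadHosts.length > 0 || allSiteContentScripts;

  let risk = "low";
  if (broad && sensitivePermissions.length > 0) risk = "high";
  else if (broad) risk = "medium";

  const advice = [];
  if (broad && !usesActiveTab) advice.push("replace standing host access with activeTab and act on user gesture");
  if (broad && !manifest.optional_host_permissions) advice.push("move site access to optional_host_permissions and request it when needed");
  if (allSiteContentScripts) advice.push("drop always-on content_scripts; inject with chrome.scripting.executeScript on demand");

  return { broadHosts, allSiteContentScripts, sensitivePermissions, usesActiveTab, risk, advice };
}

console.log("weak:", auditManifest(weakManifest));
console.log("hardened:", auditManifest(hardenedManifest));
```

Run it with node. The same auditManifest call works on any manifest.json after JSON.parse, for instance over the extensions an organisation allow-lists; the point of the hardened variant is that a later malicious update cannot reach every site without asking, because the standing grant was never made.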

Attackers Focus on What Works

Threat actors did not abandon proven techniques when AI entered the scene. They automated them. Supply chain compromise, phishing, and malicious extensions remain effective because the underlying weaknesses still exist.

Defenders often rush to adopt new security strategies while foundational problems remain unresolved. Weak permission models, poor dependency visibility, and fragile authentication systems continue to undermine defenses.

The reality is simple. The basics matter more now than ever. Attackers have optimized them. Defenders need to do the same.
