{"id":14262,"date":"2026-02-18T11:05:51","date_gmt":"2026-02-18T09:05:51","guid":{"rendered":"https:\/\/www.inprosec.com\/?p=14262"},"modified":"2026-02-18T11:06:27","modified_gmt":"2026-02-18T09:06:27","slug":"the-supply-chain-the-true-attack-vector-in-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/","title":{"rendered":"The Supply Chain: The True Attack Vector in Cybersecurity"},"content":{"rendered":"

In the cybersecurity ecosystem, we tend to focus our efforts on development security. We invest significant resources in auditing proprietary code, looking for programming flaws, misconfigurations, or technical vulnerabilities in our own systems. However, the reality of today\u2019s threats shows that the most critical incidents do not always occur due to a coding error, but because of something far more difficult to patch: <\/span>supply chain compromise and trust in third parties<\/b>.<\/span><\/p>\n

Recently, the compromise of the update infrastructure of <\/span>Notepad++<\/b> once again highlighted the fragility of this implicit trust model. Protecting the perimeter is no longer enough when we invite external actors into our network through automatic updates and software dependencies.<\/span><\/p>\n

Below, we analyze how these types of attacks are redefining corporate security and why international standards and the latest European regulations now require a strong focus on suppliers.<\/span><\/p>\n\n

The Notepad++ Case: Anatomy of a Trust Compromise<\/b><\/h2>\n

To understand the real scope of a supply chain attack, it is essential to analyze the recent incident that affected Notepad++.<\/span><\/p>\n

The attackers <\/span>did not exploit a vulnerability in the text editor itself<\/b>. The Notepad++ source code was not modified, nor were programming flaws identified in the main application. Instead, the attack focused on <\/span>the distribution mechanism<\/b>, specifically the <\/span>WinGUp<\/b> component, responsible for managing automatic software updates.<\/span><\/p>\n

What exactly happened<\/b><\/h3>\n

\"\"<\/p>\n

Between mid and late 2025, advanced threat actors compromised part of the infrastructure serving the project’s official updates. From that point on, a highly selective and stealthy <\/span>supply chain<\/i><\/b> attack was carried out:<\/span><\/p>\n

    \n
  1. The user requested a legitimate update from Notepad++.<\/span><\/li>\n
  2. The update component contacted a server that appeared to be official.<\/span><\/li>\n
  3. For specific selected targets, the server delivered a <\/span>malware-modified binary<\/b>, credibly signed and packaged.<\/span><\/li>\n
  4. The updated software continued to function correctly, avoiding immediate suspicion.<\/span><\/li>\n
  5. The deployed malware enabled <\/span>cyber espionage<\/b>, persistence, and communication with external command-and-control infrastructures.<\/span><\/li>\n<\/ol>\n

    The attack was not massive. Its danger lay precisely in its <\/span>targeted nature<\/b>: only specific profiles were attacked, allowing adversaries to maintain a low profile for months and delay detection.<\/span><\/p>\n

    The key lesson<\/b><\/h3>\n

    This incident illustrates one of the most critical risks of modern security:<\/span>
    \nsoftware can be functional, legitimate, and seemingly secure, yet its origin may be poisoned<\/b>.<\/span><\/p>\n

    Implicit trust in update channels \u2014 especially in widely used tools considered \u201csecure\u201d \u2014 has become a high-value strategic attack vector.<\/span><\/p>\n

    Why Is the Supply Chain the New Battleground?<\/b><\/h2>\n

    Supply chain attacks exploit a basic principle: <\/span>organizations trust their suppliers<\/b>. If we download a tool from an official website or integrate a widely used library, we assume the risk is minimal.<\/span><\/p>\n

    This assumption is no longer valid.<\/b><\/em><\/p>\n

    Current risks can be grouped into three major vectors that must be actively monitored:<\/span><\/p>\n

    Compromise of Distribution Infrastructure<\/b><\/h3>\n

    As in the Notepad++ case, where the update channel is hijacked and used as an entry point.<\/span><\/p>\n

    Dependency Contamination (<\/b>Dependency Confusion<\/i><\/b>)<\/b><\/h3>\n

    Injection of malicious code into open-source libraries (npm, PyPI, Maven, etc.) that developers automatically integrate into corporate software.<\/span><\/p>\n

    Compromise of the Build Environment (CI\/CD)<\/b><\/h3>\n

    Infiltration into the supplier\u2019s build systems, injecting malware <\/span>even before the software is digitally signed<\/b>, as occurred in the well-known SolarWinds case.<\/span><\/p>\n

    In all these scenarios, the attacker benefits from a key advantage: <\/span>they inherit the trust of the legitimate supplier<\/b>.<\/span><\/p>\n

    Regulatory Framework: Third-Party Security Is No Longer Optional<\/b><\/h2>\n

    The severity and recurrence of these incidents have not gone unnoticed by regulators. In Europe, the approach has radically changed: third-party risk management is no longer a recommendation \u2014 it is a <\/span>legal and auditable requirement<\/b>.<\/span><\/p>\n

    ISO\/IEC 27001:2022<\/b><\/h3>\n

    The latest version of the standard significantly strengthens controls over suppliers. Annex A (controls 5.19 to 5.22) requires:<\/span><\/p>\n

      \n
    • Formal supply chain security management.<\/span><\/li>\n
    • Supplier risk assessment.<\/span><\/li>\n
    • Continuous monitoring of compliance with security requirements.<\/span><\/li>\n<\/ul>\n

      NIS2 Directive<\/b><\/h3>\n

      The new European directive marks a turning point. <\/span>Article 21.2.d<\/b> explicitly states that essential and important entities must manage <\/span>supply chain-related risks<\/b>, considering the specific vulnerabilities of each supplier and service provider.<\/span><\/p>\n

      National Security Framework (ENS)<\/b><\/h3>\n

      In its updated version, the ENS reinforces the obligation to establish security conditions in the acquisition of ICT products and services, requiring guarantees proportional to the risk of the service provided.<\/span><\/p>\n

      Omnibus Package and Digital Transparency<\/b><\/h3>\n

      The Omnibus regulatory package, although primarily focused on consumer protection and digital services, reinforces a key principle:<\/span>
      \nthe obligation of transparency, integrity, and control in software update and distribution processes<\/b>.<\/span>
      \nThis directly impacts automatic update mechanisms and suppliers\u2019 responsibility over their supply chain.<\/span><\/p>\n

      Cyber Resilience Act (CRA)<\/b><\/h3>\n

      The <\/span>Cyber Resilience Act<\/b> introduces, for the first time, horizontal cybersecurity obligations for <\/span>products with digital components<\/b>, including software.<\/span><\/p>\n

      Its requirements include:<\/span><\/p>\n

        \n
      • Security <\/span>by design<\/span><\/i> & <\/span>by default<\/span><\/i>.<\/span><\/li>\n
      • Digital supply chain risk management.<\/span><\/li>\n
      • Secure and verifiable update mechanisms.<\/span><\/li>\n
      • Obligation to remediate vulnerabilities throughout the product lifecycle.<\/span><\/li>\n<\/ul>\n

        With the CRA, supply chain security ceases to be a \u201ctechnical best practice\u201d and becomes a <\/span>direct legal responsibility of manufacturers and suppliers<\/b>.<\/span><\/p>\n

        Defense Strategy: From \u201cTrust\u201d to \u201cVerify\u201d<\/b><\/h2>\n

        \"\"<\/p>\n

         <\/p>\n

        At Inprosec, we know that banning third-party software is not viable. The key is to <\/span>abandon blind trust<\/b> and adopt a continuous verification model aligned with current regulatory frameworks.<\/span><\/p>\n

        We propose a strategy based on three pillars:<\/span><\/p>\n

        Inventory and Visibility (SBOM)<\/b><\/h3>\n

        You cannot protect what you do not know.<\/span><\/p>\n

          \n
        • What it is:<\/b> a Software Bill of Materials (SBOM) detailing all components and dependencies of an application.<\/span><\/li>\n
        • What it\u2019s for:<\/b> it enables rapid identification of exposure in the event of a supplier or specific library compromise and facilitates compliance with NIS2, ISO 27001, and the CRA.<\/span><\/li>\n<\/ul>\n

          Hardening the Update Process<\/b><\/h3>\n

          Updates are necessary, but they are also one of the most critical attack vectors.<\/span><\/p>\n

            \n
          • Hash verification:<\/b> verifying the integrity of binaries (SHA-256) through independent and trusted channels.<\/span><\/li>\n
          • Sandbox environments:<\/b> testing critical software updates in isolated environments before mass deployment, analyzing anomalous behavior.<\/span><\/li>\n<\/ul>\n

            Zero Trust Network Principles<\/b><\/h3>\n

            Assuming compromise is possible means limiting its impact.<\/span><\/p>\n

              \n
            • Segmentation:<\/b> workstations and servers should not have unrestricted Internet access.<\/span><\/li>\n
            • Whitelisting:<\/b> allowing only strictly necessary communications to known update domains, blocking connections to unknown C2 infrastructures.<\/span><\/li>\n<\/ul>\n

              Conclusion: Origin Is as Critical as Code<\/b><\/h2>\n

              The Notepad++ incident is not an anomaly \u2014 it is a symptom of a deeply interconnected digital ecosystem.<\/span><\/p>\n

              Information security no longer ends at our firewall. It extends to our suppliers, their development processes, their distribution infrastructures, and their update mechanisms.<\/span><\/p>\n

              With the arrival of <\/span>NIS2, ENS, Omnibus, and the Cyber Resilience Act<\/b>, this reality is formalized: <\/span>digital supply chain management is a legal, technical, and strategic obligation<\/b>.<\/span><\/p>\n

              Adopting a proactive stance, demanding transparency from suppliers, and applying internal compensating controls is the only way to protect data and ensure operational resilience in an environment where trust must be <\/span>verified, never assumed<\/b>.<\/span><\/p>\n

              Does your organization comply with ISO 27001, NIS2, and CRA supplier management requirements? At <\/span>Inprosec<\/b>, we can help you audit and strengthen your digital supply chain.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

              In the cybersecurity ecosystem, we tend to focus our efforts on development security. We invest significant resources in auditing proprietary code, looking for programming flaws, misconfigurations, or technical vulnerabilities in our own systems. However, the reality of today\u2019s threats shows that the most critical incidents do not always occur due to a coding error, but…<\/p>\n","protected":false},"author":6,"featured_media":14271,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[97,52],"tags":[],"class_list":["post-14262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-security","category-technical-article"],"acf":[],"yoast_head":"\nThe Supply Chain: The True Attack Vector in Cybersecurity - Inprosec<\/title>\n<meta name=\"description\" content=\"The supply chain is now the primary attack vector. We analyze the Notepad++ case and the impact of NIS2, ISO 27001, and the CRA on supplier risk management.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Supply Chain: The True Attack Vector in Cybersecurity\" \/>\n<meta property=\"og:description\" content=\"The supply chain is now the primary attack vector. We analyze the Notepad++ case and the impact of NIS2, ISO 27001, and the CRA on supplier risk management.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/\" \/>\n<meta property=\"og:site_name\" content=\"Inprosec\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-18T09:05:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-18T09:06:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2026\/02\/2-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fernando Mosquera\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fernando Mosquera\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/\"},\"author\":{\"name\":\"Fernando Mosquera\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"headline\":\"The Supply Chain: The True Attack Vector in Cybersecurity\",\"datePublished\":\"2026-02-18T09:05:51+00:00\",\"dateModified\":\"2026-02-18T09:06:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/\"},\"wordCount\":1131,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/2-1.jpg\",\"articleSection\":[\"Information Security\",\"Technical Article\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/\",\"name\":\"The Supply Chain: The True Attack Vector in Cybersecurity - Inprosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/2-1.jpg\",\"datePublished\":\"2026-02-18T09:05:51+00:00\",\"dateModified\":\"2026-02-18T09:06:27+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"description\":\"The supply chain is now the primary attack vector. We analyze the Notepad++ case and the impact of NIS2, ISO 27001, and the CRA on supplier risk management.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/2-1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/2-1.jpg\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/the-supply-chain-the-true-attack-vector-in-cybersecurity\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Supply Chain: The True Attack Vector in Cybersecurity\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\",\"name\":\"Inprosec\",\"description\":\"Information security is our priority.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\",\"name\":\"Fernando Mosquera\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"caption\":\"Fernando Mosquera\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"The Supply Chain: The True Attack Vector in Cybersecurity - Inprosec","description":"The supply chain is now the primary attack vector. We analyze the Notepad++ case and the impact of NIS2, ISO 27001, and the CRA on supplier risk management.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/","og_locale":"en_US","og_type":"article","og_title":"The Supply Chain: The True Attack Vector in Cybersecurity","og_description":"The supply chain is now the primary attack vector. We analyze the Notepad++ case and the impact of NIS2, ISO 27001, and the CRA on supplier risk management.","og_url":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/","og_site_name":"Inprosec","article_published_time":"2026-02-18T09:05:51+00:00","article_modified_time":"2026-02-18T09:06:27+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2026\/02\/2-1.jpg","type":"image\/jpeg"}],"author":"Fernando Mosquera","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fernando Mosquera","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#article","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/"},"author":{"name":"Fernando Mosquera","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"headline":"The Supply Chain: The True Attack Vector in Cybersecurity","datePublished":"2026-02-18T09:05:51+00:00","dateModified":"2026-02-18T09:06:27+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/"},"wordCount":1131,"commentCount":0,"image":{"@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2026\/02\/2-1.jpg","articleSection":["Information Security","Technical Article"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/","url":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/","name":"The Supply Chain: The True Attack Vector in Cybersecurity - Inprosec","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#primaryimage"},"image":{"@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2026\/02\/2-1.jpg","datePublished":"2026-02-18T09:05:51+00:00","dateModified":"2026-02-18T09:06:27+00:00","author":{"@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"description":"The supply chain is now the primary attack vector. We analyze the Notepad++ case and the impact of NIS2, ISO 27001, and the CRA on supplier risk management.","breadcrumb":{"@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#primaryimage","url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2026\/02\/2-1.jpg","contentUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2026\/02\/2-1.jpg","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/www.inprosec.com\/en\/the-supply-chain-the-true-attack-vector-in-cybersecurity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inprosec.com\/en\/"},{"@type":"ListItem","position":2,"name":"The Supply Chain: The True Attack Vector in Cybersecurity"}]},{"@type":"WebSite","@id":"https:\/\/www.inprosec.com\/en\/#website","url":"https:\/\/www.inprosec.com\/en\/","name":"Inprosec","description":"Information security is our priority.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inprosec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2","name":"Fernando Mosquera","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","caption":"Fernando Mosquera"}}]}},"_links":{"self":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/14262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/comments?post=14262"}],"version-history":[{"count":2,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/14262\/revisions"}],"predecessor-version":[{"id":14278,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/14262\/revisions\/14278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media\/14271"}],"wp:attachment":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media?parent=14262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/categories?post=14262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/tags?post=14262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}