Supply Chain Attacks — When You Trust the Wrong Merchant | Nat20 InfoSec Ep. 15

You checked every visitor. Vetted every new employee. Locked every door. Filtered the email. Trained the staff. Then the update arrived. From the vendor you've used for three years. With the digital signature you verified. Through the automated channel you trusted. And it was already too late. In this episode: Supply chain attacks: the attack that arrives as something you asked for Why trust is the vector — you opened the gate yourself, and had reason to SolarWinds (2020) — a backdoor in the build environment, 18,000 organizations compromised through a signed update NotPetya (2017) — $10 billion in damage, started with an accounting software update XZ Utils (2024) — two years of patient social engineering into an open-source project, caught by accident The scope: every library, plugin, cloud service, vendor, and auto-update is supply chain Trust relationships are attack surfaces How the most sophisticated attackers reach hardened targets — through their vendors ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Nat20 InfoSec is an information security education series built for people who think in terms of kingdoms, adventuring parties, and campaigns. Arc 2 — The Monster Manual — studies how attacks actually work: the patterns, the players, and the techniques. The series is structured like a player's handbook. Every episode is a lesson. Every concept is a rule of the realm. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ #InfoSec #Cybersecurity #SupplyChainAttack #CybersecurityBasics #TTRPG #Nat20InfoSec