Software supply chain attacks hit record levels in 2025

A year-end security analysis, “Securing the Software Supply Chain in 2026,” released by CleanStart, highlights an emerging systemic risk in modern software development. Drawing on multiple industry research sources, the report shows that software supply chain attacks more than doubled globally during 2025. It further notes that over 70% of organisations reported experiencing at least one third-party or software supply chain-related security incident. Upstream compromise is becoming a persistent and structural risk rather than an isolated threat.

Global losses from software supply chain attacks are projected to touch the $60 billion mark by year-end. October 2025 recorded the highest concentration of incidents, confirming sustained rather than episodic threat activity.

The attack surface has fundamentally changed. Threat actors are not targeting traditional security perimeters. Instead, they are compromising software at the source. In 2025, attacks entered organisations primarily during software assembly rather than deployment, shifting risk earlier in the lifecycle and challenging conventional security assumptions.

Key findings from the CleanStart report:

● 35% of attacks originated through compromised software dependencies

● 22% targeted CI/CD pipelines and build environments

● 20% involved poisoned or unverified container images

● 18% resulted from maintainer account takeovers

Dependencies, build pipelines and container images now represent 75% of all supply chain attack entry points. The report highlights that once a malicious component enters a base container image, it can propagate across 100% of downstream services that reuse it, significantly amplifying blast radius across environments.

Among organisations impacted by software supply chain incidents, the report found that the business consequences of upstream compromise varied significantly by sector. Banking and financial services face regulatory penalties and audit failures due to traceability gaps. E-commerce firms reported checkout outages and revenue loss from dependency issues.

Media and entertainment companies experienced IP theft and content manipulation through compromised AI-driven pipelines. While vulnerabilities are shared, the report notes that BFSI (banking, financial services and insurance) carries the highest regulatory exposure, e-commerce faces the greatest revenue risk due to deployment velocity, and media and entertainment bears disproportionate IP and legal risk.

Nilesh Jain, CEO and Founder of CleanStart, said, “2025 was the year software supply chain risk became measurable. For years, enterprise software conversations have been shaped by delivery speed and scale. What 2025 made clear is that velocity without verifiable foundations carries systemic risk. As organisations move into 2026, the focus will increasingly shift to proof: the ability to demonstrate where software comes from, how it is assembled, and whether its integrity can stand up to regulatory, operational and commercial scrutiny.”

The report identified a critical visibility gap. Fewer than 50% of enterprises currently monitor more than 50% of their extended software supply chain, leaving organisations exposed to upstream compromise. Runtime security controls consistently detected threats too late, highlighting the urgent need for build-time validation rather than post-deployment fixes. Despite rising attack volumes, the report places overall industry maturity between Level 1 and Level 2, characterised by scan-only approaches and limited operational control.

As a result of these gaps, the report warns that most enterprises are entering 2026 without meeting basic supply chain security readiness benchmarks.

Looking ahead to 2026, the report outlines readiness benchmarks that most enterprises currently fail to meet, including the ability to locate compromised components in under one hour and rebuild affected workloads in less than four hours. Supply chain security is also increasingly influencing procurement, audit and insurance decisions, with software provenance and SBOM disclosures emerging as commercial requirements rather than best practices.
