
How big is the CI/CD supply-chain problem — and who's behind it?

2026 · ~9 min read · sourced, with caveats noted inline

Short version: it's the fastest-growing breach vector, it's the slowest to detect, and the most damaging campaigns increasingly trace back to nation-states. Here's the data.

The volume is compounding

The clearest signal is in the open-source registries that every modern build pulls from. Malicious-package volume isn't creeping up — it's compounding year over year.

+75%
Open-source malware grew 75% in 2025 — on top of a 156% surge the year before. Sonatype counts 454,600 new malicious packages in 2025 and ~1.23 million cumulatively. (Sonatype 11th State of the Software Supply Chain, Jan 2026. Counting methods vary — ReversingLabs, using analyst-confirmed detections, reports a smaller absolute count but a near-identical +73% growth.)

Over 99% of that 2025 malware landed on npm — the JavaScript ecosystem is where the volume is. Not all of it is targeted; a chunk is registry spam. But the targeted slice is exactly the slice that ends up in a real build.

Most companies have already been hit

75%+
More than three in four organizations reported a software supply-chain attack in the prior 12 months. (BlackBerry / Coleman Parkes, n=1,000, 2024. Self-reported; "supply chain" is defined broadly. Checkmarx put it at 63% over two years; Synopsys/Ponemon at 54% in a year — different windows, same direction.)

30%
Third-party involvement in breaches doubled to 30% in a single year — the largest jump in the history of the Verizon DBIR. One in three breaches now reaches you through someone else's code or credentials. (Verizon 2025 DBIR. "Third-party" is broader than pure software supply chain.)

It's the costliest and slowest vector to catch

267 days
A supply-chain breach takes 267 days to detect and contain — longer than any other initial vector — and costs an average of $4.91M. (IBM / Ponemon Cost of a Data Breach 2025.)

That 267-day figure is the whole ballgame. The attack doesn't succeed because the controls are absent; it succeeds because no one connects the dots until the damage is months old. Independent projections put the global annual cost of these attacks around $60B for 2025 (Cybersecurity Ventures — an extrapolated estimate, not a measurement; treat as directional).

The CI/CD layer is leaking credentials

The pipeline is where stolen access turns into stolen secrets. The numbers on credential sprawl are staggering — and getting worse, fast, with AI in the loop.

~29M
~29 million secrets were leaked on public GitHub in 2025 (+34% YoY, the largest jump on record) — and 64% of secrets exposed back in 2022 are still not revoked. AI-assisted commits leak secrets at roughly double the baseline rate. (GitGuardian State of Secrets Sprawl 2026.)

Two 2025 GitHub Actions campaigns show how this plays out in CI specifically:

Who's behind it: the nation-states

Most malicious packages are opportunistic crime. But the campaigns that do real damage — the ones that empty wallets, steal source code, and pre-position inside thousands of downstream customers — increasingly trace to four governments. Espionage-motivated breaches rose 163% year over year in the 2025 Verizon DBIR.

DPRK North Korea — the package factory

North Korea runs the only industrial-scale, cross-ecosystem malicious-package operation on record: 1,700+ malicious packages across npm, PyPI, Go, Rust, and PHP since 2024 (Socket). Its "fake IT worker" program infiltrated 320+ companies in the year to mid-2025 — a 220% YoY surge, roughly one new case a day (CrowdStrike); Mandiant says nearly every Fortune 500 CISO has unknowingly hired at least one. The payoff: $2.02B in crypto stolen in 2025, including the $1.5B Bybit hack — itself a supply-chain compromise of the Safe{Wallet} interface (Chainalysis, FBI).

PRC China — the downstream multiplier

Microsoft documented Silk Typhoon pivoting to IT supply-chain attacks (Mar 2025): steal API keys from a PAM or cloud-management vendor, then reach that vendor's downstream customers without ever touching them directly. China-nexus espionage rose 150% in 2024 (CrowdStrike). And in a category-defining first, a Chinese group (GTG-1002) weaponized an AI coding agent to run 80–90% of an attack autonomously against ~30 targets (Anthropic, Nov 2025).

RU Russia — the source-code play

APT29 / Midnight Blizzard breached Microsoft and exfiltrated source code for Azure, Intune, and Exchange — entry via a single legacy account with no MFA, then identity-first lateral movement, no malware (Microsoft, 2024). It also breached TeamViewer's corporate network. The doctrine, per CISA: tech vendors as stepping stones to their customers.

IR Iran — the vendor-compromise route

Iran's MuddyWater compromised 100+ government networks in a single Aug–Oct 2025 campaign (The Register), and Iranian custom-malware families grew 35% YoY (Mandiant). Iran's signature move isn't poisoning npm — it's compromising the software and IT vendors that serve high-value targets, then riding the trust relationship inward.

And beyond those four: Vietnam's APT32 shipped a backdoored Visual Studio plugin on GitHub to hit security researchers at compile time; the China-aligned PlushDaemon compromised a South Korean VPN provider as a stepping stone. The bench is deepening.

The pattern under all of it

Read those four playbooks again and the shape repeats: compromise an identity (a developer, a maintainer, a vendor's API key, a fraudulent insider) → act through the pipeline (publish a package, inject a workflow, pull source) → exfiltrate. Identity tools watch the first step. Pipeline tools watch the second. Almost nothing watches the hand-off, which is why detecting and containing these breaches takes 267 days.

That seam is the entire reason Sentinel exists: correlating the identity anomaly, the unlinked workflow change, and the novel egress into one same-hour incident instead of three blind tools and a quarter-year head start for the attacker.
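
The hand-off correlation described above, as an added example (not Sentinel's code): it joins an identity anomaly to an unlinked workflow change by user, then to a novel egress by repository, inside one window. The event fields, user and repo names, and destinations are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"ts": "2026-03-02T09:05:00", "kind": "identity_anomaly", "user": "dev-a"},
    {"ts": "2026-03-02T09:20:00", "kind": "workflow_change", "user": "dev-a",
     "repo": "org/api", "linked_pr": None},
    {"ts": "2026-03-02T09:41:00", "kind": "novel_egress", "repo": "org/api",
     "dest": "paste.example.net"},
    # Reviewed change with no identity anomaly: must not correlate.
    {"ts": "2026-03-02T10:00:00", "kind": "workflow_change", "user": "dev-b",
     "repo": "org/web", "linked_pr": 412},
    {"ts": "2026-03-02T10:10:00", "kind": "novel_egress", "repo": "org/web",
     "dest": "cdn.example.org"},
    # Full chain, but spread over 2.5 hours: outside the default window.
    {"ts": "2026-03-03T14:00:00", "kind": "identity_anomaly", "user": "dev-c"},
    {"ts": "2026-03-03T16:30:00", "kind": "workflow_change", "user": "dev-c",
     "repo": "org/cli", "linked_pr": None},
    {"ts": "2026-03-03T16:35:00", "kind": "novel_egress", "repo": "org/cli",
     "dest": "files.example.net"},
]

def correlate(events, window_minutes=60):
    """Join identity -> pipeline -> egress events that chain inside one window."""
    window = timedelta(minutes=window_minutes)
    evs = [{**e, "t": datetime.fromisoformat(e["ts"])} for e in events]
    kinds = {}
    for e in sorted(evs, key=lambda e: e["t"]):
        kinds.setdefault(e["kind"], []).append(e)
    incidents = []
    for ident in kinds.get("identity_anomaly", []):
        deadline = ident["t"] + window
        for wf in kinds.get("workflow_change", []):
            # Hand-off 1: same user, after the anomaly, change not tied to a PR.
            if wf["user"] != ident["user"] or wf["linked_pr"] is not None:
                continue
            if not ident["t"] <= wf["t"] <= deadline:
                continue
            for eg in kinds.get("novel_egress", []):
                # Hand-off 2: same repo, after the change, still inside the window.
                if eg["repo"] == wf["repo"] and wf["t"] <= eg["t"] <= deadline:
                    minutes = int((eg["t"] - ident["t"]).total_seconds() // 60)
                    incidents.append({"user": ident["user"], "repo": wf["repo"],
                                      "dest": eg["dest"], "span_min": minutes})
    return incidents

if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

With the default one-hour window only the dev-a chain is reported; widening the window to three hours also surfaces the slower dev-c chain, which is the trade-off between alert volume and catching a patient actor.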


Sources

  1. Sonatype — 11th State of the Software Supply Chain (Jan 2026); ReversingLabs 2026 SSC report.
  2. BlackBerry/Coleman Parkes (2024); Checkmarx (2024); Synopsys/Ponemon (2024) supply-chain surveys.
  3. Verizon 2025 Data Breach Investigations Report (third-party 30%, espionage +163%).
  4. IBM / Ponemon — Cost of a Data Breach 2025 ($4.91M, 267 days).
  5. GitGuardian — State of Secrets Sprawl 2026 (~29M secrets, 64% unrevoked).
  6. Unit 42 / CISA / Wiz — tj-actions CVE-2025-30066; GitGuardian — GhostAction.
  7. Socket (Apr 2026), CrowdStrike Threat Hunting Report (Aug 2025), Chainalysis (Dec 2025), FBI IC3 — DPRK.
  8. Microsoft Security Blog (Mar 2025) — Silk Typhoon; Anthropic (Nov 2025) — GTG-1002; CrowdStrike GTR 2025.
  9. Microsoft MSRC (2024) — APT29; The Register (Oct 2025) & Mandiant M-Trends 2025 — Iran/MuddyWater.

Figures are best-available as of mid-2026. Survey percentages use different definitions and look-back windows; cost projections are estimates. Where counts differ by source, we note the methodology gap rather than pick the bigger number.