What’s a software supply chain attack? The lesson from this week’s npm hack

Tech Translated — IT Blog for Australian Businesses | All IT Services

[Image: a row of software packages connected in a chain, with one compromised package flagged with a warning]

You don’t have to be a developer to be hit by a supply chain attack — you just have to use software somebody else built. A software supply chain attack is when criminals slip malicious code into a trusted product, or one of its ingredients, so it lands on your systems through the front door looking completely legitimate. Think of someone tampering with a tin at the factory rather than breaking into your kitchen.

It’s back in the news this week. Researchers at JFrog found booby-trapped packages on npm — the giant public library of ready-made code that developers pull building blocks from — posing as a popular tool with more than 100 million weekly downloads, as reported by The Hacker News. Install one of the fakes instead of the real thing and it quietly drops malware that steals the passwords saved in your browser. Your website, your accounting add-ons, your line-of-business apps — they’re all built on stacks of this third-party code.

Why it matters for your business

The practical lesson isn’t to stop using software. It’s that “trusted vendor” doesn’t mean “no risk”. Keep an inventory of the plugins, apps and integrations you actually use, switch off the ones you don’t, apply updates promptly, and make sure someone is watching for vendor breach notifications. Most supply chain compromises are caught and fixed quickly — but the fix only reaches you if someone is paying attention.
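For the technical reader, here is what the “keep an inventory” and “disguised as a popular tool” points look like in practice for an npm project. This is an added example written for this article, not code from JFrog, npm or The Hacker News, and it does not reproduce the packages from the incident. It reads a lockfile (the `package-lock.json` file npm writes next to a project), lists every installed package, and flags names that are one or two typos away from a well-known package. The lockfile and the list of “known good” names are constructed for the example; `expresss` and `@scope/loadsh` are made-up lookalikes, not real packages.

```python
"""Inventory the third-party packages in an npm lockfile and flag names that
look like typosquats of well-known packages.

Added example for this article (not JFrog's, npm's or The Hacker News's code).
The lockfile and allowlist below are constructed for illustration; the
lookalike names 'expresss' and '@scope/loadsh' are made up.
"""
import json

# Packages we expect to see. Constructed allowlist for the example; in
# practice, build this from what your own projects actually depend on.
KNOWN_GOOD = {"express", "lodash", "axios", "react", "chalk", "debug"}

# Constructed package-lock.json using the lockfileVersion 3 layout, where
# every installed package appears under "packages" keyed by its path.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/expresss": {"version": "0.0.1"},          # made-up lookalike
        "node_modules/@scope/loadsh": {"version": "1.0.0"},     # made-up lookalike
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def inventory(lockfile_text):
    """Return {package_name: version} for every installed package in the lockfile."""
    data = json.loads(lockfile_text)
    found = {}
    for path, meta in data.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        # Nested installs look like a/node_modules/b/node_modules/c; the
        # installed package name is whatever follows the last 'node_modules/'.
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version", "?")
    return found


def suspicious_names(names, known_good=KNOWN_GOOD, max_distance=2):
    """Flag names within max_distance edits of a known package but not equal
    to it. Returns {suspect_name: the known package it resembles}."""
    flagged = {}
    for name in names:
        bare = name.split("/")[-1]  # drop an @scope/ prefix if present
        if bare in known_good:
            continue
        nearest = min(known_good, key=lambda good: edit_distance(bare, good))
        if edit_distance(bare, nearest) <= max_distance:
            flagged[name] = nearest
    return flagged


if __name__ == "__main__":
    installed = inventory(SAMPLE_LOCKFILE)
    print("Installed packages:")
    for name, version in sorted(installed.items()):
        print(f"  {name} {version}")
    print("Possible typosquats:")
    for name, lookalike in suspicious_names(installed).items():
        print(f"  {name!r} looks like {lookalike!r}")
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with the file’s contents and `KNOWN_GOOD` with the packages your team actually intends to use. A near-miss is a prompt to check, not proof of an attack: legitimate packages sometimes sit one or two characters from a famous name, so treat each flag as a question for whoever added the dependency.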

Knowing what’s installed, what’s patched, and what has quietly gone end-of-life is part of managed cybersecurity. If you’re not sure who keeps that list for your business, that’s a conversation worth having.
