Software Supply Chain Resilience in 2025: A Comparative Analysis of Major Incidents Using OSINT Methodologies
Author(s): STĂNCIULESCU, Adelaida; BACIVAROV, Ioan
Author(s) keywords: CI/CD compromises, cyber incidents 2025, open-source security, OSINT, SBOM, software supply chain
Reference keywords: incidents, OSINT, software security
Abstract:
The year 2025 marked a significant increase in software supply chain attacks, highlighting a strategic shift in the way malicious actors operate. Unlike previous years, the 2025 incidents demonstrated a clear focus on compromising critical development infrastructures, cloud service providers, and open-source ecosystems with global impact. This article performs a comparative analysis of the major software supply chain incidents reported in 2025, examining attack vectors, propagation mechanisms, operational impact, and implications for current software security models.
Date of Publication: 2025-12-24
Publication: International Journal of Information Security and Cybercrime
ISSN: 2285-9225 e-ISSN: 2286-0096
Digital Object Identifier: 10.19107/IJISC.2025.02.03
Issue: Volume XIV, Issue 2, Year 2025
Section: Studies and Analysis of Cybercrime Phenomenon
Page Range: 32-38 (7 pages)
Copyright ©2012-2026
The International Journal of Information Security and Cybercrime (IJISC)
All rights reserved
The International Journal of Information Security and Cybercrime is a trademark of the Romanian Association for Information Security Assurance (RAISA).
No part of this publication may be reproduced, stored in a retrieval system, photocopied, recorded or archived, without the written permission from RAISA. When authors submit their papers for publication, they agree that the copyright for their article be transferred to the Romanian Association for Information Security Assurance, if the articles are accepted for publication. The copyright covers the exclusive rights to reproduce and distribute the article, including reprints and translations.