Third-party vendors and external identities now form your primary security boundary. Threat actors have shifted away from exploiting software vulnerabilities. Today, they target the identity perimeter.
The traditional network perimeter is gone. It has mutated into a distributed network of identities encompassing employees, vendors, and third-party integrations. Trust now relies entirely on verified credentials rather than physical location.
This shift is driven by a systemic crisis in credential management. Attackers exfiltrated over 1.8 billion credentials globally in the first half of 2025. This represents an 800% increase over the previous six months.
This explosion of compromised data empowers Initial Access Brokers (IABs). These specialists infiltrate third-party entities to auction corporate access to ransomware syndicates and state-sponsored actors.
This article explores the mechanics of modern supply chain attacks. We analyze recent breaches to demonstrate how compromised vendor credentials lead to massive corporate exposure. Finally, we outline actionable strategies to continuously monitor and secure your external identity perimeter.
Quick Facts: Third-Party Cyber Risk and Credential Theft
Why Are Supply Chains the Primary Threat Vector for 2026?
The connection between leaked credentials and supply chain attacks is the primary threat vector for 2026 because it removes most of the attacker's work. They no longer need to break into your network; they simply log in using compromised vendor credentials.
In these attacks, a third party acts as a key intermediary. Once an adversary obtains valid credentials from a supplier, they inherit that supplier’s trusted permissions within the customer’s environment, bypassing traditional security perimeters through ‘identity blind spots’. This movement along the trust chain allows a localized intrusion at one service provider to become an exposure at multiple customers, triggering cascading impacts across entire industries.
The One-to-Many architecture of modern business makes a single supplier a force multiplier target. One successful compromise yields a massive haul of potential victims. Because of this, a static, annual security audit of your vendors is no longer sufficient. To truly evaluate the risk of a commercial relationship, organizations must implement continuous monitoring of provider credential behavior and external leak telemetry.
To illustrate the seriousness of this change, we can analyze the recent wave of leaks originating from failures in the supply chain.
Case 1: How Did the Axios Breach Expose the Software Supply Chain?
The Axios compromise proved that the greatest vulnerability in the software supply chain is the mismanagement of maintainer identities. On March 31, 2026, the Node Package Manager (npm) registry became the epicenter of one of the most sophisticated supply chain attacks recorded to date.
Axios is a widely used JavaScript library for making HTTP requests, with over 100 million weekly downloads. This incident serves as the definitive case study for the new identity perimeter.
Microsoft Threat Intelligence attributed the attack to Sapphire Sleet, a North Korean state actor. Unlike historical compromises that relied on software flaws, the Axios breach was the result of a targeted social engineering operation. The goal was to steal a maintainer’s ‘keys to the kingdom’.
The threat actors impersonated a legitimate company and built a convincing infrastructure. This included a cloned Slack workspace. They then prompted a lead maintainer to install a ‘security update’. This update was actually a credential-harvesting payload.
Case 2: How Did the ZYGHT Incident Threaten the Chilean Industrial Supply Chain?
The suspected ZYGHT compromise threatened the Chilean industrial supply chain by targeting the identity infrastructure of regional service providers. On March 27, 2026, security researchers including @1ZRR4H (Germán Fernández) flagged a suspected critical compromise. This event involved infrastructure vulnerabilities that reportedly bypassed security enhancements implemented following a 2025 breach. Preliminary findings suggest adversaries targeted the Citrix Gateway VPN and identity systems associated with these providers.
If confirmed, this incident could have enabled adversaries to:
- Exfiltrate Configuration Secrets: Indications show attackers targeted system configuration files. The likely goal was to obtain ‘nsroot’ access, which grants full administrative control.
- Expose Industrial User Data: Internal network secrets and user details may have been compromised. This poses a theoretical threat to the Operational Technology (OT) environments of major organizations like SQM and Pluspetrol through their service provider, ZYGHT.
An analysis of the ZYGHT ecosystem reveals a broad blast radius across critical industries in Chile and the Andean region. Impacted sectors include major operators in Mining, Energy, Oil & Gas, Commerce and Logistics, and the Salmon Industry.
This incident aligns with a broader, confirmed trend in Chile. Data leak attacks in the region surged by 188% between late 2025 and early 2026. This spike is largely attributed to the professionalization of infostealers like Lumma and RedLine. These tools have streamlined the path from initial infection to full-scale infrastructure compromise.
Case 3: How Did the Emergia BPO Breach Expose the Colombian Financial Sector?
The Emergia data breach exposed the Colombian financial sector by demonstrating how a single localized intrusion at a shared service provider can rapidly escalate into a massive multi-tenant exposure. In March and April 2026, the industry faced a watershed moment in supply chain vulnerability following this major security incident.
Emergia is a prominent Business Process Outsourcing (BPO) and customer experience (CX) provider. Details of the entry point remain unclear; however, this incident serves as the definitive case study for supply chain risk. The breach, which has been linked to the threat actor NyxarGroup, compromised millions of records across an entire national banking ecosystem.
The attack targeted the internal Content Management System (CMS) of the BPO. Customer service advisors use this system to assist bank clients. Threat actors compromised valid administrative credentials to gain the following capabilities:
- Capture Real-Time Interactions: Cybercriminals took screenshots of advisor screens showing live client data and support sessions.
- Exfiltrate Massive PDF Datasets: Attackers downloaded sensitive internal files containing records such as insurance plans.
- Capture Confidential User Data: The exposed information includes names, phone numbers, addresses, and credit profiles.
- Impersonate Legitimate Staff: The leak included the names of specific advisors. This enables highly credible social engineering scams where fraudsters use employee names to build trust with victims.
Emergia has not issued any advisory confirming or denying the information. The security breach impacted no fewer than fourteen major financial institutions, including Bancolombia, BBVA, Nu Bank, Banco Agrario, and Banco de Bogotá. This illustrates the catastrophic multiplier effect of vulnerabilities within the BPO supply chain. The primary infrastructures of the banks remained uncompromised. However, the breach at the provider level resulted in the mass exposure of sensitive client information and granular business activity data.
Case 4: How Did the Zestix Campaign Exploit Corporate File-Sharing Portals?
The Zestix campaign exploited corporate portals because attackers bypassed traditional perimeters using valid credentials from the dark web instead of sophisticated malware.
In early 2026, a threat actor known as Zestix or Sentap demonstrated that poor credential management can breach major corporations. The attacker specialized in auctioning access to file-sharing platforms like ShareFile, Nextcloud, and OwnCloud. These portals belonged to over fifty global enterprises across aviation, defense, and healthcare.
The attacker relied entirely on valid usernames and passwords sourced from infostealer logs. These logs came from malware variants like RedLine, Lumma, and Vidar. A lack of Multi-Factor Authentication (MFA) allowed attackers to easily breach sensitive sectors. They simply logged in using harvested credentials.
This infostealer-to-portal pipeline resulted in massive data exposures across multiple industries:
- Critical Utilities and Infrastructure: Pickett & Associates suffered a 139.1 GB leak. This data contained classified LiDAR files of transmission line corridors and infrastructure maps suitable for physical sabotage planning.
- Aviation and Logistics: Iberia Airlines lost 77 GB of data. The exfiltrated files included detailed aircraft safety manuals and maintenance plans.
- Defense and Robotics: Intecro Robotics had 11.5 GB of restricted defense data and military UAV designs stolen.
- Healthcare and Military Police: Maida Health faced a massive 2.3 TB breach. The incident exposed military police health records and highly sensitive patient information.
- Mass Transit: CRRC MA had an entire server compromised. The breach exposed transit signaling schematics and security data.
- Government and Standards: CiberC lost 103 GB of government contract data. Attackers also advertised a 3.6 TB dataset from the American National Standards Institute (ANSI).
- Legal and Corporate: Burris & Macomber had 18.3 GB of data stolen. This included Mercedes-Benz litigation files and confidential client records.
These incidents prove the threat landscape has shifted toward direct identity abuse. Attackers bypass complex networks using single compromised passwords. Business leaders must fundamentally rethink how they manage vendor trust.
How Should Organizations Secure the New Perimeter?
Organizations must secure the new perimeter by replacing static trust with continuous compromise assessment. In this nonlinear era, attacks move from a single infected device to full cloud administration in minutes.
How Do You Monitor the New Perimeter Surface?
You monitor the new perimeter surface by shifting your focus from network boundaries to the identity control plane. Lumu Discover provides all of the following required features:
- Exposed Credential Tracking: Implement dark web monitoring and Primary Source Collection (PSC) to capture raw logs from infostealer marketplaces. Identify corporate email accounts and session tokens before attackers weaponize them.
- Dynamic Third-Party Risk Scoring: Transition from annual questionnaires to real-time risk scores. These scores must incorporate live technical signals. Examples include active credential leaks at the vendor or sudden drops in their patching cadence.
- Vulnerability Correlation: Utilize automated vulnerability discovery systems to map third-party vulnerabilities like Citrix or VMware flaws. These vulnerabilities indicate potential breaches within vendor environments and facilitate escalation into your internal production systems.
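The exposed-credential tracking described above comes down to matching raw leak records against the identities an organization actually owns. The following Python is an added example written for this article, not Lumu Discover code: it triages constructed infostealer-style records (the `url|username|password` layout, the `example-corp.com` domain and the corporate host suffixes are all assumptions) into findings for accounts on corporate-owned hosts and for corporate identities reused on third-party sites, deduplicates them, and groups accounts that share one leaked secret so a single reset covers all of them. Secrets are reduced to a truncated hash used only as a correlation key.

```python
"""Triage constructed infostealer-style credential records against a corporate
identity inventory. Added example, not Lumu's code; the record layout,
corporate domain and host suffixes are assumptions for illustration."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in an assumed url|username|password layout; real feeds vary.
SAMPLE_LOG = """\
https://sso.example-corp.com/login|alice@example-corp.com|Winter2026!
https://mail.google.com|alice.personal@gmail.com|hunter2
https://vpn.example-corp.com/auth|svc-backup|P@ss-rotate-me
https://portal.vendor-x.net|bob@example-corp.com|Summer2025
https://shop.example-store.io|carol@example-corp.com|Summer2025
https://sso.example-corp.com/login|alice@example-corp.com|Winter2026!
"""

CORPORATE_DOMAINS = {"example-corp.com"}          # assumed identity domain
CORPORATE_HOST_SUFFIXES = (".example-corp.com",)  # assumed SSO/VPN hosts
REASON_HOST = "credential for corporate-owned host"
REASON_REUSE = "corporate identity reused on third-party site"


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    reason: str
    fingerprint: str  # truncated SHA-256 of the secret, a correlation key only


def parse_records(text):
    """Yield (host, user, password) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) != 3:
            continue
        url, user, password = parts
        yield urlsplit(url).hostname or "", user, password


def fingerprint(secret):
    """Short hash so findings can be correlated without keeping plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def classify(host, user):
    """Why a record matters to the corporate perimeter, or None if it does not."""
    domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
    if host.endswith(CORPORATE_HOST_SUFFIXES):
        return REASON_HOST
    if domain in CORPORATE_DOMAINS:
        return REASON_REUSE
    return None


def triage(text):
    """Deduplicated findings, corporate-host hits first, then by account."""
    seen, findings = set(), []
    for host, user, password in parse_records(text):
        reason = classify(host, user)
        if reason is None:
            continue  # personal accounts on personal sites are out of scope
        finding = Finding(user.lower(), host, reason, fingerprint(password))
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)
    findings.sort(key=lambda f: (f.reason != REASON_HOST, f.account))
    return findings


def shared_secrets(findings):
    """Accounts sharing one leaked secret: one reset must cover all of them."""
    groups = {}
    for f in findings:
        groups.setdefault(f.fingerprint, set()).add(f.account)
    return {fp: accounts for fp, accounts in groups.items() if len(accounts) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:45} {f.account:28} {f.host}")
    print("shared secrets:", shared_secrets(triage(SAMPLE_LOG)))
```

The host check runs before the domain check so that a service account with no e-mail address (such as the VPN record above) is still flagged when the leaked login targets a corporate-owned host.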
Why Is Identity Behavior and Trust Validation Critical?
Identity-based monitoring is critical because it detects attackers who log in rather than break in.
- Behavioral Anomaly Detection: Implement identity threat detection to identify unusual login behavior. Watch for administrator accounts connecting at abnormal times.
- Brute-Force and Spray Attack Detection: Monitor for high volumes of failed login attempts. Track attempts to access individual accounts from multiple IP addresses. These are clear indicators of industrial-scale credential abuse.
- Non-Human Identity Audits: Establish a real-time inventory of all service accounts, API keys, and CI/CD tokens. These identity blind spots often lack multi-factor authentication (MFA). They also maintain excessive privileges. This makes them high-value targets for supply chain attacks.
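The three detections above can be expressed directly as rules over authentication logs. The Python below is an added example written for this article, not Lumu Discover code: it parses constructed log lines in an assumed `timestamp ip=… user=… result=…` format and flags password spraying (one source IP failing against many distinct accounts), distributed brute force (one account failed from several IPs), and successful administrator logins outside business hours. The thresholds, the UTC business-hours window and the `adm-` prefix for administrator accounts are all assumptions to be tuned per environment.

```python
"""Identity-behaviour detections over constructed authentication log lines.
Added example, not Lumu's code; the log format, thresholds, business-hours
window and the 'adm-' administrator naming convention are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: one spraying IP, one account hit from several IPs,
# one administrator signing in at 03:12 UTC, plus benign traffic.
SAMPLE_LOG = """\
2026-04-02T03:12:00Z ip=203.0.113.5 user=adm-jdoe result=success
2026-04-02T09:00:01Z ip=198.51.100.7 user=alice result=failure
2026-04-02T09:00:02Z ip=198.51.100.7 user=bob result=failure
2026-04-02T09:00:03Z ip=198.51.100.7 user=carol result=failure
2026-04-02T09:00:04Z ip=198.51.100.7 user=dave result=failure
2026-04-02T09:00:05Z ip=198.51.100.7 user=erin result=failure
2026-04-02T09:05:00Z ip=192.0.2.10 user=svc-backup result=failure
2026-04-02T09:05:01Z ip=192.0.2.11 user=svc-backup result=failure
2026-04-02T09:05:02Z ip=192.0.2.12 user=svc-backup result=failure
2026-04-02T09:05:03Z ip=192.0.2.13 user=svc-backup result=failure
2026-04-02T10:15:00Z ip=10.0.0.21 user=alice result=success
2026-04-02T10:16:00Z ip=10.0.0.22 user=alice result=failure
2026-04-02T10:16:30Z ip=10.0.0.22 user=alice result=success
"""

SPRAY_MIN_ACCOUNTS = 5             # assumed: distinct accounts failed from one IP
BRUTE_MIN_FAILS = 4                # assumed: failures against one account ...
BRUTE_MIN_IPS = 3                  # ... from at least this many source IPs
BUSINESS_HOURS_UTC = range(7, 20)  # assumed 07:00-19:59 UTC
ADMIN_PREFIX = "adm-"              # assumed naming convention


def parse(text):
    """Return (timestamp, ip, user, success) tuples; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def detect_spray(events):
    """Source IPs whose failures span many distinct accounts (password spraying)."""
    accounts_by_ip = defaultdict(set)
    for _, ip, user, ok in events:
        if not ok:
            accounts_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in accounts_by_ip.items()
            if len(users) >= SPRAY_MIN_ACCOUNTS}


def detect_brute_force(events):
    """Accounts with many failures arriving from several IPs (distributed brute force)."""
    ips_by_user, fails_by_user = defaultdict(set), defaultdict(int)
    for _, ip, user, ok in events:
        if not ok:
            ips_by_user[user].add(ip)
            fails_by_user[user] += 1
    return {u: sorted(ips_by_user[u]) for u in fails_by_user
            if fails_by_user[u] >= BRUTE_MIN_FAILS and len(ips_by_user[u]) >= BRUTE_MIN_IPS}


def detect_offhours_admin(events):
    """Successful administrator logins outside the business-hours window."""
    return [(ts.isoformat(), ip, user) for ts, ip, user, ok in events
            if ok and user.startswith(ADMIN_PREFIX) and ts.hour not in BUSINESS_HOURS_UTC]


def run_all(text):
    events = parse(text)
    return {"spray": detect_spray(events),
            "brute_force": detect_brute_force(events),
            "offhours_admin": detect_offhours_admin(events)}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Note that the two failures against `alice` are not reported: they come from two IPs and one of them is followed by a success, which is ordinary user behaviour. Counting distinct accounts per IP and distinct IPs per account, rather than raw failure totals, is what separates spraying and distributed brute force from a user mistyping a password.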
Stop relying on static trust and outdated network perimeters. Uncover what adversaries know about your external attack surface, secure your third-party ecosystem, and detect identity-based threats in real time with Lumu Discover. Request your free attack surface assessment here.