Old strategy, new scale: While defenders chase trends, attackers optimize fundamentals.
The security industry loves to talk about “new” threats. Attacks using AI. Quantum-resistant encryption. Zero Trust Architecture. But if you look around, it seems like the most effective attacks in 2025 will be pretty much the same as in 2015. Attackers are exploiting the same entry points that have worked before, only with improved methods.
Supply chain: still cascading downstream
As the Shai Huld NPM campaign has shown, supply chains remain a major issue. If a single package is compromised, it can cascade down the entire dependency tree, impacting thousands of downstream projects. The attack vector has not changed. What has changed is how effectively attackers can identify and exploit opportunities.
AI has broken down barriers to entry. Just as AI has made it possible for one-man software projects to build sophisticated applications, the same is true for cybercrime. What used to require large-scale, organized work can now be done by individuals or lean teams. We believe that some of these NPM package attacks, including Shai-Hulud, may actually be a one-person operation.
As software projects become easier to develop and attackers demonstrate the ability to play the long game (as in the XZ Utils attack), we may see more cases where attackers publish legitimate packages that build trust over time and one day inject malicious functionality into all downstream users with the click of a button.
Phishing: One-click solution
Phishing still works for the same reasons it always did. It’s that humans are still the weakest link. But the stakes have changed dramatically. The recent npm supply chain attack shows the ramifications. A developer clicks on a malicious link and enters his credentials, resulting in his account being compromised. Packages that are downloaded tens of millions of times each week were compromised. Although the developer publicly reported the incident to npm, mitigation took time, during which time the attack spread at scale.
Official store: Not yet safe
Perhaps most frustratingly, the malware continues to bypass official gatekeepers. Our investigation into malicious Chrome extensions that steal ChatGPT and DeepSeek conversations reveals what we already know from mobile app stores. That means automated reviews and human moderators haven’t kept up with the sophistication of attackers.
This should sound familiar since the permissions issue has already been resolved. Android and iOS give users more control. You can allow access to your location and block your microphone, or allow access to your camera only when the app is open and not in the background. Chrome can implement the same model for extensions. The technology exists. It’s a matter of prioritization and execution.
Instead, users are faced with a binary choice where the extension requests permission to “read information from all websites.” If an extension requests that level of access, it will most likely be used for malicious purposes or later updated to do so.
Attackers do not have Shiny Tool Syndrome
When AI came along, attackers didn’t abandon their playbooks, they automated them. They still exploit supply chains, phish developers, and sneak malware past reviewers. They’re just doing it with 1/10th the resources.
Don’t chase shiny new defensive strategies while the basics aren’t working yet. Fix the permission model. Strengthen supply chain verification. Make phishing-resistant authentication the default. Fundamentals are becoming more important, not less.
The attacker has optimized the basics. What should defenders prioritize? Join OX for an upcoming webinar: Threat Intelligence Latest: What are hackers doing and what are the good guys doing?
Learn about the attack techniques that are gaining traction, what’s actually stopping attacks, and what to prioritize when resources are limited. Please register here.
Please register here.
Note: This article was written and contributed solely by Moshe Siman Tov Bustan, Security Research Team Leader at OX.
Source link
