Invisible Threats: Navigating Supply Chain Crises

Mar 10, 2026
Mike Sleap
Information Security Lead

The foundation of banking is Trust. Customers entrust financial institutions with their most sensitive personal and business information and funds. Similarly, banks extend that trust to their own technology partners and vendors. This essential "Chain of Trust" underpins the entire financial ecosystem. Yet, as is well known, this chain is only as strong as its weakest link. Recent global events show a dramatic acceleration in malicious parties exploiting these very trust relationships, leading to widespread and problematic impacts for financial institutions and their customers.

When a breach occurs anywhere in the supply chain, reputational damage is never equally distributed. Headlines almost always attribute a breach to the larger consumer-facing institution rather than the underlying third or fourth-party application, plugin, or AI tool that was the actual source of the data leak.

The Conduent breach is an example of a compromise at a supplier of secondary services to public agencies. Most of the 26 million consumers (as of February 2026) affected by the breach had no direct relationship with Conduent, but they did do business with an organization that used Conduent for payment services, office management, or health benefits.

Conversely, consider Salesloft Drift, the AI agent responsible for high-profile breaches of hundreds of publicly traded companies via their Salesforce instances. While Drift itself was covered in trade news outlets, it was the client companies – including information security and web infrastructure stalwarts – that made headlines when they disclosed their own compromises throughout August and September of 2025.

Organizations of all sizes and in all industries frequently lack the insight or direct access required to audit the vendor’s vendors. These fourth parties are, for various reasons, usually not highlighted by an organization. Yet it’s these ancillary relationships that are frequent causes of serious security incidents.

Patience is an Unseen Threat

Current security tools and systems strive for real-time detection, analysis, and remediation, looking for anomalous changes as they happen. However, the contemporary threat landscape is characterized less by immediate attacks and more by indirect channels involving more parties. Attackers with specific targets and objectives beyond simple infiltration are frequently able to exhibit a hunter’s patience and extend the timeline for action. This strategy requires minimal effort and often follows a less-scrutinized path to exploitation, while both the trust relationship with users and the pool of potential targets continue to grow.

Some examples of this include:

  • Code repository access – There is no better way to spread malicious code than to put it directly into a trusted application. This applies to both open source and closed source projects. The SolarWinds compromise was a six-month project once access to the repository was gained. The attempt to insert an exploitable backdoor into XZ Utils was a three-year campaign in which the malicious maintainer posted legitimate, benign updates to the repository, building a long chain of trust with the other project maintainers.
  • Malicious updates to trusted tools – Malware is increasingly found in previously trusted tools. For example, Google Chrome extensions have been known to operate safely for years before a malicious update is deployed. Less malicious, but still a risk, is the feature creep of trusted locally run apps, plugins, and extensions. New tools and services, most recently embodied by AI tooling everywhere, can introduce unwanted functions and effectively bypass the security controls an organization has implemented.
  • Long-term relationship fraud – Fraudsters will patiently cultivate an emotional relationship with a target of opportunity before attempting to take money or credentials that grant elevated access. These relationships are usually exploited on a personal level, but there have been instances where institutional embezzlement spurred by such long-term connections had a devastating impact on a financial institution.

Proactive Mitigation and Transparency

It is difficult to point to a single solution or strategy that could thwart supply chain attacks. Every organization is vulnerable whenever assets go outside of its control domain. With industries heavily dependent on a few key vendors, it can be difficult to inoculate a whole ecosystem. National and global outages are becoming more frequent with the subsequent impacts growing across more businesses and organizations.

Humans remain a critical line of defense against long-term attacks. As technology expert Bruce Schneier has described, the human ability to sense when something is “hinky” is best at spotting unusual activity in the moment. However, even this sense can be blunted: over a period of weeks or months, unusual behavior becomes normalized and virtually disappears from view.

To combat these evolving risks, banks must demand and implement a proactive and transparent security posture. For partners like Narmi, this means moving beyond reactive defense to continuous vigilance.

  • Scanning: Employing continuous scanning of all packages and libraries to identify and mitigate vulnerabilities the moment they emerge.
  • Contingency Planning: Maintaining robust plans for the rapid reversion or replacement of affected tools in the event of seriously impactful events, ensuring service continuity for financial services.
  • Human-Centric AI Governance: While using AI for code assistance and automation is common practice, all critical decisions must be performed by humans. All actions must be auditable, traceable, and repeatable. Furthermore, AI agents should be limited in function, scope, and size with strict guardrails for users and systems to avoid creating a self-inflicted security problem.
  • Regular Review: Conducting regular monitoring and review of both internal business processes and the practices of critical outside vendors. A proper assessment of due diligence materials can give a skilled reviewer insight into whether an organization is checking boxes on a task list or is capable of handling an event or incident.
  • Building Against Compromise: Narmi’s system provides powerful tools for managing consumer information and accounts. Not all functions are available to all users. Some are not available to customers due to risk. Designing and testing with scenarios involving compromised privileged users ensures a full defense-in-depth implementation.
  • Security Culture: Users should know the stakes of any security issue, what their role or involvement may be, which practices and behaviors to avoid, and feel clear and supported when reporting observations or findings.
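The “Building Against Compromise” and “Human-Centric AI Governance” bullets above describe one design principle: not every function is exposed to every role, a critical action cannot ride on a single privileged account, and every decision leaves an auditable trail. The following is an added Python illustration of that principle, not Narmi’s code; the action names, roles, and risk tiers are hypothetical, and the scenario at the end is a constructed test of a compromised privileged user.

```python
# Added illustration (not Narmi code): risk-tiered action gateway with dual control and a hash-chained audit log.
import hashlib, json

# Hypothetical action catalogue: action -> (risk tier, roles allowed to invoke it);
# "critical" actions also need two human approvers other than the requester.
ACTIONS = {
    "view_balance":     ("low",      {"customer", "staff", "ai_agent"}),
    "update_address":   ("elevated", {"staff"}),
    "raise_wire_limit": ("critical", {"staff"}),
}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class Gateway:
    def __init__(self):
        self.audit = []  # hash-chained log: every decision is traceable and tamper-evident

    def request(self, actor, role, action, approvers=()):
        tier, allowed_roles = ACTIONS[action]
        others = set(approvers) - {actor}  # a requester can never approve their own action
        if role not in allowed_roles:
            outcome = "denied:role"          # function is simply not exposed to this role
        elif tier == "critical" and len(others) < 2:
            outcome = "denied:dual_control"  # one compromised account cannot act alone
        else:
            outcome = "allowed"
        entry = {"actor": actor, "role": role, "action": action, "approvers": sorted(others),
                 "outcome": outcome, "prev": self.audit[-1]["digest"] if self.audit else "0" * 64}
        entry["digest"] = _digest(entry)
        self.audit.append(entry)
        return outcome

    def verify_audit(self):
        # Repeatable check that no recorded decision was altered or dropped.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def compromised_admin_scenario():
    # Constructed test: a single compromised staff account ("admin1") tries a critical action.
    gw = Gateway()
    outcomes = [
        gw.request("admin1", "staff", "raise_wire_limit"),                              # alone
        gw.request("admin1", "staff", "raise_wire_limit", approvers=["admin1"]),         # self-approval
        gw.request("admin1", "staff", "raise_wire_limit", approvers=["ops2", "risk3"]),  # two other humans
        gw.request("bot", "ai_agent", "update_address"),       # AI agent kept to its read-only scope
        gw.request("cust9", "customer", "raise_wire_limit"),   # never exposed to customers
    ]
    return outcomes, gw
```

Running the scenario shows that the compromised account gets nowhere alone or by approving itself, and that any later edit to a logged decision is caught by `verify_audit()`.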

By prioritizing transparency, continuous vigilance, and human oversight, financial institutions can better safeguard the trust they are built upon, even as the invisible threat of the supply chain continues to evolve.

Narmi Inc.