3rd Party Software Hacks Fueling Health Data Breaches
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines, curated by the team at ReversingLabs (RL).
This week: A string of healthcare-focused data breaches has a common theme: third-party software weaknesses. And: JPMorganChase CISO Pat Opet calls out SaaS and third-party software risk.
This Week’s Top Story
Third-party hacks fuel healthcare breaches
A string of incidents in recent weeks highlights a clear trend in the cybersecurity landscape: the link between vulnerable third-party providers and healthcare-related data breaches. Just in the last week, two UK-based hospitals, University College London Hospitals (UCLH) and University Hospital Southampton NHS Foundation Trust, revealed that they had fallen victim to cyberattacks exploiting a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a third-party mobile device management tool. The flaw, discovered on May 15 and subsequently patched, allowed unauthorized access to staff mobile device data, including phone numbers and IMEI numbers, IT Pro reported.
On the other side of the Atlantic, the University of Chicago Medicine Medical Group revealed that sensitive information belonging to approximately 38,000 of its patients was exposed in a July data breach at Nationwide Recovery Services, a third-party debt collection agency. The compromised data includes names, birthdates, addresses, Social Security numbers, financial information, and medical details, SC World reported.
The incidents highlight the vulnerabilities associated with third-party service providers in the healthcare sector, as healthcare organizations increasingly rely on third-party software solutions. Experts advocate comprehensive risk assessments and stringent security protocols when integrating third-party applications into healthcare systems. So-called "silent breaches," in which threat actors capitalize on systemic vulnerabilities to hijack trusted vendor relationships as gateways to larger campaigns, are a growing trend within the healthcare sector. A 2024 analysis of public breach disclosures and regulatory filings by researchers at Black Kite, for example, concluded that silent breaches created disruption and had cascading effects that wreaked havoc on industries such as health care, retail, and logistics.
Learn more about how RL helps healthcare organizations by providing threat intelligence, file, and software analysis to ensure all digital assets are secure and prevent malware, tampering, and other threats.
This Week’s Headlines
Top CISO calls out SaaS — Enter the SaaSBOM
Organizations face a growing risk of cyberattack as a result of their growing reliance on third-party software-as-a-service (SaaS) providers, JPMorganChase CISO Pat Opet laid out in a recent open letter. In "An open letter to third-party suppliers," Opet warned of rapidly escalating risks related to SaaS offerings, as many SaaS vendors prioritize speedy feature delivery over robust security practices. Managing the security of SaaS products and improving third-party software risk management (TPSRM) is essential to enterprises’ security.
Opet wrote that the presumption of SaaS delivery for software is a “dangerous default” and that SaaS magnifies the impact of security weaknesses, as well as outages and breaches, creating “single points of failure with potentially catastrophic systemwide consequences."
Opet's warning comes amid growing concern over enterprise exposure to SaaS risks. Just this week, researchers at Google warned that APT41, a Chinese state-sponsored hacking group, has been observed leveraging Google Calendar as a command-and-control (C2) mechanism in a recent cyber-espionage campaign, The Record reported. And researchers at Oasis Security disclosed an issue with OAuth permissions tied to a Microsoft OneDrive feature that basically allows third-party web applications to access the entire contents in a user's OneDrive storage.
The growth in attacks on SaaS applications has prompted the creation of a SaaS bill of materials (SaaSBOM) as part of CycloneDX's extended bill of materials (xBOM). SaaSBOMs provide critical details about networking services used by a software application and an inventory of external services — with details such as service name, specific API endpoints, data classifications, directional flow of data, and authentication requirements.
"SBOMs have been part of the mainstream for some time, offering valuable insight into the components included in a software package. However, they don’t provide complete visibility into all dependencies — particularly external services," wrote Dave Ferguson of ReversingLabs recently. "That’s where SaaSBOMs come in, offering a deeper layer of transparency by identifying third-party services in use." (Source: RL Blog)
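To make the SaaSBOM fields above concrete, here is an added example (not from the newsletter, RL, or the CycloneDX project): a minimal CycloneDX document whose `services` array carries the service name, endpoints, data classification, data flow, and authentication flag, plus a small policy check that flags sensitive data leaving the application to an external service that is not authenticated or not on an encrypted endpoint. The vendors, endpoints, and the `auditSaasBom` function are constructed for illustration.

```javascript
// Constructed CycloneDX 1.5 document; the "services" section is the SaaSBOM.
const saasBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  version: 1,
  components: [{ type: "application", name: "patient-portal", version: "2.3.0" }],
  services: [
    {
      "bom-ref": "svc-payments",
      provider: { name: "Example Payments Inc." },    // constructed vendor
      name: "card-processing-api",
      endpoints: ["https://api.payments.example/v1/charges"],
      authenticated: true,
      "x-trust-boundary": true,                       // leaves our network
      data: [{ flow: "outbound", classification: "PCI" }],
    },
    {
      "bom-ref": "svc-collections",
      provider: { name: "Example Collections LLC" },  // constructed vendor
      name: "debt-collection-export",
      endpoints: ["wss://export.collections.example/upload"],
      authenticated: false,                           // the weak setting
      "x-trust-boundary": true,
      data: [{ flow: "outbound", classification: "PHI" }],
    },
  ],
};

const SENSITIVE = new Set(["PHI", "PII", "PCI", "SSN"]);

// Return one finding per external service that receives sensitive data
// without authentication, or over a cleartext endpoint across a trust boundary.
function auditSaasBom(bom) {
  const findings = [];
  for (const svc of bom.services ?? []) {
    const outbound = (svc.data ?? []).filter(
      (d) => ["outbound", "bi-directional"].includes(d.flow) && SENSITIVE.has(d.classification)
    );
    if (outbound.length === 0) continue;
    const classes = outbound.map((d) => d.classification).join(",");
    if (svc.authenticated === false) {
      findings.push({ service: svc.name, reason: `unauthenticated endpoint receives ${classes}` });
    }
    const encrypted = (svc.endpoints ?? []).every((e) => /^(https|wss):\/\//.test(e));
    if (svc["x-trust-boundary"] && !encrypted) {
      findings.push({ service: svc.name, reason: `cleartext endpoint carries ${classes}` });
    }
  }
  return findings;
}

console.log(auditSaasBom(saasBom));
```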
Three malicious npm packages discovered: designed for data theft
ReversingLabs researchers this week called out three newly discovered packages on the npm package manager that appeared to be malicious and engineered to exfiltrate data from systems that install the packages.
In a post on X on Tuesday, ReversingLabs researchers called out the npm packages eslint-format, react_code_format, and @okdev/boiler_plate, describing them as "simple" packages that are capable of exfiltrating sensitive file content using WebSocket. According to RL researchers, the malicious npm packages execute a postinstall script following installation that runs a malicious payload, which uploads the contents of a local directory over a WebSocket. It then monitors the affected directories for any changes. If a file in them is created, deleted, or modified, that information and a new copy of the file are exfiltrated.
RL said the packages have been removed from npm since it discovered and reported the malicious files. (Source: x.com/ReversingLabs)
Checkmarx uncovers malicious packages on PyPI and npm
Security firm Checkmarx identified malicious software packages uploaded to the Python Package Index (PyPI) and the npm repositories. These packages, mimicking popular libraries like Colorama, were designed to deceive developers into incorporating them into their applications. Once integrated, the malicious code could bypass endpoint security measures, exfiltrate data, and provide persistent remote access to compromised systems.
The attackers employed techniques such as typosquatting and name confusion to trick developers into downloading the malicious packages. Although the compromised packages have been removed, the incident underscores the ongoing threats to software supply chains. Developers are urged to exercise caution when sourcing packages from public repositories and to implement stringent security checks within their development pipelines.
This event serves as a reminder of the importance of securing the software development lifecycle against supply chain attacks. (Source: DevOps.com)
Adidas data breach highlights supply chain weaknesses
Adidas has disclosed a data breach resulting from unauthorized access to customer information via a third-party customer service provider. The compromised data includes personally identifiable information (PII), though payment details were reportedly not affected. This breach places Adidas among several major retailers, including Dior, Marks & Spencer, Harrods, and Co-Op, that have experienced similar incidents in recent weeks.
Cybersecurity experts emphasize that this breach highlights the inherent risks within interconnected supply chains. Attackers often target third-party vendors with weaker security measures to gain access to larger organizations' data. The incident serves as a stark reminder for companies to thoroughly vet and continuously monitor the cybersecurity practices of their suppliers and partners.
Adidas has urged customers to remain vigilant for suspicious communications and to report any unauthorized account activity. The company is working with cybersecurity professionals to investigate the breach and enhance its security protocols to prevent future incidents. (Source: SecurityBrief)
Learn how RL Spectra Assure provides early and actionable feedback on software supply chain risks like malware, tampering, and exposed secrets — without slowing down development.
The Best of RL
Report | 2025 Gartner® Market Guide for SSCS
This latest guide from Gartner covers three critical use cases for software supply chain security (SSCS) to improve visibility, protect the integrity of the SDLC, and meet regulatory and government mandates. (Download Today)
Webinar | AI Meets SSCS
Wednesday, June 4 at 12pm ET
In this webinar, industry experts—including Daniel Miessler, cybersecurity thought leader and host of Unsupervised Learning—will unpack what AI means for the future of software supply chain security and how to prepare for what’s next. (Save Your Seat)
Webinar Replay | SSCS Market Guide Insights
Wednesday, May 28 at 12pm ET
Join RL for insights and real-world examples of the visibility gaps outlined by the Market Guide for Software Supply Chain Security from Gartner, and get an overview and demonstration of the capabilities needed to address them. (Watch Replay)
For more insights on software supply chain security, see the RL Blog.