---
title: Supply chain attacks
description: Learn about how supply chain attacks work, deliver malware to your devices, and what you can do to protect yourself
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
---

# Supply chain attacks

Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware.

## How supply chain attacks work

Attackers hunt for insecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source code, and hide malware in build and update processes.

Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.

The number of potential victims is significant, given the popularity of some apps. In one case, a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.

### Types of supply chain attacks

* Compromised software building tools or update infrastructure
* Stolen code-signing certificates, or malicious apps signed using the identity of a development company
* Compromised specialized code shipped in hardware or firmware components
* Pre-installed malware on devices (cameras, USB, phones, etc.)

To learn more about supply chain attacks, read the blog post [attack inception: compromised supply chain within a supply chain poses new risks](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).

## How to protect against supply chain attacks

* Deploy strong code integrity policies to allow only authorized apps to run.
* Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.

### For software vendors and developers

* Take steps to ensure your apps are not compromised.
* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
* Immediately apply security patches for the OS and software.
* Require multi-factor authentication for admins.
* Build secure software update processes as part of the software development lifecycle.
* Develop an incident response process for supply chain attacks.

For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).
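
The following added example (not part of the original article and not Microsoft tooling) models why a code integrity policy that trusts a publisher alone admits a poisoned update signed by that publisher, while a hash-level rule holds the new bytes for review. The `Binary` and `Policy` types, the signer name, and the file contents are constructed for illustration; `signer` stands in for a signing identity that is assumed to have been verified elsewhere.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    """A file as the policy sees it. `signer` is an assumption: it represents
    a code-signing identity that has already been cryptographically verified."""
    name: str
    signer: str
    content: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Policy:
    trusted_signers: frozenset   # publisher-level rules
    approved_hashes: frozenset   # hash-level rules (exact bytes that were reviewed)


def audit(policy, binaries):
    """Audit only, nothing is blocked: (name, publisher_ok, hash_ok) per binary."""
    return [(b.name,
             b.signer in policy.trusted_signers,
             b.sha256 in policy.approved_hashes) for b in binaries]


def needs_review(policy, binaries):
    """Binaries a publisher rule would run although their bytes were never approved."""
    return [name for name, pub_ok, hash_ok in audit(policy, binaries)
            if pub_ok and not hash_ok]


# Constructed sample data: one reviewed release, one update built on a
# compromised pipeline (same vendor signature), one unsigned tool.
RELEASE = Binary("compress.exe", "Example Vendor", b"release 1.0 bytes")
POISONED = Binary("compress.exe", "Example Vendor", b"release 1.1 bytes + injected code")
UNSIGNED = Binary("tool.exe", "", b"unknown tool")
POLICY = Policy(frozenset({"Example Vendor"}), frozenset({RELEASE.sha256}))
SAMPLES = [RELEASE, POISONED, UNSIGNED]

if __name__ == "__main__":
    for row in audit(POLICY, SAMPLES):
        print(row)
    print("review before approving:", needs_review(POLICY, SAMPLES))
```

The `needs_review` list is the set of updates to stage and inspect before their hashes are added to the policy.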