Key Takeaways
- China’s sophisticated hacking groups, known as typhoon APTs, pose a significant threat to data-rich commercial firms, universities, government agencies, and owners of critical infrastructure.
- The success of these attacks often relies on hidden software flaws and avoidable weaknesses in the targeted IT infrastructure.
- The increasing use of cloud computing, SaaS applications, and open-source software has created new risks and vulnerabilities.
- Regulations, such as the European Union’s Cyber Resilience Act and the US Department of Defense’s Software Fast Track Initiative, are emerging to prioritize software security and technology resilience.
- Organizations need to adopt new tools and capabilities, such as software bills of materials (SBOMs) and complex binary analysis, to identify and isolate supply chain risks.
Introduction to Typhoon APTs
The cybersecurity landscape has shifted significantly in recent years with the emergence of sophisticated hacking groups, known as typhoon APTs, which have been granted broad portfolios by China’s government to target data-rich commercial firms, universities, government agencies, and owners of critical infrastructure. These groups have been responsible for several high-profile campaigns, including the Salt Typhoon APT’s attack on telecommunications providers, which exploited flaws in Cisco’s IOS XE software. The success of these attacks often relies on hidden software flaws and avoidable weaknesses in the targeted IT infrastructure, including routers, switches, firewalls, and wireless devices.
The Evolution of Cyber Risks
Cyber risks have evolved with the increasing use of cloud computing, SaaS applications, and open-source software. The near-universal embrace of cloud computing and SaaS applications has upended traditional security tools and architectures, creating new risks and vulnerabilities. As JPMorgan Chase CISO Patrick Opet noted, the growing reliance on cloud infrastructure, APIs, and "opaque fourth-party vendor dependencies" gives third-party firms "privileged access to customer systems without explicit consent or transparency." Furthermore, the open-source software ecosystem has emerged as a critical but highly vulnerable building block for all applications, with a 73% increase in detections of malicious open-source packages in 2025.
The Growing Risks of Open-Source and AI
The open-source software ecosystem has also emerged as a critical but highly vulnerable building block for all of our applications. Our latest annual Software Supply Chain Security Report for 2026 found a 73% increase in detections of malicious open-source packages in 2025. We also saw a jump in the scope of such attacks, with compromises of some of the most influential open-source maintainer accounts and the widely used packages they manage. Moreover, the growing popularity of AI-powered coding agents has created new risks, as malicious actors adapt their techniques to target AI development pipelines and vibe-coding tools.
The Need for Comprehensive Understanding and New Tools
Organizations now need a comprehensive understanding of their IT inventory and the risks that lurk in both open-source and commercial software. They need new tools and capabilities to achieve that, such as software bills of materials (SBOMs), which offer end-user organizations a critical software "list of ingredients" that teams can use to identify and isolate supply chain risks. Additionally, technologies such as complex binary analysis can expose threats, including evidence of tampering, malware hiding in commercial software binaries, critical security flaws, and outdated and end-of-life commercial and open-source modules.
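The following added example, which is not from the original article, shows one way to use an SBOM to identify and isolate a risky component: it walks the dependency graph of a CycloneDX-style JSON SBOM and reports each watchlisted component together with the dependency path that pulls it in. The SBOM, the package names, and the watchlist are constructed sample data, and `flag_components` is a hypothetical helper name.

```python
import json

# Constructed CycloneDX-style SBOM; every name and version is sample data.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "example-portal"}},
 "components": [
  {"bom-ref": "fw", "purl": "pkg:npm/example-framework@5.1.0"},
  {"bom-ref": "cu", "purl": "pkg:npm/example-color-utils@1.0.3"},
  {"bom-ref": "lx", "purl": "pkg:pypi/example-legacy-xml@0.9.0"},
  {"bom-ref": "zz", "purl": "pkg:npm/example-orphan@0.0.1"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["fw", "lx"]},
  {"ref": "fw", "dependsOn": ["cu"]},
  {"ref": "cu", "dependsOn": ["fw"]}]}
"""

# Constructed watchlist (purl -> reason); in practice fed by an advisory source.
WATCHLIST = {
    "pkg:npm/example-color-utils@1.0.3": "malicious package",
    "pkg:pypi/example-legacy-xml@0.9.0": "end-of-life",
    "pkg:npm/example-orphan@0.0.1": "malicious package",
}

def flag_components(sbom, watchlist):
    """Return watchlisted components with the dependency path that pulls them in."""
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, stack = {}, [(root, [root])]
    while stack:  # iterative DFS; `paths` doubles as the visited set, so cycles end
        ref, path = stack.pop()
        if ref in paths:
            continue
        paths[ref] = path
        stack.extend((child, path + [child]) for child in edges.get(ref, []))
    findings = []
    for ref, comp in by_ref.items():
        reason = watchlist.get(comp.get("purl"))
        if reason:
            # An empty path means the component is listed but unreachable from the
            # root in the dependency graph: a gap in the SBOM worth querying.
            findings.append({"purl": comp["purl"], "reason": reason,
                             "path": paths.get(ref, [])})
    return sorted(findings, key=lambda f: f["purl"])

if __name__ == "__main__":
    for f in flag_components(json.loads(SBOM_JSON), WATCHLIST):
        print(f["reason"], f["purl"], " -> ".join(f["path"]) or "(unreferenced)")
```

The path in each finding tells the team which direct dependency to pin, replace, or remove in order to isolate the flagged component.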
The Role of Regulations in Software Security
The need for regulations to prioritize software security and technology resilience has become increasingly evident. The passage of regulations such as the European Union’s Cyber Resilience Act and Digital Operational Resilience Act, which contain explicit requirements for secure design and for vulnerability and lifecycle management, marks a significant shift in the approach to software security. The US Department of Defense’s Software Fast Track Initiative, which aims to modernize and accelerate the procurement, testing, and authorization of secure software for the US military, is another example of the emerging regulatory landscape. These regulations will compel changes in the way software is built, deployed, and managed, and will hold organizations accountable for their role in ensuring software security and technology resilience.
Conclusion and Future Outlook
In conclusion, the emergence of typhoon APTs and the growing risks of open-source and AI-powered coding agents have created a critical need for comprehensive understanding and new tools to identify and isolate supply chain risks. The regulatory landscape is shifting to prioritize software security and technology resilience and to hold organizations accountable for their role in ensuring both. As we look to the future, it is clear that 2026 will see significant changes in the way software is built, deployed, and managed, with a focus on security and resilience. With an international regulatory landscape taking shape around these priorities, we can hope that the cyber weather will shift, with fewer typhoons that leave chaos and destruction in their wake.


