The New Cyber Threat Landscape: Key Insights from Canada’s 2025-2026 Cyber Threat Assessment
The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2025-2026 warns of escalating risks to software ecosystems. From state-sponsored attacks to supply chain compromises, the report emphasizes the urgency for organizations to secure their software development pipelines. As attackers evolve their methods, proactive security strategies are no longer optional—they’re essential.
This article explores some of the findings from the National Cyber Threat Assessment (NCTA) and provides actionable advice for developers, DevOps, and security professionals. It also highlights how Safety CLI helps teams safeguard their software supply chains by detecting vulnerable and malicious dependencies at every stage of development.
Emerging Threats to Software Supply Chains
The NCTA identifies several key trends that are shaping the future of cyber threats:
1. Double Supply Chain Attacks:
These cascading attacks occur when an initial supply chain breach enables further downstream compromises. A vulnerability in one package or service can expose entire ecosystems to attackers.
2. Shrinking Exploitation Timelines:
Attackers are moving faster than ever, and the speed of exploitation has become particularly worrying. The report reveals that vulnerabilities are now being exploited within days or even hours of disclosure, leaving organizations an increasingly narrow window to detect and patch them before attackers do.
3. Vendor Concentration Risks:
A particularly noteworthy finding involves the risks associated with dominant vendors. The report warns that "Cyber threat actors target dominant vendors seeking to steal customer data or demand ransom payments." This concentration of risk in major service providers means that "a cyber incident impacting a single dominant service provider can impact an entire sector."
An example from early 2024 illustrates this trend: state-sponsored actors exploited two zero-day VPN vulnerabilities. The Chinese advanced persistent threat (APT) group Volt Typhoon was specifically identified as using these exploits to establish footholds within government networks and critical infrastructure, particularly in North America. The attacks took advantage of newly discovered or zero-day vulnerabilities in VPN appliances that had not been patched in time, allowing the attackers to conduct espionage and pre-positioning activities, potentially for future disruptive operations.
Organizations must address these growing risks by monitoring dependencies continuously and integrating security directly into their development workflows.
Practical Scenarios: How Software Supply Chains Can Be Compromised
- Compromised Open-Source Packages:
Developers routinely install open-source libraries from pip, npm, and other package indexes. A library that is secure when installed can acquire vulnerabilities over time (as in this example in the popular machine learning package TensorFlow). Without visibility into which packages are installed, organizations remain at risk unless those packages are upgraded as soon as patches become available.
- Intentionally Malicious Open-Source Packages and Typosquatting:
A developer installs, accidentally or intentionally, a dependency that has known vulnerabilities or has been identified as malicious. Attackers exploit simple errors, such as spelling mistakes in install commands, to trick developers into downloading malicious packages. These so-called “typosquatting” attacks are increasingly common and can lead to data exfiltration or unauthorized control of systems.
- Tampered SDKs and APIs:
Nation-state actors are known to compromise software vendors’ development tools, inserting backdoors into SDKs that developers unknowingly embed into their apps, creating espionage risks in production environments.
These scenarios underscore the importance of early detection, continuous monitoring, and rapid remediation to prevent attackers from gaining a foothold in your software ecosystem.
Best Practices for Securing Software Supply Chains
A proactive security strategy requires a combination of tools and processes. Here’s a practical checklist to guide teams in building resilient software supply chains:
- Continuous Vulnerability Detection and Monitoring at Every Stage of Development:
- Automate scanning to detect vulnerabilities across your entire software stack.
- Shift security left by scanning early in the development lifecycle, including on developer machines—not only in CI/CD stages.
- Monitor open-source dependencies for newly disclosed risks. Leverage threat intelligence tools to be aware of emerging threats.
- Comprehensive Dependency Visibility and SBOM:
- Map all direct and transitive dependencies to uncover hidden vulnerabilities.
- Use tools like pip-tools, npm shrinkwrap, and pip freeze to gain visibility into dependencies and pin them to known secure versions.
- Rapid Response Protocols:
- Implement automated alerts that trigger immediate action when vulnerabilities are detected.
- Develop incident response plans to address threats before they escalate.
- Regular Security Audits:
- Conduct security reviews to ensure your practices remain aligned with the latest threats.
- Engage in threat-modelling exercises to identify potential vulnerabilities within your systems.
- Foster Collaboration Across Teams:
- Align development, security, and operations teams by embedding security practices within your CI/CD pipelines.
- Promote a DevSecOps culture, where security is everyone’s responsibility.
These steps, when implemented consistently, reduce the likelihood of attacks and help organizations respond effectively when threats arise.
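As an added example (not from the original article and not Safety CLI's own code), the following Python audit of a pip requirements file applies three of the checks from the scenarios and checklist above: it flags dependencies that are not pinned to an exact version, matches pinned versions against an advisory list, and uses an edit-distance comparison against an approved package list to surface names that look like typosquats. The approved list, the advisory data and the sample requirements are all constructed placeholders, not real registry or vulnerability data.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of packages the team has approved (placeholder, not a registry).
APPROVED = {"requests", "numpy", "tensorflow", "cryptography"}

# Constructed advisory data: package -> versions with a known issue (placeholder values).
ADVISORIES = {"tensorflow": {"1.0.0"}}

# Minimal requirement-line parser: name, optional operator, optional version.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([A-Za-z0-9_.]+)?")

@dataclass
class Finding:
    package: str
    issue: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values against an approved name suggest a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per problematic requirement line; an empty list means clean."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable requirement"))
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if name not in APPROVED:
            close = sorted(p for p in APPROVED if edit_distance(name, p) <= 2)
            issue = f"possible typosquat of {close[0]}" if close else "not on approved list"
            findings.append(Finding(name, issue))
        elif op != "==":
            findings.append(Finding(name, "not pinned to an exact version"))
        elif ver in ADVISORIES.get(name, set()):
            findings.append(Finding(name, f"version {ver} has a known advisory"))
    return findings

# Constructed sample requirements file exercising each check.
SAMPLE = "requests==2.31.0\nnumpy>=1.26\ntensorflow==1.0.0\nreqeusts==2.31.0  # constructed typo\n"
```

Running `audit_requirements(SAMPLE)` yields three findings (unpinned numpy, the placeholder tensorflow advisory, and reqeusts as a likely typosquat of requests); wiring this into a pre-commit hook or CI step is the "shift left" the checklist describes.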
How Safety CLI Aligns with the NCTA’s Recommendations
Safety CLI offers a suite of tools designed to address the software supply chain challenges outlined in the NCTA. Here’s how it supports secure software development. Safety CLI allows teams to perform scans in development, CI/CD and production to detect dependencies with known vulnerabilities and malicious packages, delivering alerts when new vulnerabilities are discovered. This approach reduces the window of opportunity for attackers and provides developers and DevOps with actionable recommendations for remediation.
With the most comprehensive database of vulnerable and malicious packages available, Safety CLI provides full visibility of direct and transitive dependency risks, making it easier to identify hidden risks in complex supply chains. Easily integrated directly into CI/CD pipelines, Safety CLI can be used to prevent vulnerabilities from reaching production, ensuring only secure components are deployed. Safety CLI’s reporting features offer prioritized remediation recommendations, helping teams focus on the most critical risks. By providing detailed impact analysis, Safety CLI ensures resources are allocated effectively.
Key Metrics for Tracking Security Success
To maintain a strong security posture, organizations should track key metrics that align with supply chain security goals. These metrics provide insight into how well processes are working and where improvements are needed.
- Time to Remediate (TTR):
Measure the average time it takes to patch vulnerabilities after they’re identified. Faster remediation reduces the risk of exploitation.
- Blocked Vulnerable Packages:
Track how many risky dependencies are identified by using tools like Safety CLI.
- CI/CD Pipeline Security Health:
Monitor how many builds or deployments are flagged for security issues, indicating where vulnerabilities were identified before they reached production.
These metrics ensure continuous improvement, helping organizations stay ahead of evolving threats.
Addressing State-Sponsored Threats
State-sponsored attacks represent some of the most dangerous cyber threats. As noted in the NCTA, nation-state actors target critical infrastructure and intellectual property to achieve geopolitical goals. These actors exploit zero-day vulnerabilities and compromised software dependencies to conduct espionage and disrupt operations.
Safety CLI equips organizations with the tools to counter these threats. By automating vulnerability detection and integrating security into development workflows, Safety CLI minimizes the window of exposure.
Call to Action: Strengthen Your Software Supply Chain Security Today
The findings of the National Cyber Threat Assessment 2025-2026 highlight the urgent need for proactive security. Developers, DevOps teams, and security professionals must adopt tools and practices that protect their software ecosystems from increasingly sophisticated threats.
Explore the full report here and visit Safety CLI’s website to learn how you can secure your software supply chain today.
Conclusion: Proactive Security for a Resilient Future
As the NCTA makes clear, cyber threats to software supply chains are accelerating in both speed and complexity. Organizations that fail to adopt proactive security measures risk falling victim to cascading attacks, state-sponsored threats, or service disruptions caused by compromised vendors.
By following best practices and integrating tools like Safety CLI into their workflows, organizations can mitigate these risks, build more resilient supply chains, and protect their operations from future threats. With the right strategies and tools in place, staying ahead of the evolving threat landscape is within reach.
This article was written by David Lacho, Senior Python Full Stack Engineer.