2025 didn’t deliver a single “SolarWinds moment.” It delivered many smaller ones—strung through supply chains, large language models, and the hyperscale clouds everything now runs on.
The pattern across them is ugly but clear: one compromise, many victims. That was true whether attackers slipped malicious code into open source packages, rewrote the long‑term memory of AI agents, or tripped a race condition inside Amazon’s DNS plumbing and took down chunks of the Internet for 15 and a half hours.
There was at least one genuine win: Signal’s quiet, technically impressive move to make its encrypted messaging protocol resistant to future quantum attacks.
Here’s the condensed security story of 2025.
Supply‑chain attacks became the default move
Attackers doubled down on the highest‑leverage target in software: the supply chain.
Compromise one component that everyone depends on, and you don’t have to phish or exploit each downstream victim individually. This year delivered a long list of examples:
Solana’s poisoned library
A late‑2024 incident bled well into 2025 and is worth revisiting.
Attackers quietly slipped a backdoor into a code library used across the Solana ecosystem. Security firm Socket said it believes accounts belonging to developers of Web3.js—an open source library used in Solana‑related software—were compromised. With that access, the attackers shipped a malicious update.
Developers building decentralized apps pulled in the update as usual. Once it landed, the backdoor propagated to individual wallets connected to smart contracts and could extract private keys. The campaign netted attackers up to $155,000 from thousands of smart‑contract parties on the Solana blockchain.
Typos, mirrors, and 8,000+ Go packages
Another attack abused a Google‑run mirror proxy for the Go programming language. A malicious package, given a name similar to a legitimate one, was seeded on the mirror. More than 8,000 other packages depended on the targeted one.
This is textbook “typosquatting”: developers mistype or mis‑click and pull the wrong package. The result is arbitrary attacker code running in build systems and production environments.
NPM’s 126 malicious packages
The JavaScript world didn’t escape either. The NPM repository was flooded with 126 malicious packages that, collectively, were downloaded more than 86,000 times.
The sting in the tail: many were pulled in automatically via NPM’s Remote Dynamic Dependencies feature, meaning developers didn’t even have to explicitly choose the bad package for it to land in their supply chain.
500+ backdoored e‑commerce sites
More than 500 e‑commerce companies—including one multinational worth about $40 billion—were backdoored after three software vendors in their supply chain were compromised.
Those vendors—Tigren, Magesolution (MGS), and Meetanshi—build software on top of Magento, the open source e‑commerce platform that powers thousands of online stores. Once their code was tainted, every merchant downstream became a potential victim.
Open source packages with 2 billion weekly downloads
Dozens of open source packages that collectively receive roughly 2 billion weekly downloads were also compromised. Attackers updated them with code to silently redirect cryptocurrency payments to wallets they controlled.
The individual packages here matter less than the reach: billions of downloads a week translates into an enormous blast radius.
CI pipelines, GitHub Actions, and talent platforms
Other notable supply‑chain hits included:
- tj-actions/changed-files: A component of the popular
tj-actionsproject, used by more than 23,000 organizations, was compromised. - Toptal‑linked npm packages: Multiple developer accounts on npm were breached, and 10 packages used with talent agency Toptal were backdoored. Those malicious packages were downloaded about 5,000 times.
The message from 2025 is simple: if you’re not treating your software supply chain—open source and commercial—as critical infrastructure, you’re already behind attackers.
Memory corruption, LLM‑style
Large language models didn’t just help defenders write better detection rules this year. They also became a new class of target.
The most worrying attacks didn’t just trick a chatbot once. They poisoned its long‑term memory so that it would keep doing the wrong thing indefinitely.
ElizaOS: rewriting an agent’s past
Researchers showed that ElizaOS—an open source framework for blockchain‑focused agents—could be pushed off course using nothing more than a prompt.
The agent accepted user input at face value and stored it as part of its long‑term memory. Academic researchers fed it fictional “events,” including a claim that ElizaOS’ own developers wanted it to swap the recipient wallet in all future transfers to one controlled by the attacker.
The agent complied. Even when a user explicitly provided a different wallet address, the poisoned memory caused ElizaOS to replace it with the attacker’s.
This proof‑of‑concept never hit production users, but the researchers warned that real‑world contract participants—already authorized to transact with such agents—could use the same technique to defraud others.
Gemini with false memories
Independent researcher Johan Rehberger pulled off a similar stunt against Google Gemini.
By planting false long‑term memories, he got the system to relax normally strict controls around calling sensitive tools like Google Workspace when handling untrusted data. Those memories persisted, meaning an attacker could benefit from the lowered defenses again and again.
Rehberger had demonstrated a related attack in 2024, underscoring how slowly these design problems are being resolved.
Code assistants turned code injectors
Two more proof‑of‑concepts pushed AI coding tools into dangerous territory:
- A prompt injection attack on GitLab’s Duo chatbot led it to insert malicious lines into otherwise legitimate code packages. A variant of the attack successfully exfiltrated sensitive user data.
- A separate issue in Google’s Gemini CLI coding tool allowed attackers to execute arbitrary shell commands—up to and including wiping a developer’s hard drive—on machines using the tool.
When your IDE can now execute tools, talk to the cloud, and modify infrastructure, its threat model starts to look a lot like a browser’s—without decades of hard‑won sandboxing experience.
Using AI as bait—and as a criminal tutor
Not all AI‑related incidents in 2025 targeted the models themselves. In several cases, AI tools simply made old‑school attacks more efficient.
- Government data theft: Earlier this month, two men were indicted for allegedly stealing and wiping sensitive government data. Prosecutors say one of them went to an AI assistant for help, asking, “how do i clear system logs from SQL servers after deleting databases,” followed by, “how do you clear all event and application logs from Microsoft windows server 2012.” Investigators were able to reconstruct what happened anyway.
- Malicious image generator: In May, a man pleaded guilty to hacking a Walt Disney Company employee by tricking them into running a booby‑trapped version of a popular open source AI image‑generation tool.
- Salesloft Drift token theft: In August, Google researchers warned that users of the Salesloft Drift AI chat agent should assume all security tokens connected to the platform were compromised. Unknown attackers had already used some credentials to access email in Google Workspace accounts, pivot into individual Salesforce accounts, and steal data—including credentials potentially useful in other breaches.
And sometimes, the models themselves leaked data on a massive scale.
GitHub’s CoPilot was caught exposing the contents of more than 20,000 private repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent, and even Microsoft. Those repos had at one point been reachable via Bing search. Microsoft eventually pulled them from Bing’s index—but CoPilot’s training data still contained them, and it kept surfacing their contents.
Meta and Yandex vs. Android’s privacy model
Another major 2025 story didn’t involve exotic AI at all. It featured two familiar names: Meta and Yandex.
Both companies were found exploiting an Android weakness to de‑anonymize visitors and track years of their browsing histories. The tracking, embedded inside the Meta Pixel and Yandex Metrica analytics scripts, effectively bypassed core protections in Android and modern browsers.
- Android sandboxing is supposed to isolate apps from one another and from the underlying OS, protecting sensitive data and system resources.
- State and storage partitioning in browsers fence off cookies and site data by top‑level domain so that one site can’t freely inspect another’s history.
Through a clever implementation trick, Meta and Yandex worked around those defenses and linked supposedly separate browsing sessions back to specific users.
2025: The year the cloud felt fragile
The Internet’s original design goal was resilience. It was meant to survive even a nuclear strike. In 2025, our reliance on a handful of cloud providers made that ideal look quaint.
AWS: 15 hours, 32 minutes of “single point of failure”
The most disruptive outage hit in October, when a single point of failure inside Amazon’s massive network knocked out critical services around the world for 15 hours and 32 minutes.
Amazon’s post‑mortem traced the cascade back to a software bug in a system that monitors the stability of load balancers. Among other tasks, that system periodically creates new DNS configurations for endpoints inside Amazon Web Services.
A race condition—where correct behavior depends on the exact timing of events—caused a key component to experience unusually long delays while trying to update DNS endpoints. While it struggled to catch up, a second component started seeing a flood of DNS errors.
The combination pushed the network into a full‑blown collapse.
Cloudflare and Azure join the outage club
AWS had company. A mysterious traffic spike last month slowed much of Cloudflare—and large por...
