2025 was a brutal, challenging year for businesses in terms of cyberattacks. The year was marked by significant increases in the frequency, sophistication and financial impact of incidents, with the UK’s National Cyber Security Centre (NCSC) reporting a 50% increase in ‘highly significant’ cyber incidents over the past year.
For example, a noticeable trend was the rise of breaches involving a third party or a supply chain compromise: approximately 30% of all cyberattacks in 2025 involved this part of the computing ecosystem. This caused significant havoc in key industries such as industrial and aerospace, often leading to financial and reputational damage to businesses.
Here are just three examples of some major attacks our members spotted this year:
The HybridPetya Hijack
In February 2025, researchers began to notice new ransomware samples uploaded to VirusTotal that resembled the infamous Petya and NotPetya strains – but with a modern escalation.
The malware, which was later dubbed HybridPetya, introduced a boot-path component capable of targeting UEFI-based systems, rather than operating solely at the operating system level. Instead of limiting itself to user-space encryption, HybridPetya deployed a malicious EFI application to the EFI System Partition, positioning itself in the system’s early start-up sequence. Once activated, the ransomware encrypted the NTFS Master File Table (MFT), the structure that stores the metadata for every file on the volume, effectively locking systems out of their own storage volumes. By shifting execution into the pre-operating system (OS) environment, the attack blurred the traditional boundary between firmware integrity and OS security.
Although early samples did not show clear signs of widespread active development at the time of reporting, the technical approach signalled a concerning evolution in ransomware attacks: by inserting itself into the boot process, HybridPetya demonstrated how modern threats continue to move lower in the stack, targeting foundational trust layers rather than applications or user data.
MaaSive Attack
May 2025 saw the largest data breach in history, with 16 billion login credentials exposed across 30 different online databases. Research carried out by Cyber News uncovered massive stashes of exposed data, featuring billions of social media accounts, corporate tools, VPNs, developer platforms and more. Through these credentials, attackers now have an unprecedented opportunity to take over accounts, carry out identity theft and perform other malicious actions.
The researchers who found the data believe that the majority of the leaked data resulted from infostealer malware, alongside credential stuffing sets and a recycling of old leaks. Infostealer malware is significantly on the rise, having become one of the most dominant and prolific cyber threats in 2025. This surge has been driven by ‘malware-as-a-service (MaaS)’ attack models, which have lowered the technical barrier for hackers to conduct effective attacks: ransomware, often distributed through MaaS models, was present in 44% of all data breaches analyzed in 2025.
Worming its way into supply chains
‘Shai-Hulud 2.0’ is the name of a complex, self-propagating software supply chain attack that was levelled against the npm ecosystem in November 2025. The primary goal of the worm was to steal sensitive information, including GitHub and npm tokens, alongside credentials for leading cloud providers like Google Cloud, Azure and AWS.
The worm used stolen npm tokens to automatically publish malicious versions of other packages maintained by the victim, self-replicating to cause widespread carnage. Using the Bun JavaScript runtime to execute its payload and avoid system monitoring, Shai-Hulud 2.0 was able to access and steal data through the creation of randomly named GitHub repositories with the description “Sha1-Hulud: The Second Coming”. If the malware failed to exfiltrate the data – or if it was detected – the worm featured a “dead man’s switch” that would wipe out files in the user’s directory. As a result, several high-profile projects were affected, including those led by Postman, Zapier, PostHog and AsyncAPI.
The TCG perspective
These attacks from last year reinforce a clear, urgent reality: attackers are deliberately moving lower in the stack, exploiting weaknesses in firmware, identity, and the software supply chain. HybridPetya’s shift into the UEFI boot path demonstrates how attackers are now targeting pre-OS trust anchors, bypassing traditional endpoint controls entirely. Similarly, the MaaS-driven explosion of credential theft highlights the fragility of identity when secrets are stored or transmitted without hardware-backed protection. Shai-Hulud 2.0’s ability to self-propagate through the npm ecosystem also underscores the systemic risk of unverified code provenance.
Taken together, these incidents show that the threat landscape is converging on the foundational trust layers of computing. For organizations, the path forward must be the adoption of hardware-based Roots of Trust (RoT), enforced attestation across devices and workloads, and the verification of integrity across every stage of a device’s lifecycle. Through the adoption of TCG technologies and specifications, these capabilities can be achieved.
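As an added illustration (not code from the original post or from TCG), the following Python models the measured-boot check that the attestation and integrity verification described above rely on: each boot component is extended into a TPM PCR, a verifier replays the event log and compares the result against a known-good baseline, and an unexpected EFI application in the boot path, of the kind HybridPetya's boot-path component represents, shows up as a mismatch. The component names and measurements are constructed placeholders, not real boot images.

```python
import hashlib

# Constructed sample event log (not real measurements): placeholder strings
# stand in for the boot-loader images that firmware hashes, in order, into a
# TPM PCR during measured boot.
KNOWN_GOOD_BOOT_CHAIN = [
    b"platform-firmware:known-good-build",
    b"esp:/EFI/BOOT/BOOTX64.EFI:known-good-build",
    b"os-loader:known-good-build",
]

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(measurement)).
    A PCR can only be extended, never set, so an early boot component cannot
    remove its own measurement from the chain later on."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay_pcr(event_log) -> bytes:
    """Recompute the final PCR value from an ordered event log."""
    pcr = bytes(32)  # PCRs are all-zero after platform reset
    for measurement in event_log:
        pcr = pcr_extend(pcr, measurement)
    return pcr

GOLDEN_PCR = replay_pcr(KNOWN_GOOD_BOOT_CHAIN)

def verify_attestation(quoted_pcr: bytes, event_log):
    """Verifier-side check, as an attestation service would perform it:
    1. the event log must reproduce the PCR value the TPM quoted;
    2. the reproduced value must equal the known-good baseline.
    Returns (ok, reason)."""
    replayed = replay_pcr(event_log)
    if replayed != quoted_pcr:
        return False, "event log does not reproduce the quoted PCR"
    if replayed != GOLDEN_PCR:
        extra = [m.decode() for m in event_log if m not in KNOWN_GOOD_BOOT_CHAIN]
        return False, "boot chain deviates from baseline; unexpected: " + ", ".join(extra)
    return True, "boot chain matches known-good baseline"

# Constructed scenario: an additional EFI application sits on the ESP ahead of
# the OS loader. The firmware still measures it, so the PCR no longer matches
# the baseline even though the OS itself goes on to load normally.
TAMPERED_BOOT_CHAIN = [
    b"platform-firmware:known-good-build",
    b"esp:/EFI/BOOT/BOOTX64.EFI:known-good-build",
    b"esp:/EFI/BOOT/unknown-extra.efi",
    b"os-loader:known-good-build",
]
```

A production verifier additionally checks the TPM's signature over the quote and a fresh nonce before trusting the quoted PCR value; this block shows only the log replay and baseline comparison.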
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members are now deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices, and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.