Vendor Cybersecurity Audit: What Mid-Market Manufacturers Need to Check Now
Cybersecurity Risk · 6 min read · May 31, 2026

Six active attack groups identified by Group-IB in 2026 are targeting the SaaS platforms, MSPs, and open-source tools mid-market manufacturers depend on daily — and your perimeter tools won't catch them.

Manufacturing ransomware incidents reached 1,466 documented cases in 2025 — a 56% year-over-year increase from 937 the year before, according to Check Point Research via Industrial Cyber. That equals about one in five of the 7,419 global ransomware incidents recorded that year. The groups behind those attacks — Akira, Qilin, Play, Clop, Safepay, NoName057(16) — are not breaking through firewalls. They are walking through doors that trusted vendors left open.

What Is Actually Happening in 2026

In its 2026 threat intelligence report, Group-IB identified six active attack groups that have industrialized supply chain compromise as a delivery mechanism. Their primary targets are not manufacturers directly — they are the vendors manufacturers rely on: SaaS platforms, managed service providers, open-source repositories, and cloud API integrations. That framing comes from Group-IB's own research and should be read as vendor-sourced threat intelligence, not a neutral third-party finding. The operational logic holds regardless of who is counting.

On May 18, 2026, a campaign called Megalodon demonstrated the mechanics at scale. According to SafeDep and StepSecurity via Mashable, attackers injected malicious commits into 5,561 GitHub repositories within a six-hour window. GitHub is not a consumer platform — it is the infrastructure where the software vendors who build your ERP modules, MES integrations, accounting connectors, and automation tools maintain their code. A malicious commit that passes undetected becomes a malicious software update that lands in your environment automatically.

The SolarWinds attack in 2020 established this model. A single compromised software vendor became the entry point for breaches across thousands of downstream organizations. What Group-IB's 2026 research documents is that model becoming routine.

Why Your Perimeter Tools Miss This

Standard network security tools — firewalls, endpoint detection, intrusion detection systems — are designed to catch unauthorized access. They are not designed to catch access that is technically authorized. When your ERP vendor's support technician logs in through a remote management credential provisioned two years ago, that session looks legitimate. It is legitimate, until it isn't.

The access paths Group-IB flags as primary compromise vectors are exactly the ones mid-market manufacturers provision during vendor onboarding and rarely review again:

  • OAuth tokens — issued when your team connects a SaaS platform (CRM, accounting, HR) to Microsoft 365, Salesforce, or your ERP. These tokens persist indefinitely unless explicitly revoked. A vendor breach transfers those tokens to the attacker.
  • API keys — embedded in vendor-managed integrations connecting your WMS, ERP, or supply chain visibility platform to their systems. Rarely rotated. Rarely scoped with least-privilege access.
  • MSP remote management credentials — your managed IT provider holds persistent remote access to your network, servers, and often your OT environment. That access is wide and, in most mid-market setups, operates without session logging or time-bounded permissions.
  • Software update channels — if your ERP or MES software pulls automatic updates from a vendor repository, a compromised update is an automatic delivery into your production environment. You do not have to click anything.

The distinction matters: an attacker who has compromised a vendor does not need to target you specifically. They inherit access to every customer that vendor serves.

Which Systems Are Actually Reachable

For a mid-market manufacturer running a common technology stack, the exposure map is wider than most operators realize:

Production-adjacent systems at risk through vendor access:

  • ERP (any instance with active third-party integrations or MSP management)
  • MES and SCADA environments where remote monitoring vendors hold persistent access
  • WMS with third-party logistics or carrier API connections
  • OT devices configured for remote access by equipment vendors or automation integrators

Business systems at risk through SaaS and OAuth exposure:

  • Accounting platforms (QuickBooks Online, Sage, NetSuite) with connected vendor apps
  • CRM integrations carrying customer order, pricing, and contact data
  • Procurement platforms with supplier portal and EDI connections

The production-side risk is the one that gets underweighted. A ransomware group that enters through an IT system can pivot to OT environments when those environments are managed by the same MSP or share network connectivity. Check Point Research notes via Industrial Cyber that legacy OT systems and complex supply chains are cited drivers of the 2025 manufacturing ransomware spike — precisely because those environments have accumulated years of vendor access grants that nobody has reviewed.

The Exposure Mid-Market Operators Face That Enterprise Doesn't

Large manufacturers run dedicated security operations teams with vendor risk management programs, vendor breach disclosure reviews, and enforced least-privilege policies on every third-party integration. A $30M discrete manufacturer in the Metroplex or a $150M food processor in San Antonio typically does not. Vendor access grants accumulate during implementation projects, software onboarding, and MSP renewals — and nobody revokes them when the project ends.

No source directly quantifies the mid-market-versus-enterprise risk disparity, but the structural difference is clear: fewer security resources, more unreviewed access grants, and an identical attack surface from a vendor-compromise perspective. The attack groups Group-IB identified are not selecting targets based on company size. They are selecting targets based on which vendors' customer bases they can reach efficiently.

Foley & Lardner reports that supply chain attacks have surged significantly since 2021 and that manufacturing has been the most targeted sector for cyberattacks in recent years — though the underlying primary reports are not directly cited in their accessible publication, so treat those characterizations as attorney-authored analysis rather than independently sourced data.

What to Audit Before the Next Rotation Reaches Your Vendors

The audit is an operational process, not a technology purchase. It starts with a question most mid-market manufacturers cannot answer in under 24 hours: which vendors have standing access to your systems right now, and what can they reach?

Pull and verify the following:

  • Third-party vendor access register — Does one exist? Is it current? Does it cover ERP, MES, OT, WMS, accounting, and SaaS platforms — not just IT systems? If no register exists, creating it is the first step.
  • Active OAuth token inventory — Log in to each connected SaaS platform and audit authorized third-party applications. Every OAuth grant that is not actively needed should be revoked. This takes minutes per platform.
  • MSP remote access scope — What systems does your MSP access? What remote management tools do they use? Have credentials been rotated in the past 90 days? Are sessions logged?
  • API keys in active integrations — Where are API keys stored? When were they last rotated? Are they scoped to minimum necessary permissions, or do they carry admin-level access because that was easiest during setup?
  • Software vendor update channels — Which production systems receive automatic updates from a vendor? Is there a review step before updates are applied in your production environment?
  • Vendor breach monitoring — Is anyone in your organization watching breach disclosure notifications for your top 10 vendors? If a vendor you rely on discloses a compromise, how quickly would you know to revoke their access?
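As an added example, not code from the article, the following Python script turns the checklist above and the access-path list earlier in the piece (OAuth grants, API keys, MSP remote access, update channels) into mechanical checks over a vendor access register. The register format, field names, vendor entries and the use of the checklist's 90-day window as a single rotation limit for every credential type are constructed assumptions.

```python
# Added example, not code from the article: audit a constructed vendor access register.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
ROTATION_MAX_DAYS = 90  # the checklist's 90-day rotation window, applied to every credential

@dataclass
class AccessGrant:
    vendor: str
    system: str                          # ERP, MES, OT, WMS, accounting, SaaS ...
    kind: str                            # "oauth", "api_key", "msp_rmm" or "update_channel"
    scopes: List[str] = field(default_factory=list)
    last_rotated: Optional[date] = None  # None = never rotated since provisioning
    last_used: Optional[date] = None     # tracked for OAuth grants
    session_logging: bool = False        # MSP remote access
    review_before_apply: bool = False    # software update channels
    project_end: Optional[date] = None   # set when access was granted for a project

def stale(d: Optional[date], today: date) -> bool:
    return d is None or (today - d).days > ROTATION_MAX_DAYS

def audit_grant(g: AccessGrant, today: date) -> List[str]:
    """Return the findings for one grant; an empty list means nothing to flag."""
    findings = []
    if g.project_end and g.project_end < today:
        findings.append("project ended; revoke")
    if g.kind in ("oauth", "api_key", "msp_rmm"):
        if stale(g.last_rotated, today):
            findings.append(f"credential not rotated in {ROTATION_MAX_DAYS} days")
        if any(s.lower() in {"admin", "*", "full_access"} for s in g.scopes):  # assumed spellings
            findings.append("admin-level scope; reduce to least privilege")
    if g.kind == "oauth" and stale(g.last_used, today):
        findings.append("OAuth grant not in active use; revoke")
    if g.kind == "msp_rmm" and not g.session_logging:
        findings.append("remote access without session logging")
    if g.kind == "update_channel" and not g.review_before_apply:
        findings.append("automatic vendor updates with no review step")
    return findings

def audit_register(register: List[AccessGrant], today: date) -> Dict[str, List[str]]:
    report = {f"{g.vendor}/{g.system}": audit_grant(g, today) for g in register}
    return {k: v for k, v in report.items() if v}  # keep only grants that need action
TODAY = date(2026, 5, 31)
SAMPLE_REGISTER = [  # constructed entries, not real vendors
    AccessGrant("erp-msp", "ERP", "msp_rmm", ["admin"], date(2024, 3, 1)),
    AccessGrant("crm-connector", "Microsoft 365", "oauth", ["Mail.Read"], date(2026, 5, 1), date(2025, 11, 2)),
    AccessGrant("carrier-api", "WMS", "api_key", ["shipments.write"], date(2026, 4, 15)),
    AccessGrant("integrator", "OT", "api_key", ["plc.read"], date(2026, 5, 20), project_end=date(2025, 12, 31)),
    AccessGrant("mes-vendor", "MES", "update_channel", review_before_apply=True),
]
```

Run against the sample register, the MSP entry is flagged on rotation age, admin scope and missing session logging, the OAuth connector on lack of recent use, and the integrator on its finished project; the carrier API key and the reviewed update channel produce no findings.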

What to Watch Through the Rest of 2026

The Megalodon attack's six-hour, 5,561-repository scale signals that this is automated, not hand-crafted. Attackers are scanning for access opportunities at machine speed. The relevant signals to track:

  • Group-IB and CISA advisories on the six named attack groups and their evolving SaaS and MSP targeting methods
  • GitHub repository compromise events affecting software vendors whose products run in your production environment
  • RMM (remote monitoring and management) tool vulnerability disclosures — these tools are the keys to MSP access and are a primary target category
  • Ransomware group activity for Akira, Qilin, Play, and Clop, all named by Check Point Research as active in manufacturing sector attacks in 2025
  • CISA's Known Exploited Vulnerabilities catalog for entries affecting SaaS platforms or remote management tools in your current stack

The operational window before the next attack cycle reaches a mid-market vendor ecosystem is not months — it is weeks. A vendor access register that does not exist today is an attack surface that is open right now.
