ENISA published its annual Threat Landscape on 1 October 2025, analysing 4,875 cybersecurity incidents observed in the EU between 1 July 2024 and 30 June 2025. The report is the agency's most influential single publication: NIS2 competent authorities use it to scope risk assessments, the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) calibrates exercises against it, and the Commission cites it directly in delegated acts under the Cyber Resilience Act. The 2025 edition is notable for what it says about the supply chain: digital service compromise has moved from a tail risk into a top-three vector, and a new attack class — "slopsquatting" against AI coding assistants — has been documented and named.
What did ENISA find about supply chain attacks?
Three numbers anchor the 2025 supply chain narrative. Phishing accounted for approximately 60% of observed initial-access cases, vulnerability exploitation for 21.3%, and a residual category dominated by supply chain compromise for most of the remainder. ENISA does not publish a single supply-chain percentage at the same headline level, but the report's case studies and the breakdown of "compromise of digital services" — which includes managed services, SaaS, and shared infrastructure — establish that supply chain pathways are the second-fastest-growing class of initial access after stolen credentials.
Three case studies illustrate the patterns:
- In March 2025, Plus Service — the external provider managing the Telemaco platform for several Italian transport operators — suffered a data breach that paralysed Mobilità di Marca (MoM) ticketing systems for two days, with downstream impact on tens of thousands of commuters. The incident is a textbook fourth-party blast-radius case: the affected transport operators had contractual relationships with the platform operator, but neither they nor their direct supplier had clear visibility into the security posture of Plus Service.
- Operation Digital Eye (active from mid-2024 into 2025) targeted IT service providers in Southern Europe to obtain footholds for downstream espionage. ENISA attributes the campaign to a China-linked actor and notes that the attackers explicitly selected IT providers as gateway victims to access higher-value end-customers.
- Malicious code in open source ecosystems and AI development pipelines, including poisoned ML models on Hugging Face, malicious PyPI packages, and a "Rules File Backdoor" technique against AI coding assistants including Cursor and GitHub Copilot.
What is slopsquatting and why did ENISA name it?
Slopsquatting is the technique of registering package names that AI coding assistants are known to hallucinate consistently. Large language models, when asked to write code that imports a non-existent package, often produce the same plausible-sounding name across many sessions. An attacker who observes which hallucinated names appear most frequently can pre-register those names on PyPI, npm, or RubyGems with a malicious payload, and wait for developers who paste AI-generated code without checking imports.
ENISA cites independent research showing that for some Python prompts, more than 20% of AI-generated import statements referenced packages that did not exist on PyPI at the time of generation, and that the distribution of hallucinated names is heavily skewed — a small number of names appear repeatedly across models and prompts. The supply chain implication is straightforward: an attacker who registers the top 100 hallucinated names captures a meaningful share of developer attention through a single asynchronous step.
This is the first time ENISA has named slopsquatting as a distinct category. It joins typosquatting, dependency confusion, repojacking, and brandjacking on the list of registration-attack vectors that the agency now expects defenders to monitor.
Who is targeted and how does the report categorise sectors?
The 2025 report's sectoral breakdown is consistent with the previous two editions but with shifts at the margin:
| Sector cluster | Share of incidents | Direction vs 2024 | |---|---|---| | Public administration | ~19% | up | | Transport | ~11% | up | | Banking and finance | ~9% | flat | | Digital infrastructure | ~9% | flat | | Health | ~8% | up | | Manufacturing | ~7% | up | | Digital service providers (MSP, SaaS) | ~7% | up sharply | | Education and research | ~6% | flat | | Energy | ~4% | flat | | Other | balance | mixed |
Public administration's rise is driven by hacktivist activity tied to geopolitical events, including DDoS campaigns by groups including NoName057(16) and an uptick in pro-Russian operations against EU member states supporting Ukraine. The digital service provider rise — which ENISA flags as the most concerning trend — reflects the supply chain dynamic above: compromising one MSP gives access to dozens of downstream customers, and adversaries are increasingly explicit about selecting providers for downstream reach.
What does ENISA say about state-aligned activity?
The report dedicates an unusually large section to state-aligned activity in 2024-2025. ENISA identifies four clusters of concern: Russia-linked groups (including the cluster sometimes tracked as Sandworm), China-linked groups (with several distinct sub-clusters whose targeting includes EU defence, telecom, and government), Iran-linked groups, and the DPRK's financially motivated APT clusters whose cryptocurrency-theft operations now touch European exchanges. State-aligned activity is documented as accounting for a small minority of total incidents by count but a disproportionate share of high-severity supply chain incidents — the cases where dwell time was measured in months and where the goal was strategic access rather than ransom.
How are policy makers using this report?
Three concrete channels:
- NIS2 competent authorities are integrating the 2025 findings into their supervisory plans. The German BSI, French ANSSI, and Dutch NCSC have published cross-references between their sector-specific risk assessments and the ENISA top-vectors list.
- The Commission has used the report's data on supply chain compromise to justify the prioritisation of mandatory CRA conformity assessment for "important" and "critical" product categories.
- ENISA itself has updated its supply chain guidance for NIS2 entities, with a 2026 revision expected to incorporate slopsquatting and the AI-pipeline attack patterns flagged in 2025.
What should defenders do now?
Five actions track the report's findings directly:
- Treat managed service providers and SaaS vendors as in-scope for direct-supplier due diligence under NIS2 Article 21(2)(d). The MoM/Plus Service case is the canonical example of why.
- Detect typosquatting and slopsquatting against your dependency graph by name-similarity scoring at install time. Block at the proxy, not just at the SBOM level.
- Pin and verify package integrity (checksums, signatures, sigstore where available) for every external dependency that reaches production. The 21.3% vulnerability-exploitation share masks a meaningful fraction where the "vulnerability" was a maliciously published package.
- Integrate AI coding assistants with a package-existence check before code generation lands on a developer's machine — this is a non-trivial control but is becoming table stakes.
- Calibrate incident response runbooks to the NIS2 reporting cadence (24/72 hours) for the specific incident types the ENISA report says are dominant: phishing-to-ransomware, exploited edge devices, and digital-service-provider compromise.
How Safeguard Helps
Safeguard SBOMs and dependency graphs identify typosquatting and slopsquatting candidates by computing name-similarity scores against known-good registries and against the live PyPI, npm, and crates.io catalogues — at ingest, not after install. Griffin AI reachability filters distinguishes a malicious package that touched a build step from one that reached production code paths, which materially changes incident severity under NIS2 reporting. TPRM workflows score managed service providers and SaaS vendors against the ENISA 2025 findings, including the specific supply chain risk dimensions ENISA highlights. Policy gates block builds that pull from packages without verified signatures or against compromised-package feeds. The compliance automation module maps the ENISA findings to NIS2 Article 21 measures and produces evidence packages that competent authorities increasingly expect to see in their supervisory cycles.