Recently, attackers seem to have shifted focus away from directly targeting companies with strong security or a wealth of resources to going after weak links in the software supply chain.