Cybercrime Has Entered the Physical Supply Chain

Cybercrime no longer stays neatly contained behind a screen. In Episode 369 of The 443 Podcast, Marc Laliberte and Corey Nachreiner unpack three recent threat stories that show how digital compromise can ripple outward into software supply chains, ransomware recovery, and even stolen freight shipments.

The common thread? Attackers are no longer relying on one obvious entry point. They are chaining together human behavior, trusted tools, third-party access, and weak verification processes to create attacks that move across both digital and physical environments.

A Roblox Cheat, an Infostealer, and a Software Supply Chain Incident

One of the episode’s most striking stories starts with something that sounds almost absurd: Roblox cheats.

Vercel, a major software development platform, disclosed a security incident impacting a limited number of customers. The incident was eventually tied back to a third-party AI platform, Context AI, which had access to a Vercel employee’s Google Workspace account. According to the episode discussion, an employee at Context AI appears to have been compromised by Lumma Stealer after searching for Roblox cheats. From there, stolen credentials and OAuth tokens opened a path into Vercel’s environment.

That path matters because it illustrates how modern supply chain risk actually works.

This was not a simple “someone clicked a bad link” story. It was a multi-stage compromise that moved from one employee’s device, to a third-party AI platform, to OAuth access, to a production environment, and potentially to customer environment variables.

For MSPs and SMBs, the lesson is clear: your security posture is no longer limited to your own endpoints, users, and applications. It also depends on the tools your vendors use, the permissions those tools have, and how quickly your team can detect suspicious activity across connected environments.

It also reinforces a practical point that security teams have repeated for years: corporate devices should not be used for personal software, game cheats, unknown downloads, or family browsing. What looks like a harmless personal action can become a business-impacting breach when it happens on a machine with privileged access.

When Ransomware Accidentally Becomes a Wiper

The episode also covers Vect, a newer ransomware-as-a-service offering that appeared on Russian-language cybercrime forums. On paper, Vect presents itself as ransomware. In practice, researchers found implementation flaws that can permanently destroy files larger than 128 KB.

That turns a supposed ransomware incident into something much worse: a wiper event.

The distinction matters. In a typical ransomware attack, victims may at least believe there is a theoretical path to decryption, even if paying the ransom is risky, discouraged, and never guaranteed. But if the malware destroys data during the encryption process, there may be nothing to recover from the attacker at all.

That puts the focus back where it belongs: backup and restoration readiness.

Having backups is not enough. Organizations need tested restoration processes, clear recovery time expectations, and confidence that their backups are isolated from the same compromise path as production systems. For MSPs, this is especially important because clients often assume “we have backup” means “we can recover quickly.” Those are not the same thing.

Vect also highlights a broader trend: as AI-assisted development becomes more accessible, threat actors may be able to create malware faster, but not necessarily better. Poorly built ransomware can still cause enormous damage, even if the attacker’s code is sloppy.

Cybercrime Is Now Stealing Real Shipments

The most unusual story from Episode 369 comes from an FBI warning about cyber-enabled cargo theft.

Threat actors are using social engineering, spoofed broker communications, fake websites, and malicious downloads to compromise freight brokers and carriers. Once inside, they can manipulate load boards, impersonate legitimate businesses, alter shipment details, and reroute goods to attacker-controlled destinations.

This is where the episode’s title lands: you would not download a shipment, but attackers are using digital compromise to steal physical cargo.

The attack chain is highly targeted. Criminals may impersonate a broker and send emails claiming that a carrier needs to sign a new agreement or address a poor service rating. Links in those emails can lead to fake websites that deliver legitimate remote monitoring and management tools. Because RMM tools are commonly used for IT administration, they may not be automatically blocked by standard antivirus tools.

From there, attackers can use stolen access to create fraudulent load postings, compromise additional carriers, change bills of lading, modify destination details, and coordinate the handoff of stolen goods.

This should get every operational leader’s attention. Cybersecurity is no longer just an IT concern. It now touches logistics, finance, legal, compliance, vendor management, and customer trust.

Why Trusted Tools Create Detection Challenges

One of the most important takeaways from the FBI cargo theft discussion is the abuse of legitimate tools.

Remote monitoring and management tools are not inherently malicious. MSPs use them every day to monitor endpoints, push updates, troubleshoot systems, and support customers. But that same functionality is valuable to attackers. If a threat actor can trick someone into installing an unexpected RMM tool, they may gain remote access without immediately triggering traditional malware defenses.

This is exactly why organizations need detection and response capabilities that look beyond known malware signatures.

Security teams should be able to identify unusual remote access tools, unexpected administrative behavior, new software appearing across endpoints, and activity that does not match normal business operations. For MSPs supporting multiple clients, that visibility becomes even more critical because one compromised tool or account can quickly become a broader operational issue.
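One way to put that visibility into practice, as an added example that is not from the episode or this page: a small Python check over a constructed endpoint software inventory that flags RMM products outside the MSP's approved set, approved products installed by non-deployment accounts or launched from a browser or mail client, and any product that is new to the fleet. The RMM product names, host names, accounts and allowlists are assumptions, not data from the page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative names of commercial RMM / remote-access products (assumption:
# your EDR or software inventory exports a comparable product field).
KNOWN_RMM = {"anydesk", "screenconnect", "teamviewer", "atera", "splashtop"}
# Installer parents that point to a user-driven download rather than a deployment.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

@dataclass(frozen=True)
class InstallEvent:
    host: str
    product: str       # product name from the inventory
    installed_by: str  # account that ran the installer
    parent: str        # parent process of the installer

def detect_unexpected_rmm(events, approved_rmm, admin_accounts):
    """Return (host, product, reason) findings for RMM installs that do not
    match how the MSP actually deploys its own tooling."""
    findings = []
    for e in events:
        product = e.product.lower()
        if product not in KNOWN_RMM:
            continue
        if product not in approved_rmm:
            findings.append((e.host, e.product, "RMM tool not on approved list"))
        elif e.installed_by not in admin_accounts:
            findings.append((e.host, e.product, "approved RMM installed by non-admin account"))
        elif e.parent.lower() in LURE_PARENTS:
            findings.append((e.host, e.product, "RMM installer launched from browser or mail client"))
    return findings

def new_products_across_fleet(events, baseline_products):
    """Products absent from the baseline inventory, mapped to the hosts they appeared on."""
    seen = defaultdict(set)
    for e in events:
        if e.product.lower() not in baseline_products:
            seen[e.product].add(e.host)
    return {p: sorted(h) for p, h in seen.items()}

# Constructed sample telemetry, accounts and allowlists (not real data).
SAMPLE_EVENTS = [
    InstallEvent("carrier-ws01", "ScreenConnect", "svc-msp-deploy", "msiexec.exe"),
    InstallEvent("carrier-ws02", "AnyDesk", "jsmith", "chrome.exe"),
    InstallEvent("carrier-ws03", "ScreenConnect", "jdoe", "msiexec.exe"),
    InstallEvent("carrier-ws04", "7-Zip", "svc-msp-deploy", "msiexec.exe"),
]
APPROVED_RMM, ADMIN_ACCOUNTS = {"screenconnect"}, {"svc-msp-deploy"}
BASELINE_PRODUCTS = {"screenconnect", "7-zip"}
```

Against the sample data, the approved-list and non-admin-install rules fire on ws02 and ws03 while the MSP's own deployment on ws01 stays silent; the fleet-wide check surfaces AnyDesk as the one product not in the baseline.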

What MSPs and SMBs Should Take Away

Episode 369 is not just a collection of interesting threat stories. It is a warning about how cyber risk is evolving.

The key lessons include:

  • Third-party access can create downstream risk.
    The Vercel incident shows how one compromised user at a third-party provider can expose another organization to risk.
  • Recovery planning matters before ransomware hits.
    Vect shows why tested backups and restoration processes are critical, especially when ransomware behaves more like a wiper than an encryption tool.
  • Cybercrime can disrupt physical operations.
    The cargo theft warning shows how attackers can use digital compromise to reroute shipments and steal real-world goods.

For MSPs and SMBs, the practical priorities are clear:

  • Strengthen endpoint protection and detection across user devices, especially for employees with privileged access.
  • Review third-party application permissions, OAuth access, and SaaS integrations regularly.
  • Train employees to recognize social engineering tactics tied to urgency, contracts, poor reviews, account warnings, or business process pressure.
  • Monitor for unexpected RMM tools and unusual remote access behavior.
  • Validate critical business process changes through secondary channels, especially for payment, shipment, pickup, vendor, and destination changes.
  • Test backup restoration processes before an incident forces you to rely on them.

The bigger message is simple: attackers are not just hacking systems anymore. They are hacking trust. They are abusing business workflows, vendor relationships, remote access tools, and routine operational processes.

That means security has to move closer to how the business actually runs.

Security Must Follow the Attack Chain

Modern attacks rarely stay in one lane. They move from personal behavior to corporate systems, from third-party platforms to customer environments, from ransomware claims to irreversible data loss, and from fake emails to stolen shipments.

That is why prevention alone is not enough. Organizations need layered security, strong detection, fast response, and real-world recovery planning.

For MSPs, this is also an opportunity. Clients need help understanding that cybersecurity is not only about blocking malware. It is about protecting business continuity, operational trust, and the systems that keep revenue moving.

Cybercrime has entered the physical supply chain. The organizations that respond best will be the ones that treat security as part of the business, not just part of the network.

Listen to Episode 369 of The 443 Security Simplified here.