
As We Close 2025, One Pattern Is Clear
Containers Will Be the Fastest Way In
As we wrap up 2025 and begin shaping priorities for the year ahead, I see a clear shift in how software risk appears inside modern environments. It no longer arrives as a sudden incident. It shows up quietly through dependencies, build pipelines and container images. It embeds itself inside the delivery process before teams even know it is there.
Across 2024 and 2025, this pattern became visible throughout APAC. The most impactful attacks did not target network edges. They targeted software components that developers trusted. They entered through public registries, open-source packages and, in some cases, official container images. These signals are too consistent to ignore.
What follows is not speculation. It is a summary of what we have been seeing across the ecosystem and how I believe 2026 will reshape supply chain expectations for enterprises in the APAC region.
What Actually Happened
1. Public registries became active hunting grounds
In 2025, hundreds of malicious packages appeared across npm, PyPI and Docker Hub. Some impersonated or hijacked legitimate libraries. Others harvested credentials directly from CI pipelines. The Shai-Hulud npm worm used stolen maintainer tokens to republish infected versions of packages and planted a GitHub Actions workflow in victims' repositories to exfiltrate secrets. This was not a traditional breach. It was a supply chain infiltration.
This confirmed one shift. Attackers are not waiting at the perimeter. They are moving upstream into dependencies that teams already use.
2. The XZ Utils backdoor nearly went mainstream
A backdoor, planted after a multi-year effort to win maintainer trust, was discovered in XZ Utils in March 2024 (CVE-2024-3094, affecting releases 5.6.0 and 5.6.1). Months later, backdoored versions were still found inside official Docker Hub images. Many teams using trusted base images were unknowingly shipping workloads with a built-in path to remote code execution through the OpenSSH server process on affected systems.
This reminded us of a core principle. A trusted image is not the same as a verified one.
3. India saw its own example
An npm package used by an Indian payment provider was found leaking credit card data through an embedded tunnel. It was not an advanced incident. It was a supply chain compromise that had already entered containerized integration environments before anyone noticed.
This showed that the problem is not waiting to arrive in India. It has already arrived.
4. Runtime and Kubernetes vulnerabilities widened the blast radius
Recent vulnerabilities in runC and Kubernetes widened the blast radius further. A single malicious package can now move across the full chain: from source, into the CI pipeline, into container builds, across clusters and finally onto the hosts that run them. That progression is faster than most teams are prepared for.
5. CERT-In accelerated expectations
In 2024, CERT-In introduced its technical guidelines on SBOM. In 2025, the guidelines expanded to cover CBOM, QBOM, AIBOM and HBOM. The tone shifted from advisory to review expectation: BFSI, telecom, public-sector projects and software exporters will increasingly need to demonstrate supply chain visibility to qualify for certain contracts.
6. APAC adoption is rising faster than control maturity
Cloud-native ecosystems are growing rapidly across APAC, and containers and Kubernetes are now industry standards. Yet in many organizations, security controls remain focused on post-deployment scanning rather than pre-verified builds. That gap is becoming the new target surface.
What I Believe 2026 Will Bring
#1
Supply chain attacks will not be rare. They will become a constant background condition. Teams will begin asking how quickly they can find and trace every image affected by a compromised dependency.
#2
Containers will become the fastest way to weaponize supply chain weaknesses. A single compromised dependency can propagate across hundreds of container images and reach multiple clusters within hours.
#3
SBOM, signed images and provenance will shift from recommendations to expectations. Audit teams will ask for verifiable evidence, not just scanning reports.
#4
Build containers and CI agents will become high-value targets. Tokens and credentials from CI environments have already led to breaches. In 2026, the build stage will become the primary trust boundary.
#5
AI will accelerate every part of the attack cycle. It will also accelerate readiness for teams that use it well. I believe this will become one of the biggest differentiators in 2026.
What Enterprises in APAC Can Do Now
The most effective response is lifecycle-based rather than tool-based. The objective is to make risk visible from source to runtime.
Phase 1: Control where code comes from
• Mirror critical packages
• Track maintainership changes
• Vet dependencies before CI pipelines use them
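Phase 1 in practice, as an added example that is not CleanStart's code: a pre-install check over an npm registry packument (the JSON that registry.npmjs.org returns for a package name) that flags a release published by an account that had never published the package before, or a release that gained install-time scripts relative to its predecessor. Both are the tell-tale shape of the Shai-Hulud pattern described above. The packument, the package name and the account names are constructed for the example.

```python
"""Vet an npm release before a CI pipeline installs it.

Added example, not CleanStart's code. Input is an npm "packument": the JSON
that https://registry.npmjs.org/<name> returns, carrying every published
version, its publisher (_npmUser), its scripts and a publish-time map.
Two checks that catch a token-abuse release (a new version pushed by a
hijacked or unfamiliar account and carrying an install hook):
  1. the version was published by an account that never published this
     package before;
  2. the version gained install-time scripts relative to the previous release.
The packument below is constructed; package and account names are made up.
"""
from datetime import datetime

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

SAMPLE_PACKUMENT = {
    "name": "example-payment-sdk",  # hypothetical package
    "dist-tags": {"latest": "2.4.0"},
    "time": {
        "created": "2025-05-01T10:00:00.000Z",
        "2.3.0": "2025-05-01T10:00:00.000Z",
        "2.3.1": "2025-06-15T10:00:00.000Z",
        "2.4.0": "2025-09-20T03:12:00.000Z",
    },
    "versions": {
        "2.3.0": {"_npmUser": {"name": "alice"}, "scripts": {"test": "jest"}},
        "2.3.1": {"_npmUser": {"name": "alice"}, "scripts": {"test": "jest"}},
        "2.4.0": {"_npmUser": {"name": "mallory"},
                  "scripts": {"test": "jest", "postinstall": "node setup.js"}},
    },
}


def _publish_time(packument, version):
    stamp = packument["time"][version].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def ordered_versions(packument):
    """Published versions in publication order (registry time map, not semver)."""
    published = [v for v in packument["versions"] if v in packument["time"]]
    return sorted(published, key=lambda v: _publish_time(packument, v))


def _publisher(packument, version):
    return packument["versions"][version].get("_npmUser", {}).get("name")


def _install_hooks(packument, version):
    scripts = packument["versions"][version].get("scripts", {})
    return {hook for hook in INSTALL_HOOKS if hook in scripts}


def vet_release(packument, version):
    """Return findings for `version`; an empty list means no red flags."""
    history = ordered_versions(packument)
    if version not in history:
        return [f"{version}: not published to the registry"]
    prior = history[: history.index(version)]
    findings = []

    # Check 1: a publisher account this package has never seen before.
    publisher = _publisher(packument, version)
    seen = {_publisher(packument, v) for v in prior} - {None}
    if prior and publisher not in seen:
        findings.append(
            f"{version}: first release by '{publisher}' "
            f"(previous publishers: {sorted(seen)})"
        )

    # Check 2: install-time scripts that the previous release did not have.
    hooks = _install_hooks(packument, version)
    previous_hooks = _install_hooks(packument, prior[-1]) if prior else set()
    gained = hooks - previous_hooks
    if gained:
        findings.append(f"{version}: gained install-time scripts {sorted(gained)}")
    return findings


def allowed(packument, version):
    """Pipeline gate: True only when vet_release reports nothing."""
    return not vet_release(packument, version)


if __name__ == "__main__":
    for v in ordered_versions(SAMPLE_PACKUMENT):
        print(v, vet_release(SAMPLE_PACKUMENT, v) or "ok")
```

Run against a live packument, the gate belongs in the step that resolves the lockfile, before `npm ci`; a finding should hold the build for a human decision rather than fail silently, because a legitimate maintainer handover looks identical to a takeover until someone checks.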
Phase 2: Harden the build step
• Isolate CI containers and agents
• Remove static credentials
• Move toward reproducible and attested builds
Phase 3: Secure the registry layer
• Sign container images at push time
• Attach SBOM and provenance with each image
• Limit who can push and promote internally
Phase 4: Deploy with policy
• Enforce trusted registries
• Block unsigned or unverifiable images
• Isolate container communication inside clusters
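The first two Phase 4 controls, as an added example that is not CleanStart's code and not a real admission controller: a policy evaluator of the kind a validating webhook runs over a Pod spec. It parses each image reference the way a container runtime does (default registry `docker.io`, implicit `library/` namespace, tag and digest split), then rejects images that are not from an allow-listed registry, that are referenced by a mutable tag rather than a digest, or whose digest has no recorded signature. The registry name, Pod specs and signature store are constructed.

```python
"""Admission-time image policy: trusted registry, digest pinning, signature.

Added example, not CleanStart's code and not a real admission controller.
It evaluates the image references in a Pod spec the way a validating
webhook would. Three rules from Phase 4:
  - the image must come from an allow-listed registry,
  - it must be pinned by digest (a tag is not a verifiable identity),
  - the digest must have a recorded signature.
The registry name, the signature store and the Pod specs are constructed.
"""
import re

TRUSTED_REGISTRIES = {"registry.internal.example"}  # assumed internal registry
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed stand-in for "cosign verify" results: digests with a valid signature.
SIGNED_DIGESTS = {"sha256:" + "a" * 64}


def parse_image(ref):
    """Split an OCI reference into (registry, repository, tag, digest).

    Follows the Docker reference rules: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise
    the image lives on docker.io, where a bare name maps to library/<name>.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):  # a ':' after the last '/' starts the tag
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag, digest


def evaluate_image(ref):
    """Return the list of policy violations for one image reference."""
    registry, _repo, _tag, digest = parse_image(ref)
    reasons = []
    if registry not in TRUSTED_REGISTRIES:
        reasons.append(f"registry {registry} is not trusted")
    if digest is None:
        reasons.append("image is not pinned by digest")
    elif not DIGEST_RE.match(digest):
        reasons.append(f"malformed digest {digest}")
    elif digest not in SIGNED_DIGESTS:
        reasons.append(f"no signature recorded for {digest}")
    return reasons


def admit(pod_spec):
    """Return (allowed, reasons) covering init and regular containers."""
    reasons = []
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field, []):
            for reason in evaluate_image(container["image"]):
                reasons.append(f"{field}/{container['name']}: {reason}")
    return (not reasons, reasons)


if __name__ == "__main__":
    good = {"containers": [{"name": "api",
                            "image": "registry.internal.example/app/api@sha256:" + "a" * 64}]}
    bad = {"containers": [{"name": "web", "image": "nginx:latest"}]}
    print(admit(good))
    print(admit(bad))
```

Init containers are checked deliberately: they run with the same image trust as the main containers and are a common place for an unreviewed helper image to slip in. In a real cluster the `SIGNED_DIGESTS` lookup is replaced by a signature verification against the registry, and the tag is ignored entirely once a digest is present.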
Phase 5: Respond with traceability
• Maintain searchable SBOMs
• Enable one-hour lookup of every image that contains a given package
• Rebuild and rotate rapidly when a dependency is compromised
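Phase 5 and the one-hour question together, as an added example that is not CleanStart's code: an in-memory index over CycloneDX JSON SBOMs, one per image digest, keyed by Package URL, so that "which images carry this package in this version range?" is a single lookup rather than a scan of every image. The SBOMs, image names and digests are constructed; the xz range 5.6.0 to 5.6.1 is the real set of backdoored releases under CVE-2024-3094.

```python
"""Searchable SBOM index: which images carry a compromised dependency?

Added example, not CleanStart's code. It indexes CycloneDX JSON SBOMs (one
per image, keyed by the image's digest reference) by Package URL so that the
Phase 5 question "which images must be rebuilt?" is one lookup.
The SBOMs, image names, digests and most versions below are constructed;
the xz-utils range 5.6.0-5.6.1 is the real backdoored set (CVE-2024-3094).
"""
import re

IMG_API = "registry.internal.example/app/api@sha256:" + "1" * 64
IMG_WEB = "registry.internal.example/app/web@sha256:" + "2" * 64
IMG_WORKER = "registry.internal.example/app/worker@sha256:" + "3" * 64


def _bom(*purls):
    """Minimal CycloneDX document with one component per purl (constructed)."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "library", "purl": p} for p in purls]}


SBOMS = {
    IMG_API: _bom("pkg:npm/lodash@4.17.20", "pkg:deb/debian/xz-utils@5.6.1"),
    IMG_WEB: _bom("pkg:npm/lodash@4.17.21", "pkg:deb/debian/xz-utils@5.4.5"),
    IMG_WORKER: _bom("pkg:npm/lodash@4.17.20", "pkg:pypi/requests@2.32.3"),
}

# pkg:<type>/[<namespace>/]<name>[@<version>][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:([^/]+)/(?:(.+)/)?([^@/]+)(?:@([^?#]+))?")


def parse_purl(purl):
    """Return (type, namespace, name, version) or None for a malformed purl."""
    m = PURL_RE.match(purl)
    return m.groups() if m else None


def version_key(version):
    """Comparable key for dotted versions; numeric parts compare as integers.

    Simplified on purpose: pre-release tags (1.0-rc1) sort after 1.0, which
    full semver would not do. Good enough for distro and npm release ranges.
    """
    key = []
    for part in re.split(r"[.\-+]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


def build_index(sboms):
    """Map (type, namespace, name) -> {version -> set of image references}."""
    index = {}
    for image, bom in sboms.items():
        for component in bom.get("components", []):
            parsed = parse_purl(component.get("purl") or "")
            if parsed is None:
                continue
            ptype, namespace, name, version = parsed
            index.setdefault((ptype, namespace, name), {}) \
                 .setdefault(version, set()).add(image)
    return index


def affected_images(index, package_purl, min_version=None, max_version=None):
    """Sorted images carrying `package_purl` (no version) within [min, max]."""
    parsed = parse_purl(package_purl)
    if parsed is None:
        return []
    hits = set()
    for version, images in index.get(parsed[:3], {}).items():
        if version is not None:
            key = version_key(version)
            if min_version and key < version_key(min_version):
                continue
            if max_version and key > version_key(max_version):
                continue
        hits |= images
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(SBOMS)
    print(affected_images(idx, "pkg:deb/debian/xz-utils", "5.6.0", "5.6.1"))
    print(affected_images(idx, "pkg:npm/lodash", None, "4.17.20"))
```

The index is keyed by image digest, not tag, so the answer maps directly to the rebuild list: each returned reference identifies one immutable artifact to rebuild and one set of deployments to roll. Persisting the same structure in a search engine or a database table is what turns the one-hour target from an aspiration into a query.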
Where CleanStart Aligns With This Shift
I believe industry momentum is moving toward pre-verified container builds rather than post-deployment fixes. This is aligned with the approach we take at CleanStart. Our focus is on hardened base images, hermetic builds and provenance that travels with every artifact. The goal is to treat trust as a build property, not an audit exercise.
This is not a theoretical direction. It is increasingly becoming a procurement and compliance expectation across regulated sectors in India and APAC. Early adoption can prevent disruption later and create a strong foundation for scale.
A Question I Think Every Team Should Ask in 2026
“If a dependency is compromised tomorrow, can every affected container image be identified and rebuilt within one hour, not one week?”
If the answer is uncertain, that is the right moment to revisit container governance before attackers do it first.
Final Thought
The perimeter is no longer the frontline. The software supply chain is. Containers helped us move faster. In 2026, they will test how prepared we are to verify what we build and deploy rather than simply trust it.
The APAC region is in a stronger position to lead this shift. Supply chain visibility must be built in, not added later. That decision may become the most important one of the year ahead.