2025 was the year software supply chain risk becamemeasurable. The increase in upstream attacks, CI/CDcompromises and container image manipulationrevealed how modern software is assembled and whereit can be disrupted. Trust was often assumed. Thatassumption was exploited.This report brings together signals from 2025 andoutlines what enterprises must prepare for in 2026. It isdesigned for leaders across technology, security andbusiness domains who need to convert supply chainawareness into operational capability.