Supply chain attacks are exploiting our assumptions