Alpaca Forms
| Primary URL | Location | Industry |
|---|---|---|
| alpacaforms[.]com | Country: United States of America | Technology |
Profile
Alpaca Forms, headquartered in the United States, is a company whose services were implicated in a significant 2019 supply-chain attack. The incident involved hackers compromising the servers of multiple companies, including Alpaca Forms, to inject malicious scripts into thousands of websites. These scripts were designed to harvest sensitive data from all form fields present on affected sites, such as payment details, login credentials, and contact information, and exfiltrate that data to a server based in Panama. The attack methodology specifically exploited third-party service providers, leveraging their widespread code distribution networks to maximize the number of compromised websites and the volume of data stolen. This approach allowed threat actors to bypass direct security measures on high-profile sites by targeting the secondary vendors whose code those sites trusted and integrated.
The malicious script delivery network was eventually disabled following intervention by Cloud CMS, a content management service. However, the attack's effectiveness was uneven; some affected third-party providers, notably Picreel and OmniKick, experienced implementation errors that rendered their delivered malicious code non-functional, thereby limiting data theft in those specific instances. This event served as a prominent case study illustrating a broader and escalating cybersecurity trend where attackers deliberately target secondary or tertiary vendors within a supply chain. By compromising these less scrutinized partners, adversaries can infiltrate a vast number of downstream organizations and their users with a single breach, exploiting the implicit trust placed in third-party code and services. The Alpaca Forms incident underscored the systemic risk posed by interconnected digital ecosystems and the critical importance of rigorous security vetting across all vendor relationships.
