From voice cloning to supply chain attacks, how AI could transform cybersecurity threats in 2025

It’s 10 p.m. on a Sunday when your lead researcher rushes onto an emergency video call. On screen are your CTO and CISO—both visibly alarmed—demanding the immediate deployment of an untested AI model to patch a critical security vulnerability. Their voices and mannerisms feel perfectly authentic. Except they aren’t real. They’re AI-generated clones. And with that one conference call, your carefully scheduled product roadmap is about to unravel.

Sound far-fetched? Think again. According to Danny Jenkins, CEO of ThreatLocker, voice-cloning attacks—once the stuff of sci-fi—are already a distinct possibility.

More than voice cloning

And as the earlier example pointed out, attackers can do more than voice cloning. With millions of deep fakes already circulating on social media, there is a pressing need to detect and label such content. The Guardian noted in mid-2024 that making deepfakes was “increasingly easy,” and the barrier to entry has only fallen since. As the threat landscape evolves, it’s telling that the U.S. government is allocating $30 billion to cybersecurity in 2025. Nine out of ten cybersecurity and risk leaders plan on budgeting more to cyber in 2025 than last year, as Forrester noted.

By 2025, R&D and product leaders across all industries—software, automotive, medtech, and beyond—are grappling with the sobering reality that AI isn’t just accelerating product innovation; it’s also turbocharging new forms of cyberattacks. With generative AI lowering the technical bar for threat actors and simultaneously boosting their sophistication, traditional defenses are crumbling under strain. The stakes have never been higher, and every missed patch or unsecured pipeline could open the door to a crippling breach—or, worse, a malicious update that compromises thousands of customers downstream.

From deepfakes to super-accurate phishing lures

GenAI attacks can do much more than spawn deepfakes and phishing lures. They open up new possibilities of attackers to launch traditional attacks. “We went on Google and searched for code for reverse shell in C#,” Jenkins explains. “When we compiled the most seasoned example, it got blocked immediately by antivirus. But when we asked ChatGPT to write the same thing—after some basic prompting—it generated functionally identical code that went completely undetected.”

And genAI makes it substantially easier for attackers to launch believable phishing attacks, which can target R&D and product development teams along with anyone else. Now, believable phishing exploits can come from attackers who don’t speak any English. “I don’t think we’ll see many Nigerian princes anymore,” Jenkins said, referring to the notorious old-school email scams.

AI isn’t just making attacks more sophisticated—it’s helping evade traditional security measures. “Every time you hit regenerate, it gave you a different version of the code,” Jenkins notes. “And it’s terrifying, because when we ran the AI-generated one, it wasn’t detected at all.”

In the sections that follow, we’ll explore exactly how AI is weaponizing product security threats, why supply chain attacks and voice-phishing are surging, and what steps R&D teams can take to ensure their development processes remain resilient. If you think a deepfake phone call is alarming, just wait until you see how swiftly attackers can generate brand-new malware or exploit that unpatched firmware update that’s been sitting in your backlog.

Cybercrime grows more corporoate

For years, many cybercriminal syndicates have operated much like mature business operations. If anything, that trend has only gained momentum. “It was always a business,” Jenkins notes, “but now it’s such a corporate business. These guys are making money because they’re businesses—they have quotas, and there’s a ten billion market there for cybercrime.”

In 2025, that means R&D and product teams must nix the image of an isolated hoodie-clad hacker lurking in a basement. “It’s got nothing to do with someone stealing your data because they want it—it’s about making money,” Jenkins explains. Instead, they’re facing sophisticated criminal enterprises with specialized divisions and sales pipelines. “Someone gets on your network, and they’ll maybe sell a thousand footholds in companies, and then they’ll trade them. When you think about a sales pipeline, I’m gaining access to the systems. I’m gonna sell you these leads, and then they’re going to go and execute those leads, and then they’re going to sell the deal to someone in Russia who’s got non-extradition treaty with the US, who can actually hold the ransom.”

“Ten years ago, someone would get on your network, encrypt your files, and send a demand for Bitcoin,” Jenkins says. “Today, someone gets on your network, they might sell that access to another group, who might then pivot to exfiltrate your data—and then yet another group specializes in encrypting it. It’s a full supply chain behind the scenes.”

From script kiddies to ‘pwn’ masters: AI levels the cybercrime playing field

While attackers at the high end are growing ever more sophisticated, there’s also a simultaneous trend drastically lowering the barriers to entry for would-be cybercriminals. In fact, you don’t even have to be a “script kiddy” anymore—a term once used to describe unskilled hackers who relied on existing, prewritten tools. Today, ChatGPT and other generative AI systems have obliterated the old entry barriers to writing sophisticated malware or spear-phishing campaigns.

“We’re not going from 1% to 80% of the world that can write malware,” Jenkins clarifies. “But we’re going from 0.00001% of people who are willing to write malware to 99% of those people who are willing to write malware can now go and create malware.”

Before AI, attackers often needed serious programming chops; now, even complete novices can generate novel, “signatureless” code with just a few prompts—making threats more numerous and harder to detect.

Why supply chain attacks are a nightmare for product teams

By 2025, a massive share of R&D teams—consumer electronics, aerospace, biotech, automotive, and more—use a blend of open-source libraries, outsourced modules, and cloud-based development pipelines. This creates a sprawling attack surface that’s ripe for infiltration by threat actors hoping to piggyback on your product updates. When asked if the IoT threat landscape had improved since the 2016 IoT-fueled Mirai botnet, which enabled a large-scale distributed denial-of-service (DDoS) attack on the website of cybersecurity journalist Brian Krebs, Jenkins is quick to answer in the negative.

“I moved into a house recently, and it’s quite a smart house, got a lot of smart stuff in it,” Jenkins explains. “There’s probably 48 IoT devices in my house.” Jenkins succeeded in connecting to many of them using mostly low-hanging-fruit approaches such as testing default passwords.

Once an attacker compromises a single IoT device—say, a connected camera with a default password—they can potentially pivot into more critical systems. For enterprise product teams, the stakes are even higher: unsecured embedded devices can open access to build servers or sensitive R&D resources.

This casual insecurity at the consumer level points to a deeper problem for R&D teams: If basic security hygiene is still lacking in 2025, what happens when threat actors target the complex supply chains that power modern product development? This is Jenkins’s top concern for software and hardware developers alike. “If you’re a software company and you become the source of the attack,” he warns, “you’re out of business. And that’s what keeps me up at night.”

The threat isn’t hypothetical—recent history offers sobering examples like the SolarWinds breach in 2020, where attackers compromised software updates that reached approximately 18,000 organizations, including critical U.S. government agencies. More recently, the 2023 3CX incident saw threat actors poison a widely-used VoIP application’s official update channel, demonstrating how supply chain compromises continue to evolve.

Nation-state actors, especially from countries with sophisticated cyber capabilities, are actively probing these supply chain vulnerabilities. Jenkins notes this systematic targeting of software companies, explaining how compromised components or updates could cascade through interconnected systems. Many products today contain software elements that automatically update from various global sources, creating complex dependencies that can pose thorny cyber risks.

Worse yet, the global code-sharing culture—while a productive boon on the one hand—also offers a massive hunting ground for adversaries. A single malicious commit to an open-source repository can quickly propagate into critical enterprise systems.

Endgame or new beginning?

For a smaller business that gets hit by ransomware, Jenkins says, “most likely, in 98% of cases, you’re going to survive that.” But for software and product companies that inadvertently infect their entire customer base?

In the end, if you don’t want to be the next 10 p.m. “emergency conference call” horror story, security can no longer be an afterthought. It’s your best shot at thriving in an era when even a frantic voice on the other end of the line may never have actually belonged to a human being.