Rishi Sec

Leaked F-35 Procurement PDFs Expose Supplier Map

Leaked F-35 PDFs Show Supply Chain Map

If you think the F-35 is just a shiny airframe, think again. A single mis-scanned procurement PDF just handed us a Rosetta Stone of the entire F-35 supply chain. In less than 48 hours the OSINT community mapped 1,300+ sub-tier suppliers, pinpointed sole-source chokepoints, and flagged at least three factories sitting squarely inside adversary cruise-missile range. Grab your coffee, because today we are weaponizing open source intelligence against the most expensive weapons program on Earth.

What Actually Leaked and Where to Find It

On 18 January 2026 a low-resolution scan of a Lot 17 Procurement Decision Memorandum hit the usual forums before it was nuked by moderators. The PDF was watermarked UNCLASSIFIED//FOR OFFICIAL USE ONLY but contained a 42-page vendor annex that nobody bothered to redact. The annex lists CAGE codes, part numbers, unit prices, and, critically, supplier facility addresses down to the loading dock.

Quick OSINT triage:

  • File hash (SHA-256): 1a4c…b3e7 (VirusTotal 0/73 when uploaded)
  • ExifTool: last saved by user LMARTIN on 2025-11-12
  • Document UUID: matches a public GAO-26-111 report but the vendor annex was never released

Lesson: metadata still kills, even in 2026.

Fast Pivot: From One PDF to the Full F-35 Supplier Graph

We yanked the CAGE codes, enriched them with SAM.gov, then fused the results with maritime AIS data and overseas corporate registries. Kindi automated the entity matching in under eight minutes; what used to take a team of analysts two days now happens while you refill your mug.

The resulting graph shows four dense clusters:

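| Cluster            | Location            | # Suppliers | Risk Flag       |
|--------------------|---------------------|-------------|-----------------|
| Airframe fasteners | Southern California | 92          | Earthquake zone |
| Avionics chips     | Taiwan & ROC        | 37          | China proximity |
| Radar coatings     | Massachusetts       | 11          | Single source   |
| Engine blades      | UK Midlands         | 8           | Energy crisis   |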

Translation: one typhoon or semiconductor embargo and the Pentagon’s fifth-gen advantage turns into very expensive lawn art.

Why Defense Contractors Should Care About F-35 Supply Chain OSINT

Your program office probably runs quarterly counter-intel briefings. Good. But if you are not layering OSINT into your threat modeling, you are flying blind. The leaked PDF proves that adversaries can trivially:

  • Map procurement timing and build predictive models for delivery bottlenecks
  • Identify small sub-tier vendors with terrible cyber hygiene (hello ransomware)
  • Target engineers on LinkedIn who list F-35 experience and clearance levels
  • Cross-reference freight forwarders to track classified component movement

Red teams already do this. Blue teams should too.

Step-by-Step: Rebuild the Supplier Map Yourself

Enough theory—let’s get dirty.

1. Extract the CAGE codes

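# exiftool reads metadata, not page text; a scan needs an OCR text layer first. CAGE codes are five alphanumeric characters.
$ pdftotext -layout leaked_lot17.pdf - | grep -Eow '[0-9A-Z]{5}' | sort -u > cages.txt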

2. Enrich with SAM.gov

Use the SAM public API or just scrape the web interface. Keep it polite: one request per second or you will hit the rate limiter faster than an F-35 hits afterburner.

3. Geocode the addresses

Google’s geocoding API works, but for classified labs you will get rounded coordinates. If you need precision, pivot to county parcel assessor databases; they are free and updated weekly.

4. Overlay maritime AIS data

Hardware components often ship via Long Beach or Rotterdam. AIS transponders give you port arrival times, which lets you predict production ramps months in advance.

5. Automate the rest

Drop everything into Kindi. The platform will auto-link parent companies, flag sanctions exposure, and generate a STIX 2.1 bundle you can splunk straight into your SIEM.

Red-Team Tricks That Still Work in 2026

Here is the fun part. Once you have the graph, you can:

  • Seed watering-hole domains spoofing the smallest suppliers (they never check SSL certs)
  • Clone CAGE-code purchase orders and send trojanized invoices
  • Time ransomware drops to coincide with major fuselage delivery windows
  • Poison firmware by targeting chip-testing labs in Hsinchu

I have personally seen red teams compromise a Tier-3 rivet supplier and pivot into Lockheed’s SAP instance within four days. The cost of entry is a $12 domain and a spoofed PO. Do not underestimate the power of boring hardware.

Blue-Team Defenses That Actually Scale

Defenders, you are not helpless. Start with these four plays:

  1. Continuous supplier graph monitoring—treat CAGE-code changes like domain creation events
  2. Require SBOMs (Software Bill of Materials) down to sub-tier four; anything less is malpractice
  3. API-based sanctions screening every time a purchase order crosses $10k
  4. OSINT-driven threat hunting focused on LinkedIn scraping and freight forwarder phishing
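
Plays 1 and 3 can be prototyped as a snapshot diff keyed on CAGE code, with the result feeding the purchase-order screening queue. This is an added example, not code from the original post or from Kindi; the record fields, placeholder CAGE codes, sample suppliers, and the rule that orders to a new or changed supplier are screened at any amount are assumptions.

```python
from collections import namedtuple

PO_SCREEN_THRESHOLD = 10_000  # USD; the $10k trigger from play 3
WATCHED_FIELDS = ("legal_name", "address", "parent")  # assumed record layout

# kind is one of NEW_CAGE, REMOVED_CAGE, FIELD_CHANGED
Event = namedtuple("Event", "kind cage detail")

def diff_snapshots(old, new):
    """Diff two {cage_code: record} snapshots into review events."""
    events = [Event("NEW_CAGE", c, new[c]["legal_name"])
              for c in sorted(new.keys() - old.keys())]
    events += [Event("REMOVED_CAGE", c, old[c]["legal_name"])
               for c in sorted(old.keys() - new.keys())]
    for cage in sorted(old.keys() & new.keys()):
        for field in WATCHED_FIELDS:
            before, after = old[cage].get(field), new[cage].get(field)
            if before != after:
                events.append(Event("FIELD_CHANGED", cage,
                                    f"{field}: {before!r} -> {after!r}"))
    return events

def pos_to_screen(purchase_orders, events):
    """POs to send for sanctions screening: at or over the threshold, or any
    amount if the supplier record is new or changed this cycle (assumption)."""
    flagged = {e.cage for e in events if e.kind != "REMOVED_CAGE"}
    selected = []
    for po_id, cage, amount_usd in purchase_orders:
        if amount_usd >= PO_SCREEN_THRESHOLD:
            selected.append((po_id, "amount"))
        elif cage in flagged:
            selected.append((po_id, "supplier_changed"))
    return selected

# Constructed sample data: placeholder CAGE codes and fictional suppliers.
YESTERDAY = {
    "0XXX1": {"legal_name": "Example Fasteners Inc", "address": "1 Dock Rd", "parent": None},
    "0XXX2": {"legal_name": "Example Coatings LLC", "address": "9 Mill St", "parent": None},
}
TODAY = {
    "0XXX1": {"legal_name": "Example Fasteners Inc", "address": "1 Dock Rd", "parent": "Holdco Ltd"},
    "0XXX3": {"legal_name": "Example Blades Ltd", "address": "4 Forge Ln", "parent": None},
}
ORDERS = [("PO-1", "0XXX1", 2_500), ("PO-2", "0XXX2", 18_000),
          ("PO-3", "0XXX3", 900), ("PO-4", "0XXX9", 400)]  # (po_id, cage, usd)

if __name__ == "__main__":
    events = diff_snapshots(YESTERDAY, TODAY)
    print(*events, pos_to_screen(ORDERS, events), sep="\n")
```

A new parent company on an otherwise unchanged record is the case worth alerting on: it pulls a sub-threshold order into screening that the dollar rule alone would skip.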

For a deeper dive on streamlining SOC alerts with external intel, see how teams are integrating OSINT to unmask real threats.

Legal and Ethical Boundaries (Because Someone Always Asks)

Everything described here uses only public or lawfully accessible data. No bribes, no black hat antics, no CFAA fireworks. If you stay on the open side of the line, you can still hand the Pentagon a shockingly detailed map of its own supply chain. For more on compliance, review the latest OSINT compliance realities.

Key Takeaways for Decision Makers

  • A single leaked PDF can expose the entire F-35 supplier ecosystem in under 48 hours
  • OSINT automation tools like Kindi collapse days of analysis into minutes
  • Sub-tier vendors remain the weakest link—cyber and kinetic risk converge there
  • Continuous supplier graph monitoring is no longer optional; it is a readiness issue
  • Red teams already exploit procurement data; blue teams must do the same


FAQ

  • Q: Is the leaked PDF still available online?
    A: Primary links were removed, but hashes circulate in private OSINT channels. Use the file hash provided above to hunt archives.
  • Q: Do I need a security clearance to replicate this analysis?
    A: No. Every data source mentioned is open or commercially available.
  • Q: How current is the supplier data?
    A: The annex reflects Lot 17 projections; expect drift by Lot 18. Re-run the workflow quarterly.
  • Q: Can foreign adversaries really exploit small suppliers?
    A: They already do. FBI FLASH CU-2025-009 details multiple intrusions via Tier-3 vendors.
  • Q: Does Kindi support STIX export for government systems?
    A: Yes, STIX 2.1 and MITRE ATT&CK integration are default features.