Supply Chain Attacks Surge in March 2026

Introduction

There was a significant increase in software supply chain attacks in March 2026. Five major software supply chain attacks occurred, including the Axios NPM package compromise, which has been attributed to a North Korean threat actor. In addition, a hacking group known as TeamPCP was able to compromise Trivy (a vulnerability scanner), KICS (a static analysis tool), LiteLLM (an interface for AI models), and Telnyx (a library for real-time communication features).

In this blog, we cover two of these supply chain attacks, which are significant given the scale and popularity of these packages.

Axios NPM Package Compromised to Distribute Cross-Platform RAT

Summary

On March 30, 2026, security researchers discovered that the widely used NPM package Axios was compromised through an account takeover attack targeting a lead maintainer. Threat actors bypassed the project’s GitHub Actions CI/CD pipeline by compromising the maintainer’s NPM account and changing its associated email. The threat actor manually published two malicious versions via the NPM CLI.

These poisoned releases inject a hidden dependency called plain-crypto-js@4.2.1, which executes a postinstall script functioning as a cross-platform Remote Access Trojan (RAT) dropper targeting macOS, Windows, and Linux systems.

During execution, the malware contacts command-and-control (C2) infrastructure at sfrclak[.]com to deliver platform-specific payloads, then deletes itself and replaces its package.json with a clean version to evade detection.

Recommendations

- Review package.json, package-lock.json, and yarn.lock files for axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1. Remove any compromised packages, clear caches, and reinstall clean ones.
- Downgrade to axios@1.14.0 (for 1.x users) or axios@0.30.3 (for 0.x users) and update lockfiles.
- Search for connections to sfrclak[.]com or 142.11.206[.]73 from developer workstations and CI/CD systems.
- Use private registry proxies and Software Composition Analysis (SCA) tools to filter and monitor third-party packages.
- Restrict open-source package consumption on corporate devices and CI systems to enterprise open-source package managers. Use Zscaler Internet Access controls to block access to internet package managers from corporate devices. Use native controls and Zscaler Private App Connectors to block access to internet package managers from CI systems.
- Apply lockfiles strictly (e.g., package-lock.json, pnpm-lock.yaml) and use npm ci instead of npm install.
- Reduce dependency surface by auditing and removing unused packages.
- Apply least privilege principles using scoped, short-lived keys and tokens.
- Revoke NPM tokens, GitHub PATs, cloud keys, and CI/CD secrets.
- Enable phishing-resistant multifactor authentication (MFA) on NPM, GitHub, and cloud platforms.
- Flag abnormal NPM publishes, unexpected GitHub workflow additions, or secret scanner usage in CI.
- Treat impacted systems as compromised by isolating, scanning, or reimaging them.
- Update response playbooks for supply chain attacks and run practice drills.
- Restrict build environments to internal package managers or trusted mirrors, and limit internet access to reduce exfiltration risk.
- Reinforce the secure handling of tokens and secrets, and train teams on phishing awareness and supply chain security best practices.
- Enforce a release cooldown period to ensure users can’t check out newly released packages, stopping emerging supply chain attacks.

Affected packages and versions

The following packages are impacted by this compromise.

Package    Version
Axios      1.14.1
Axios      0.30.4

Table 1: Axios package versions impacted by the compromise.

How it works

All NPM packages include a package.json file that declares dependencies. In the compromised version of Axios, the threat actor added a dependency for a malicious package called plain-crypto-js, which included a postinstall script that ran a setup.js script via node.

When developers or CI pipelines run npm install axios@1.14.1, NPM resolves the dependency tree, downloads plain-crypto-js@4.2.1, and runs the postinstall script. Running node setup.js triggers the compromise sequence.

Attack chain

The figure below shows the attack chain.

Figure 1: Attack chain for the compromised Axios package.

TeamPCP Supply Chain Attack Targets LiteLLM on PyPI

Summary

On March 26, 2026, a supply chain attack was uncovered targeting LiteLLM, a popular AI infrastructure library hosted on PyPI with roughly 3.4 million downloads per day. Two LiteLLM package versions were found to include malicious code published by a threat group called TeamPCP. TeamPCP has been associated with multiple recent supply chain attacks such as KICS, Telnyx, and an attack on Aqua Security’s Trivy. The impacted package versions of LiteLLM were only available in PyPI for about three hours before they were quarantined.

The poisoned LiteLLM packages appear to be part of an attack designed to harvest high-value secrets such as AWS, GCP, and Azure tokens, SSH keys, and Kubernetes creden

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
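
For the lockfile review in the Axios recommendations above, an added example (not code from the original article): a Node.js function that checks an npm lockfile for the three package versions the article names and also lists packages that declare install scripts, the mechanism described under "How it works". The function names and the sample lockfile are constructed for illustration.

```javascript
// Versions are the ones named in the article; names and sample data are constructed.
const COMPROMISED = new Map([["axios", ["1.14.1", "0.30.4"]], ["plain-crypto-js", ["4.2.1"]]]);

// npm v1 lockfiles nest transitive packages under each entry's "dependencies".
function* walkV1(deps, trail = "") {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${trail}node_modules/${name}`;
    yield [name, entry, path];
    yield* walkV1(entry.dependencies, `${path}/`);
  }
}

// v2/v3 lockfiles use a flat "packages" map keyed by install path.
function* walkV2(packages) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages)) {
    const i = path.lastIndexOf(marker);
    if (i < 0) continue; // root project or a local workspace folder
    yield [entry.name || path.slice(i + marker.length), entry, path]; // entry.name: aliased install
  }
}

function scanLockfile(text) {
  const lock = JSON.parse(text);
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies);
  const findings = [];
  for (const [name, entry, path] of entries) {
    const { version } = entry;
    if ((COMPROMISED.get(name) || []).includes(version)) {
      findings.push({ path, name, version, reason: "compromised-version" });
    } else if (entry.hasInstallScript) { // runs code at install time; review, not a verdict
      findings.push({ path, name, version, reason: "install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
  },
});
console.log(scanLockfile(SAMPLE_LOCK));
```

Pass it the text of each package-lock.json from developer workstations and CI checkouts; yarn.lock and pnpm-lock.yaml use different formats and need their own parsers.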

This article has been indexed from Security Boulevard
