Twelve Days
Between March 19 and March 31, 2026, attackers compromised Trivy, Checkmarx, LiteLLM, Telnyx, and Axios. Five supply chain attacks in twelve days, affecting security tools, AI infrastructure, telecom SDKs, and one of the most widely downloaded npm packages on the planet.
That is not a bad month. That is a structural failure.
And it came on the heels of a 2025 that was already brutal: the chalk/debug npm compromise exposed 2.6 billion weekly downloads to a cryptostealer, the Shai-Hulud worm became the first self-replicating npm malware (backdooring 796 packages before it was contained), and the tj-actions/changed-files attack leaked secrets from 23,000 repositories through a cascading GitHub Actions compromise that started with a single stolen PAT.
March 2026 made all of that look like a warmup.
What Happened
March 19: Trivy (CVE-2026-33634, CVSS 9.4). TeamPCP compromised credentials from Aqua Security’s CI/CD environment and force-pushed 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware. Every CI/CD pipeline running Trivy exposed its secrets. Over 1,000 cloud environments were infected. CISA added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 8.
The irony is ugly. Trivy is a security scanner. Organizations run it specifically to detect vulnerabilities in their supply chain. The attackers turned that trust into the attack vector.
March 23: Checkmarx GitHub Actions. Using tokens harvested from the Trivy compromise, TeamPCP tampered with checkmarx/ast-github-action and checkmarx/kics-github-action. Another security tool, another credential harvest. The pattern was now clear: attack the security infrastructure itself, because that is what has the most privileged access.
March 24: LiteLLM (PYSEC-2026-2). TeamPCP compromised LiteLLM on PyPI. Version 1.82.7 injected a malicious payload into proxy_server.py that executes on import. Version 1.82.8 went further: a malicious .pth file that executes at Python interpreter startup, no import required. LiteLLM is present in 36% of cloud environments and averages 3.6 million daily downloads.
March 27: Telnyx. Same campaign. Compromised PyPI credentials for the Telnyx Python SDK. Malicious versions downloaded a WAV file embedding an XOR-encrypted second-stage payload. Creative, if nothing else.
March 31: Axios. A North Korean state actor (Microsoft attributes it to Sapphire Sleet, Google to UNC1069) compromised axios@1.14.1. Axios has roughly 100 million weekly downloads. The attacker injected a malicious dependency, plain-crypto-js, that deployed a platform-specific RAT via a postinstall script. No user interaction required. The window was about 2.5 hours. At Axios’s download volume, 2.5 hours is enormous.
Why This Is Different
We have been writing about supply chain risk for years. We wrote about static code analysis and its blind spots. We wrote about SCA limitations and cross-language dependency risks where Python packages silently vendor Java JARs. We wrote about the xz-utils backdoor and what it means when the release process itself is compromised.
March 2026 is different because the attackers figured out the meta-game.
The attackers are not just poisoning packages anymore. They are attacking the security tools that detect poisoned packages. Trivy and Checkmarx are the things organizations run to find supply chain compromises. When the scanner is the vector, the entire detection model breaks down.
The attacks are also chaining. The Trivy compromise yielded tokens that were used to compromise Checkmarx. The chalk/debug compromise in September 2025 yielded npm tokens that enabled the Shai-Hulud worm. The tj-actions compromise started with a stolen PAT from a different project entirely. Each attack generates the credentials for the next one.
And the Axios attack was a nation-state operation. Microsoft and Google both attributed it to North Korean actors. When state-sponsored groups are targeting npm packages with 100 million weekly downloads, the threat model has shifted from “annoying criminals” to “adversaries with resources and patience.”
What SCA Tools Miss
Software composition analysis catches known vulnerabilities in known packages. It checks your dependency tree against a database of CVEs. That is useful but insufficient against these attacks, because:
The vulnerability does not exist until the attacker publishes the malicious version. There is no CVE to match against during the attack window. The 2.5-hour window for Axios was more than enough for millions of installs.
SCA cannot detect a stolen maintainer credential. The malicious version of chalk looked exactly like a legitimate publish. The package name was correct. The version number was plausible. The only clue was a version on npm that did not exist in the GitHub repository.
SCA does not assess your CI/CD pipeline. The Trivy and Checkmarx attacks compromised GitHub Actions workflows. Your application’s package.json was fine. Your SBOM was accurate. The problem was in the build infrastructure, not the dependency tree.
And SCA definitely does not detect a .pth file that executes at Python interpreter startup before any of your code runs.
What Actually Helps
There is no single tool that would have prevented all five of these attacks. But there are practices that materially reduce the blast radius.
Pin dependencies to exact versions and verify checksums. GitHub’s 2026 Actions security roadmap introduces a dependencies: section that locks all direct and transitive dependencies with commit SHAs. That would have mitigated the Trivy and Checkmarx attacks.
Monitor for version discrepancies between registries and source repos. The chalk/debug compromise was discovered because someone noticed a version on npm that did not exist on GitHub. That kind of monitoring is cheap and effective.
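The registry-versus-repository comparison described above, as an added example (not the tooling that caught the chalk/debug compromise): it lists versions present in npm registry metadata that have no matching git tag. The package name `demo-colors`, its versions, timestamps and tags are constructed; the `versions` and `time` fields follow the npm registry metadata document, and the `since` cutoff is an assumption of this example.

```python
def _version_from_tag(tag, name):
    """Normalize 'v1.2.3', '1.2.3' and monorepo-style 'name@1.2.3' to '1.2.3'."""
    if tag.startswith(name + "@"):
        tag = tag[len(name) + 1:]
    return tag[1:] if tag.startswith("v") else tag

def untagged_releases(packument, git_tags, since=""):
    """Return [(version, published)] for registry versions with no matching tag.

    `since` is an ISO-8601 UTC timestamp; older releases are ignored so that
    history predating the project's tagging convention does not raise noise.
    """
    name = packument["name"]
    tagged = {_version_from_tag(t, name) for t in git_tags}
    times = packument.get("time", {})
    missing = []
    for version in packument.get("versions", {}):
        published = times.get(version)  # None if the registry omits it
        if version in tagged:
            continue
        if published is not None and published < since:
            continue
        missing.append((version, published))
    return sorted(missing, key=lambda item: item[1] or "")

# Constructed registry metadata and tag list for a fictional package.
SAMPLE_PACKUMENT = {
    "name": "demo-colors",
    "versions": {"1.0.0": {}, "5.3.0": {}, "5.4.0": {}, "5.4.1": {}},
    "time": {
        "created": "2019-01-01T00:00:00.000Z",
        "modified": "2026-01-15T13:16:00.000Z",
        "1.0.0": "2019-01-01T00:00:00.000Z",
        "5.3.0": "2025-06-01T10:00:00.000Z",
        "5.4.0": "2025-08-01T10:00:00.000Z",
        "5.4.1": "2026-01-15T13:16:00.000Z",
    },
}
SAMPLE_TAGS = ["v5.3.0", "demo-colors@5.4.0"]

if __name__ == "__main__":
    for version, published in untagged_releases(
            SAMPLE_PACKUMENT, SAMPLE_TAGS, since="2025-01-01T00:00:00.000Z"):
        print(f"{version} published {published} has no tag in the source repo")
```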
Treat CI/CD credentials as high-value targets. The entire TeamPCP campaign was built on stolen credentials. Rotate tokens aggressively. Scope permissions narrowly. Use short-lived tokens where possible.
Audit your security tools with the same rigor you audit your code. If Trivy has more access to your secrets than your application does, Trivy is a higher-value target than your application. Act accordingly.
Review binary artifacts, not just source. The LiteLLM .pth file and the Telnyx WAV-embedded payload are examples of attack vectors that source-level analysis will not find. This is where binary analysis and deep dependency inspection matter.
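To make the .pth vector inspectable, this added example (not code from LiteLLM or from any analysis of the incident) lists every line in a site-packages `.pth` file that Python's `site` module would execute at interpreter startup. The marker list and the sample files are constructed assumptions; legitimate packages also ship `import` lines in `.pth` files, so each finding needs review rather than automatic blocking.

```python
import tempfile
from pathlib import Path

# Heuristic markers (an assumption of this example, not taken from the incident).
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "compile(")

def executable_pth_lines(text):
    """Return (line_no, line) for lines site.py would exec() at startup."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        # site.py executes any line beginning with "import" plus space or tab;
        # other non-comment lines are only appended to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.rstrip()))
    return hits

def scan_site_dir(directory):
    """Scan one site-packages directory; return a list of finding dicts."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in executable_pth_lines(text):
            markers = [m for m in SUSPICIOUS if m in line]
            findings.append({"file": pth.name, "line": no, "code": line,
                             "severity": "high" if markers else "review",
                             "markers": markers})
    return findings

def demo():
    """Constructed sample files, written to a temp dir so the scan runs offline."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "paths_only.pth").write_text("# comment\n../vendored/lib\n")
        Path(d, "editable_hook.pth").write_text("import _demo_editable_finder\n")
        Path(d, "zz_startup.pth").write_text(
            "import base64; exec(base64.b64decode('cGFzcw=='))\n")  # decodes to "pass"
        return scan_site_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_site_dir` at each directory returned by `site.getsitepackages()` and `site.getusersitepackages()` in the environment under review.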
Conduct supply chain security assessments. Not once. Regularly. The threat is evolving faster than annual reviews can track. If your last supply chain assessment was before September 2025, it is already outdated.
The Hard Part
March 2026 made the implicit bargain of open source explicit: everyone depends on packages maintained by people they have never met, distributed through registries they do not control, built by pipelines they have never audited. That bargain worked for a long time because the incentives were mostly aligned.
They are not aligned anymore. Malware on open-source platforms increased 73% in 2025. Supply chain attacks doubled, with global losses reaching $60 billion. OWASP put Software Supply Chain Failures at A03 in its 2025 Top 10.
The EU Cyber Resilience Act’s vulnerability reporting obligations begin September 2026. That means organizations distributing software in Europe will need to report actively exploited vulnerabilities within 24 hours. If your supply chain is not instrumented to detect these attacks, you will not be able to comply.
We build the tools and run the assessments that help organizations understand what is actually in their software, how their supply chain can be subverted, and what to do before the next twelve days happen.
Because they will happen. The question is whether you find out from your monitoring or from CISA’s advisory.