PyPI, npm, and the New Frontline of Software Supply Chain Attacks

Written by

Jacob Mammoliti

Published on

April 3, 2026

Three months into 2026, four significant software supply chain attacks have already been disclosed.

The targets: Trivy, a widely used container scanner. LiteLLM, a PyPI package. Telnyx, with over one million monthly downloads. And Axios, a widely used npm package.

These are not obscure packages. They sit inside CI/CD pipelines, developer environments, and production systems across the open-source ecosystem.

Software supply chain attacks continue to increase in frequency and impact, targeting widely used open-source packages and developer tooling. The early months of 2026 show exactly how that plays out in practice.

The Pattern Across All Four

In each case, attackers did not create fake packages. They gained unauthorized access to trusted projects or maintainer accounts and introduced malicious code into official releases. The malicious versions appeared authentic because they moved through the same registries, GitHub releases, and CI/CD integrations that teams rely on every day.

Once distributed, the injected payloads executed automatically. They ran during installation, import, or pipeline execution. No unusual behavior. No user interaction required.

The objective in every case: credential theft. Cloud keys, SSH keys, Kubernetes secrets, and environment variables were consistently targeted.

In the LiteLLM compromise, cryptocurrency wallet files were also collected. In multiple incidents, stolen credentials were then used to publish additional malicious packages, propagating the attack further across ecosystems.

Four Incidents, One Underlying Problem

Trivy

v0.69.4 — GitHub Actions

CVE-2026-33634

Multi-phase attack by TeamPCP. Incomplete credential rotation allowed unauthorized access to persist. More than 60 npm packages affected.

LiteLLM

1.82.7 / 1.82.8 — PyPI

PyPI

Malicious .pth file executed automatically at Python interpreter startup. No explicit import required.

Telnyx

4.87.1 / 4.87.2 — PyPI

PyPI

Payload hidden inside WAV audio files using steganography. AES-256-CBC and RSA-4096 encryption. Exfiltrated via HTTP.

Axios

1.14.1 / 0.30.4 — npm

State actor

Maintainer account takeover. Cross-platform RAT deployed at install time. Attributed to a North Korean state-linked threat actor.

Trivy v0.69.4 — CVE-2026-33634 · CISA KEV

Between February 27 and March 22, 2026, the TeamPCP threat group carried out a multi-phase attack that also affected more than 60 npm packages. It began with unauthorized repository access that persisted due to incomplete credential rotation. Attackers pushed a malicious release through official channels, then force-pushed tags on trivy-action and setup-trivy. Existing version references in thousands of workflows silently resolved to attacker-controlled code. The compromise has since been formally assigned CVE-2026-33634 and added to CISA's Known Exploited Vulnerabilities catalog.

LiteLLM 1.82.7 / 1.82.8

Compromised across two consecutive PyPI versions. The first embedded malicious code in the proxy server module, executing on import. The second introduced a malicious .pth file that executed automatically at Python interpreter startup, requiring no explicit import. Both versions matched the real project's metadata and did not correspond to any official GitHub release.

Telnyx 4.87.1 / 4.87.2

Delivered payloads hidden inside WAV audio files using steganography. On Windows, the payload installed a persistent executable in the Startup folder. On Linux and macOS, it collected sensitive data, encrypted it using AES-256-CBC and RSA-4096, and exfiltrated it via HTTP. With over one million monthly downloads, this was a high-impact compromise.

Axios 1.14.1 / 0.30.4

Compromised through a maintainer account takeover. Attackers pushed two unauthorized releases directly to npm. Those releases introduced a malicious dependency that connected to an external command-and-control server during installation. It then deployed a cross-platform remote access trojan across macOS, Windows, and Linux. Any environment that ran a standard install while those versions were live executed the payload automatically. Google Cloud Threat Intelligence, Microsoft, and Mandiant have since attributed this attack to a North Korean state-linked threat actor.

Why Security Tooling Is Now a Target

The Trivy compromise stands out for one specific reason.

Trivy is a security scanner. It runs inside CI pipelines specifically to find vulnerabilities. In early 2026, it was used as the delivery mechanism for credential-stealing malware across thousands of workflows.

The tools teams use to check for risk are not automatically exempt from it.

A scanner running with access to CI secrets is a high-value target. If it is not version-pinned, not monitored, and not isolated from production credentials, it is an exposure. Scanners should be treated like any other software dependency in the pipeline.

What These Incidents Require

These incidents highlight that preventing supply chain attacks requires both dependency hygiene and strong CI/CD security controls. The following practices help reduce exposure and limit the impact of compromised packages.

Prevention framework

Pin package versions and use immutable references

Use lockfiles everywhere. Never run pip install or npm install without a pinned version in CI. Most of these attacks succeeded because pipelines pulled the latest version. Where possible, reference SHAs rather than tags. Tags can be mutable. SHAs are immutable.

Rotate credentials atomically

When rotating after a breach, revoke all credentials simultaneously. Sequential rotation leaves a window attackers can capture. The Trivy attack persisted specifically because of incomplete credential rotation.

Restrict egress from CI/CD runners

Every attack in this set exfiltrated data over the network. Restricting outbound connections from runners to an allowlist stops data from leaving even if a malicious payload executes.

Apply least privilege to service account tokens

Scope service account PATs to the minimum repositories and permissions required.

Treat security tooling as attack surface

Scanners should be version-pinned and monitored like any other software. Their steps should be isolated from production credentials.

How RapidFort Is Addressing This

For over five years, RapidFort has focused on delivering clean, production-ready container images built on well-known Linux distributions, reducing risk across both OS and application layers. By building from source, RapidFort is able to remediate vulnerabilities not only in base OS packages but also in embedded language dependencies within third-party images, providing a more comprehensive approach to CVE reduction.

Beyond images, RapidFort provides a platform that enables organizations to scan, profile, and harden their workloads, helping teams understand and minimize their attack surface without disrupting existing development workflows.

As supply chain attacks increasingly target language ecosystems such as npm, PyPI, and Maven, RapidFort is expanding its approach to address this growing risk. Upcoming capabilities will extend package-level support, enabling customers to consume vetted and scanned language dependencies through RapidFort rather than pulling directly from a package repository. This adds an additional layer of trust and control to the software supply chain.

Subscribe to newsletter

Subscribe to receive the latest blog posts to your inbox every week.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.