Your developers work for cyber gangs

Well, not deliberately. But if they’re building software with open-source components, there’s a chance that what they shipped last month included code placed there by criminals. And neither they nor you may know.

If your organisation builds or customises software (and almost every organisation does, even if it’s just internal tooling, integrations or automation), you are consuming open-source components. Your developers pull packages from public registries like npm and PyPI every time they run a build. Those packages have dependencies of their own. Those dependencies have dependencies. The tree goes deep.

In March 2026, three separate campaigns demonstrated what happens when that tree is poisoned at the root. The result: over 1,000 compromised cloud environments, credential-stealing malware distributed through trusted developer tools, a North Korean state actor hijacking the most popular HTTP client in the JavaScript ecosystem, and an unknown number of organisations that shipped production code containing attacker-placed components without ever knowing it.

This isn’t a developer problem. It’s a corporate risk problem.

What happened in March 2026

Three concurrent campaigns targeted the open-source software supply chain during March 2026, each using different techniques but achieving similar outcomes.

TeamPCP exploited credentials that survived an incomplete rotation following an earlier breach of Aqua Security’s Trivy (exploited by an automated bot, hackerbot-claw), a vulnerability scanner used in CI/CD pipelines worldwide. That residual access gave them the foothold they needed. From there, they compromised the scanner itself, Checkmarx’s GitHub Actions, and the LiteLLM AI gateway library (present in approximately 36% of monitored cloud environments, according to Wiz). Each compromise yielded the credentials needed to execute the next, spanning five ecosystems in six days. Mandiant Consulting CTO Charles Carmakal reported over 1,000 compromised cloud environments, with estimates that the number could reach 10,000.

GlassWorm took a different approach, force-pushing invisible Unicode payloads into 433 components across GitHub repositories, npm packages and VS Code extensions. The injected code was literally invisible in code editors and terminals. Researchers assessed that the attackers likely used large language models to generate contextually appropriate cover commits for each target project, blending malicious changes in with realistic documentation tweaks and minor refactors.

And then, on 31 March, a third campaign struck the npm ecosystem independently. A North Korean state attacker (tracked by Google as UNC1069 and by Microsoft as Sapphire Sleet) hijacked the maintainer account for axios, the most popular JavaScript HTTP client with over 100 million weekly npm downloads. The attacker published two backdoored versions containing a cross-platform Remote Access Trojan (RAT). The malicious versions were live for approximately three hours before being removed, but any environment that pulled them during that window was compromised. Google and Microsoft have both confirmed this attack is unrelated to TeamPCP.

TeamPCP and Glassworm independently adopted blockchain-based command-and-control (C2) infrastructure (Solana and ICP respectively). This infrastructure cannot be shut down through conventional domain seizure or hosting provider takedowns, because the C2 instructions are stored on immutable, globally distributed ledgers with no single point of control. The technical details of each incident are well documented in the references at the end of this post.

What matters for this discussion is the corporate risk they expose.

This isn't a developer issue. It's a corporate risk problem!

But you will need to understand a little about how your devs work, to get a handle on the risk.

When your development team runs npm install or pip install, they aren’t just installing the package they asked for. They’re installing that package’s entire dependency tree, which can run to hundreds of packages, each maintained by different individuals and organisations, each with their own security posture (or lack of one).

The axios compromise illustrates this perfectly. axios is a foundational HTTP client library used by a vast range of JavaScript projects. It’s a dependency of developer tools, application frameworks, and AI coding assistants alike. Anyone who installed or updated any npm package that transitively depended on axios during a roughly three-hour window on 31 March 2026 may have pulled in a version containing a remote access trojan. Incident responders at Huntress found the malware had propagated through dependency chains into unexpected places, including deeply nested WordPress modules.

This has a specific implication for organisations using AI-assisted development tools. If your developers use tools like Claude Code, Cursor, Copilot or similar AI coding assistants that are distributed via npm, those tools themselves are part of the dependency tree and therefore part of the attack surface. Anthropic confirmed that developers who installed or updated Claude Code via npm during the axios compromise window may have pulled in the malicious version. The recommended mitigation was to move away from npm-based installation entirely.

The uncomfortable reality for CIOs and risk officers is this: your organisation may have built and deployed production software during March 2026 that contains attacker-placed code. If your CI/CD pipeline ran without lockfiles, without pinned dependencies, and without suppressed install scripts, the malware executed silently during the build process, stole whatever credentials were available, cleaned up after itself, and left no trace in standard audit tools.

Why blockchain-based C2 makes this harder to contain

Two of the three campaigns summarised above used blockchain networks for command-and-control, and this represents a meaningful shift in the threat landscape that deserves specific attention.

Traditional malware C2 relies on domains and/or IP addresses. When defenders identify a malicious C2 server, they can seize the domain, issue a takedown to the hosting provider, or block the IP at the network perimeter. This works because domains and servers have identifiable owners and jurisdictional levers.

Blockchain-based C2 removes those levers. When an attacker writes instructions into a Solana transaction memo or deploys a payload to an ICP canister, that data becomes part of an immutable, globally distributed ledger. There is no registrar to contact, no hosting provider to compel, and no single server to block. GlassWorm’s malware polled a Solana wallet address every five seconds, reading updated C2 instructions from transaction memo fields. The attacker could update the payload URL at any time with a new transaction costing fractions of a cent.

For defenders, blocking outbound connections to known blockchain RPC endpoints at the network perimeter is now a relevant control, alongside traditional domain and IP-based blocking. For risk officers, the implication is that the window between compromise and effective containment is growing, because the attacker’s infrastructure will outlast the incident response.

What this means for your risk management program

The defensive measures for supply chain attacks fall into two categories: preventing compromised code from entering your environment, and detecting it quickly when prevention fails.

Before deployment: test what you’re about to ship

If your organisation is building or customising software, the integrity of your build pipeline is now a first-order security concern. This means your penetration testing programme should extend beyond the traditional scope of “test the running application” to include the CI/CD pipeline itself.

Specific areas to assess include whether GitHub Actions and build workflows reference dependencies by immutable SHA hashes or by mutable version tags that an attacker can redirect; whether npm postinstall hooks and similar lifecycle scripts are suppressed in automated builds; whether secrets injected into CI/CD runners are scoped to the minimum necessary and use short-lived credentials; whether your pipeline validates publishing provenance (such as OIDC attestations) for critical dependencies; and whether you maintain a Software Bill Of Materials (SBOM) that would let you answer the question “are we running axios 1.14.1 anywhere?” within minutes rather than days.

If you haven’t tested these controls, you don’t know whether they work. A targeted security assessment of your build and deployment pipeline is one of the most cost-effective ways to identify supply chain exposure before it becomes a breach.

After deployment: know when something is wrong

Prevention will not catch everything. The axios malware was live for roughly three hours, the LiteLLM compromise for a similar window. In both cases, the malicious packages were removed from registries relatively quickly, but any environment that pulled them during that window was compromised.

This is where detection capability matters. A properly configured SIEM with visibility across your endpoints, network egress and CI/CD infrastructure gives you the ability to identify indicators of compromise after the fact: unexpected outbound connections from build runners, anomalous process execution during package installation, or credential access patterns that don’t match normal developer activity.

The axios RAT, for example, made outbound connections to sfrclak.com on port 8000 within seconds of installation. GlassWorm’s malware polled Solana RPC endpoints at regular intervals. Both of these are detectable network behaviours, but only if you’re watching for them.

Without SIEM coverage of your development and build infrastructure (not just production), a supply chain compromise can persist undetected for weeks or months while the attacker uses stolen credentials to move laterally through your environment.

The bigger picture

The attack patterns demonstrated in March 2026 are not new individually. Tag poisoning, credential theft via CI/CD, and dependency confusion have all been documented before. What’s new is the scale, the coordination, and the convergence of multiple techniques into self-reinforcing campaigns where each compromise provides the credentials needed to execute the next.

TeamPCP’s operation spanned five ecosystems in a single coordinated campaign. GlassWorm compromised 433 components using AI-assisted automation. And a North Korean group turned the most widely used HTTP client in the JavaScript ecosystem into a dirty RAT delivery vehicle. All three campaigns adopted techniques that resist the takedown mechanisms defenders have relied on for decades.

For organisations that build software, the question is no longer whether your dependency tree contains risk. It does. The question is whether you have the visibility to know when that risk materialises, and the controls to contain it before it reaches production.

dotSec helps Australian organisations assess and manage software supply chain risk through penetration testing that extends to CI/CD pipelines and build infrastructure, managed SOC and SIEM services that provide detection coverage across development and production environments, and governance and compliance services that help you build supply chain risk into your security programme. If you’d like to discuss your organisation’s exposure, get in touch.

References

Wiz Research, “Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack,” 20 March 2026. https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
StepSecurity, “axios Compromised on npm: Malicious Versions Drop Remote Access Trojan,” 30 March 2026. https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
The Register, “1K+ cloud environments infected following Trivy supply chain attack,” 24 March 2026. https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following
iTnews, “TeamPCP hackers deface Aqua Security’s internal GitHub,” 24 March 2026. https://www.itnews.com.au/news/teampcp-hackers-deface-aqua-securitys-internal-github-624527
LiteLLM, “Security Update: Suspected Supply Chain Incident,” 24 March 2026. https://docs.litellm.ai/blog/security-update-march-2026
Snyk, “How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM,” March 2026. https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/
Trend Micro, “Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise,” 26 March 2026. https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html
Huntress, “Supply Chain Compromise of axios npm Package,” March 2026. https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
SANS Institute, “Axios NPM Supply Chain Compromise: Malicious Packages Deliver Remote Access Trojan,” March 2026. https://www.sans.org/blog/axios-npm-supply-chain-compromise-malicious-packages-remote-access-trojan
VentureBeat, “Claude Code’s source code appears to have leaked: here’s what we know,” March 2026. https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know
Aikido Security, “Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories,” March 2026. https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
BleepingComputer, “GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX,” March 2026. https://www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/
Cloud Security Alliance, “GlassWorm Returns: Developer Toolchain Worm Expands to GitHub and npm,” March 2026. https://labs.cloudsecurityalliance.org/research/csa-research-note-glassworm-supply-chain-developer-toolchain/
Palo Alto Networks, “When Security Scanners Become the Weapon: Breaking Down the Trivy Supply Chain Attack,” March 2026. https://www.paloaltonetworks.com/blog/cloud-security/trivy-supply-chain-attack/
Kaspersky, “Trojanization of Trivy, Checkmarx, and LiteLLM solutions,” March 2026. https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/
Malwarebytes, “Axios supply chain attack chops away at npm trust,” 31 March 2026. https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust
GitHub Blog, “Strengthening supply chain security: Preparing for the next malware campaign,” December 2025. https://github.blog/security/supply-chain-security/strengthening-supply-chain-security-preparing-for-the-next-malware-campaign/
Google Threat Intelligence Group, “North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack,” https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package
Microsoft Security Blog, “Mitigating the Axios npm supply chain compromise,” https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/

Premier australian cyber security specialists

ISO 27001 consulting

Practical and experienced Australian ISO 27001 and ISMS consulting services. We will help you to establish, implement and maintain an effective information security management system (ISMS).

Penetration tests

DotSec’s penetration tests are conducted by experienced, Australian testers who understand real-world attacks and secure-system development. Clear, actionable recommendations, every time.

PCI DSS

dotSec stands out among other PCI DSS companies in Australia: We are not only a PCI QSA company, we are a PCI DSS-compliant service provider so we have first-hand compliance experience.

WAF and app-sec

Web Application Firewalls (WAFs) are critical for protecting web applications and services, by inspecting and filtering out malicious requests before they reach your web servers. Web page or API, a WAF is your first defence.

Identity management

Multi-Factor Authentication (MFA) and Single Sign-On (SSO) reduce password risks, simplify access, letting verified and authorised users reach sensitive systems, services and apps.

Vulnerability management

dotSec provides comprehensive vulnerability management services. As part of this service, we analyse findings in the context of your specific environment, priorities and threat landscape.

Phishing and soc eng

We don’t just test whether users will click a suspicious link — we also run exercises, simulating phishing attacks that are capable of bypassing multi-factor authentication (MFA) protections.

Penetration testing

DotSec’s penetration testing services help you identify and reduce technical security risks across your applications, cloud services and internal networks. Clear, actionable recommendations, every time!

Managed SOC/SIEM

dotSec has provided Australian managed SOC, SIEM and EDR services for 15 years. PCI DSS-compliant and ISO 27001-certified. Advanced log analytics, threat detection and expert investigation services.

Secure configuration

We provide prioritised, practical guidance on how to implement secure configurations properly. Choose from automated deployment via Intune for Windows, Ansible for Linux or Cloud Formation for AWS.

Secure cloud hosting

Secure web hosting is fundamental to protecting online assets and customer data. We have over a decade of AWS experience providing highly secure, scalable, and reliable cloud infrastructure.

Essential eight

DotSec helps organisations to benefit from the ACSC Essential Eight by assessing maturity levels, applying practical security controls, assessing compliance, and improving resilience against attacks.

CIS 18 Critical Controls

Evaluation against the CIS 18 Controls establishes a clear baseline for stakeholders, supporting evidence-based planning, budgeting, maturity-improvement and compliance decisions

Advisory services

We have over 25 years of cyber security experience, providing practical risk-based guidance, advisory and CISO services to a wide range of public and private organisations across Australia.