Software Supply Chain Attacks 2025–2026: The 2025–2026 Complete Breakdown
From the Axios npm RAT to the TeamPCP cross-platform campaign: supply chain attacks reached unprecedented scale in 2025–2026, spanning npm, PyPI, GitHub Actions, and container registries simultaneously. This article documents every major incident, explains how each attack worked, and outlines what security teams can do to detect and remediate automatically.
TL;DR
- Supply chain attacks now regularly expose billions of weekly downloads to malware, RATs, and secret-stealing code
- Attackers target npm maintainer accounts, confuse package registries, and publish infected versions of trusted libraries
- Traditional security scanning misses these attacks because the malicious code is inside legitimate, widely-used packages
- Automated dependency monitoring and auto-patching (not manual review) is the only realistic defence at scale
Contents
- What is a software supply chain attack?
- Axios npm RAT — March 2026
- Shai-Hulud Worm — September 2025
- Chalk / Debug Compromise — September 2025
- Nx / s1ngularity Attack — August 2025
- TeamPCP Campaign — March 2026 (ongoing)
- Common attack vectors and how they work
- How to detect supply chain attacks
- Automated remediation: the only scalable defence
- Security team checklist
What is a software supply chain attack?
A software supply chain attack targets the components, libraries, build tools, or vendors that your code depends on, rather than attacking your systems directly. Instead of breaking through your firewall, attackers compromise something you trust and install every time you run npm install.
The technique is devastatingly effective because security teams rarely scrutinise the internals of packages they depend on. A developer adding chalk to colorise terminal output is not going to audit 50,000 lines of transitive dependency code. Attackers know this.
Supply chain attacks can be executed several ways: compromising a maintainer's npm account via phishing, publishing a malicious package with a name similar to a popular one (typosquatting), injecting malicious code into a build pipeline, or exploiting a dependency confusion vulnerability in private registries. In 2025–2026, all of these vectors were actively exploited at scale.
Axios npm RAT — March 2026
Reported by: npm security team and community researchers via GitHub advisories
Axios Remote Access Trojan
- Packages affected: axios@1.14.1, axios@0.30.4
- Attack vector: Compromised npm publish credentials
- Impact: Cross-platform RAT distributed via trusted package
Malicious versions 1.14.1 and 0.30.4 of Axios (one of the most widely-used HTTP client libraries with over 100 million weekly downloads) were published to npm containing a cross-platform remote access trojan. The malicious versions were available for approximately three hours before being identified and removed. Any project that ran npm install during that window may have installed the compromised version. The RAT was capable of establishing persistent remote access, exfiltrating data, and executing arbitrary commands on affected systems. Given the ubiquity of Axios in both frontend and backend JavaScript applications, the potential exposure was enormous.
What to check immediately:
Audit your package-lock.json and yarn.lock files for axios versions 1.14.1 or 0.30.4. If found, update to axios@1.7.9 or later (1.x) or axios@0.28.1 or later (0.x). Check deployment logs from March 31, 2026 for any unusual network connections or process spawning.
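The lockfile audit described above, as an added example (not from the original article or any vendor tool): it walks a parsed package-lock.json in both the nested v1 layout and the flat v2/v3 layout and reports every pinned copy of the two Axios versions named here, including transitive copies. The helper names and sample lockfiles are constructed for illustration; yarn.lock uses a different format and is not covered.

```javascript
// Added example. Versions come from the Axios section of this article.
const COMPROMISED = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Walk a parsed package-lock.json and return every pinned copy of a
// listed version, including nested and transitive copies.
function findCompromised(lock, badVersions = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = badVersions.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project itself
      check(entry.name || nameFromPath(key), entry.version, key);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry.version, [...trail, name].join(" > "));
        walk(entry.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed samples; in practice pass the parsed package-lock.json.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.7.9" },
    "legacy-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};
console.log(findCompromised(SAMPLE_V3), findCompromised(SAMPLE_V1));
```

A hit on a nested path means a transitive dependency pinned the bad version, so checking package.json alone would not find it.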
Shai-Hulud Worm — September 2025
Analysis by: Trend Micro, Sonatype
Shai-Hulud Self-Propagating Supply Chain Worm
- Packages affected: 500+ npm packages (initial: ~180, grew to 500+)
- Attack vector: Worm propagation via stolen npm credentials and auto-republish
- Impact: Cloud secret exfiltration, credential theft, registry poisoning
The Shai-Hulud worm represented a new category of supply chain attack: a self-propagating worm that targeted the npm ecosystem specifically. Once it compromised an initial set of packages, it extracted maintainer credentials from the environment, used them to publish new infected versions of additional packages, and so on recursively. The worm was designed primarily to steal cloud credentials (AWS, GCP, Azure tokens), CI/CD pipeline secrets, and environment variables from any system that installed affected packages. Within a short period, it spread from approximately 180 initial packages to over 500, each republishing infected versions that continued the chain.
Indicators of compromise:
- Unexpected outbound connections to unknown endpoints from CI/CD runners
- Cloud credential usage from unusual IPs or regions
- npm publish events in your pipeline you did not initiate
- New versions of your own packages appearing in the registry without a corresponding release
Chalk / Debug Compromise — September 2025
Discovered by: Aikido Security · Analysis: Wiz, Sonatype, Semgrep, ArmorCode, Vercel
Chalk, Debug, DuckDB and 25+ Other Packages — Crypto Wallet Drainer
- Packages affected: chalk, debug, ansi-styles, strip-ansi, supports-color, duckdb, and 21+ others (27+ total confirmed)
- Attack vector: Maintainer phishing via fake domain npmjs.help — TOTP bypass, account takeover in minutes
- Impact: Browser-side crypto wallet drainer silently redirecting transactions using Levenshtein address spoofing
On September 8, 2025, attackers registered npmjs.help to impersonate npm support and phished Josh Junon (alias qix), maintainer of chalk. Within 16 minutes of account takeover, malicious versions of 18 packages were published. The payload was a browser-side crypto wallet drainer hooking fetch(), XMLHttpRequest, and window.ethereum to intercept transactions and rewrite wallet destinations using Levenshtein distance matching — making spoofed addresses visually indistinguishable. A second maintainer account was also compromised, adding duckdb packages. Detected by Aikido Security at 13:15 UTC. Malicious versions were live for approximately 2 hours. 27+ packages ultimately confirmed compromised.
Affected packages included:
chalk · debug · ansi-styles · strip-ansi · supports-color · color-convert · color-string · color-name · ansi-regex · wrap-ansi · has-ansi · slice-ansi · duckdb · duckdb-wasm · and 13+ others. Full list: npm advisory database.
Nx / s1ngularity Attack — August 2025
Reported by: Upwind Security
Nx Monorepo Tool and s1ngularity Compromise
- Packages affected: @nx/* packages, s1ngularity
- Attack vector: Build tool compromise targeting enterprise monorepo pipelines
- Impact: CI/CD pipeline infiltration, source code exfiltration risk
The Nx attack targeted enterprise development teams using the Nx monorepo build tool. Attackers compromised packages in the @nx scope, embedding malicious code designed to exfiltrate source code and CI/CD secrets from enterprise build pipelines. The s1ngularity package, a dependency in several popular development tool chains, was also compromised simultaneously. This attack was particularly sophisticated because it targeted build-time rather than runtime, meaning the malicious code executed during development and CI/CD processes rather than in production, making it harder to detect with traditional runtime monitoring.
Enterprise risk profile:
If your organisation uses Nx for monorepo management, audit your lock files for affected @nx versions from August 2025. Review CI/CD pipeline logs for unexpected file access patterns or outbound data transfer during build phases.
TeamPCP Campaign — March 2026 (ongoing)
Discovered and reported by: Datadog Security Labs, Aikido Security, Wiz, StepSecurity
TeamPCP: Multi-Stage Cross-Platform Supply Chain Campaign
- Packages affected: trivy, litellm, telnyx (PyPI); 40+ npm packages; Checkmarx KICS GitHub Action; OpenVSX extensions
- Attack vector: Stolen credentials, self-propagating worm, GitHub Actions compromise
- Impact: Full credential exfiltration, Kubernetes destruction on Iranian targets, persistent backdoors
TeamPCP is a coordinated, multi-stage supply chain campaign that moved systematically across ecosystems in March 2026. Starting with stolen credentials on March 19, the threat actor compromised the Trivy container security scanner (used by millions of CI/CD pipelines), then deployed a self-propagating npm worm across 40+ packages, then pivoted to Checkmarx KICS and OpenVSX extensions, and finally reached PyPI with backdoored releases of LiteLLM and Telnyx. Each stage harvested credentials from the environment to fund the next compromise.
Campaign timeline
Trivy compromised
Aqua Security
Stolen credentials used to publish malicious trivy v0.69.4 and force-push 76 GitHub Action tags. Release machinery propagated the compromise to GHCR, Docker Hub, ECR Public, deb/rpm packages, and get.trivy.dev. Malicious actions dumped CI runner memory, scraped credentials, and exfiltrated via a lookalike domain.
Disclosed by Aqua Security, analysed by StepSecurity
CanisterWorm deploys across npm
Multiple publishers
A self-propagating npm worm spread across 40+ packages across multiple publisher scopes including @EmilGroup (28 packages), @opengov (16 packages), and others. The worm stole npm tokens from infected environments, resolved which packages each token could publish, bumped patch versions, and republished with malicious payloads. A Kubernetes-targeting script simultaneously deployed destructive payloads on Iranian systems and persistent backdoors elsewhere.
Discovered by Aikido Security
Checkmarx KICS and OpenVSX
Checkmarx / Eclipse
The same credential-theft pattern reached Checkmarx KICS GitHub Actions and two OpenVSX VS Code extensions. The KICS payload used a stealer tied to a lookalike domain, falling back to creating a public repository with the victim GITHUB_TOKEN to exfiltrate data.
Discovered by Wiz
LiteLLM backdoored on PyPI
LiteLLM
litellm 1.82.7 and 1.82.8 published with malicious payload. The malware collected environment variables, SSH keys, cloud credentials, Kubernetes configs, Docker configs, shell history, database credentials, wallet files, and CI/CD secrets, encrypted them locally, and exfiltrated. PyPI quarantined the project after discovery.
Discovered by Datadog Security Labs
Telnyx backdoored on PyPI
Telnyx
telnyx 4.87.1 and 4.87.2 backdoored with the same credential exfiltration payload. Any host or CI job that installed these versions should be treated as a full credential exposure event.
Reported by Datadog Security Labs
If you installed any affected packages:
Treat it as a full credential exposure event. Rotate all secrets, cloud credentials, SSH keys, and tokens present in that environment. Review CI/CD pipeline logs for unexpected outbound connections. Check for Kubernetes DaemonSet deployments you did not authorise. Do not rely on package removal alone.
Common attack vectors: how supply chain attacks work
Account takeover via phishing
Attackers phish npm maintainer credentials, then use the legitimate account to publish a new malicious version. This is how Chalk/Debug was compromised. The published version looks legitimate because it comes from the real maintainer account.
Dependency confusion
Attacker publishes a public package with the same name as a company's private internal package. npm's registry resolution may fetch the public malicious one instead of the private legitimate one. Particularly dangerous in enterprise environments with private registries.
Typosquatting
Publishing packages with names nearly identical to popular ones (e.g., "chal" instead of "chalk", "axois" instead of "axios"). Developers who mistype the package name install the malicious version.
Worm propagation
Like Shai-Hulud, the malware extracts credentials from the infected environment and uses them to publish new infected versions of other packages, spreading autonomously across the registry.
Malicious maintainer
An existing or newly accepted maintainer introduces malicious code gradually over time, or in a single release. Sometimes executed by a compromised package author who sells maintainer rights to bad actors.
Build tool injection
Compromising build tools (like the Nx attack) means the malicious code runs during CI/CD, before the software even reaches production. Traditional runtime security completely misses this.
How to detect supply chain attacks
Traditional vulnerability scanning checks your code against a database of known CVEs. It cannot detect a newly published malicious package version that was not in the database when the scan ran. Supply chain defence requires a different approach.
Continuous dependency monitoring
Monitor your dependency manifests against live feeds (npm advisories, OSV, and the GitHub Advisory Database) in real time, not on a nightly batch schedule. The Axios attack window was three hours. A nightly scan would have missed it entirely.
Version anomaly detection
Monitor for unexpected version bumps in your lockfiles, especially patch versions of stable packages. A package like chalk releasing a new version with no corresponding GitHub release or changelog is a strong signal of compromise.
Behavioral analysis in CI/CD
Monitor CI/CD pipelines for unexpected network connections, file system access outside the build directory, or environment variable access by build scripts. This catches build-time attacks like Nx that traditional runtime monitoring misses.
Lockfile integrity verification
Verify that your package-lock.json or yarn.lock is committed and matches exactly what was audited. Attackers sometimes modify lockfiles directly to pin a malicious version without changing package.json.
Provenance and signing verification
npm now supports package provenance: cryptographic proof that a package was built from a specific git commit on a specific CI system. Enable provenance verification where possible and treat unsigned packages as higher risk.
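One way to implement the version anomaly and lockfile integrity checks described above, as an added example (not the article's or any vendor's code): it compares a reviewed baseline lockfile with the one about to be installed and classifies patch bumps, integrity changes on an unchanged version, and packages resolved from hosts outside an allowlist. Package names, hosts, and integrity strings in the sample data are hypothetical placeholders.

```javascript
// Host part of a lockfile "resolved" URL, or null if it does not parse.
function hostOf(resolved) {
  try { return new URL(resolved).host; } catch { return null; }
}

// True when only the patch component differs (same major.minor).
function isPatchBump(from, to) {
  const [a, b] = [from, to].map((v) => v.split(".").slice(0, 2).join("."));
  return a === b;
}

// Compare a reviewed baseline lockfile with the one about to be
// installed (both parsed, lockfileVersion 2 or 3) and classify changes.
function diffLockfiles(baseline, candidate, trustedHosts) {
  const findings = [];
  const before = baseline.packages || {};
  for (const [path, entry] of Object.entries(candidate.packages || {})) {
    if (path === "" || entry.link) continue; // root project, workspace links
    const old = before[path];
    if (entry.resolved && !trustedHosts.includes(hostOf(entry.resolved))) {
      findings.push({ path, type: "untrusted-source", detail: entry.resolved });
    }
    if (!old) {
      findings.push({ path, type: "added", detail: entry.version });
    } else if (old.version !== entry.version) {
      const type = isPatchBump(old.version, entry.version) ? "patch-bump" : "version-changed";
      findings.push({ path, type, detail: `${old.version} -> ${entry.version}` });
    } else if (old.integrity !== entry.integrity) {
      // Same version, different hash: the npm registry does not let a
      // version be republished, so the lockfile or its source changed.
      findings.push({ path, type: "integrity-changed", detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample data; names and integrity values are placeholders.
const npm = "https://registry.npmjs.org";
const BASELINE = { lockfileVersion: 3, packages: {
  "node_modules/example-colors": { version: "5.3.0", resolved: `${npm}/example-colors/-/example-colors-5.3.0.tgz`, integrity: "sha512-PLACEHOLDER-A" },
  "node_modules/example-logger": { version: "4.3.4", resolved: `${npm}/example-logger/-/example-logger-4.3.4.tgz`, integrity: "sha512-PLACEHOLDER-B" },
} };
const CANDIDATE = { lockfileVersion: 3, packages: {
  "node_modules/example-colors": { version: "5.3.1", resolved: `${npm}/example-colors/-/example-colors-5.3.1.tgz`, integrity: "sha512-PLACEHOLDER-C" },
  "node_modules/example-logger": { version: "4.3.4", resolved: `${npm}/example-logger/-/example-logger-4.3.4.tgz`, integrity: "sha512-PLACEHOLDER-D" },
  "node_modules/example-build-helper": { version: "1.0.0", resolved: "https://pkgs.example.net/example-build-helper-1.0.0.tgz", integrity: "sha512-PLACEHOLDER-E" },
} };
console.log(diffLockfiles(BASELINE, CANDIDATE, ["registry.npmjs.org"]));
```

A patch bump is not malicious by itself; the finding is a prompt to confirm that the new version has a matching upstream release before the lockfile change is merged.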
Automated remediation: the only scalable defence
The Axios attack lasted three hours. The Shai-Hulud worm spread to 500+ packages. The Chalk/Debug compromise exposed 2 billion weekly downloads. At this scale and speed, manual triage and patching is not a viable defence strategy. By the time a security engineer has investigated, triaged, and manually updated the package across all affected services, the damage may already be done.
The only realistic defence is automated detection and patching that operates continuously and acts in minutes, not days.
How CyberArmy AutoFix handles supply chain attacks
Continuous scanning
AutoFix monitors your dependency tree across all repositories against live threat intelligence including npm advisories, OSV, and CVE feeds, in real time.
Compromise detection
Detects version anomalies, unexpected republications, and behavioral signatures of newly compromised packages within minutes of their appearance.
Auto-patch generation
Automatically generates a pinned upgrade to the safe version, creates a pull request with full explanation, and requires human review before merge.
Prod-clone verification
Tests the patch in an isolated production clone before any change reaches your real environment. Instant rollback if tests fail.
CI/CD pipeline protection
Monitors build pipelines for supply chain attack indicators: unexpected network calls, environment variable access, and unusual file operations.
Full audit trail
Every detection, patch, and deployment logged with timestamps for SOC 2, PCI-DSS, and compliance evidence.
Security team checklist
If you are reviewing your supply chain security posture after reading this, here is a prioritised action list:
- Audit lockfiles for Axios 1.14.1/0.30.4, affected chalk/debug versions (Sept 2025), and @nx packages from August 2025.
- Check deployment and CI/CD logs from March–September 2025 for unusual outbound connections, unexpected process spawning, or credential usage from unknown IPs.
- Enable npm provenance verification on all internal packages and CI/CD pipelines.
- Configure lockfile integrity checks in your CI pipeline. Build should fail if lockfile differs from what was committed.
- Implement continuous dependency monitoring against OSV and npm advisory feeds. Real-time, not nightly batch.
- Review and rotate all secrets and cloud credentials that were present in CI/CD environments during the Shai-Hulud window (August–September 2025).
- Automate dependency patching with human review gates. Manual patching cannot keep pace with the speed of supply chain attacks.
- Monitor for package version anomalies. Set automated alerts when a stable dependency publishes an unexpected new version.
Research credits
This article draws on original research and disclosures from the security community. We credit each team below and encourage you to read their full reports.
Nick Frichette, Sebastian Obregoso, Christophe Tafani-Dereeper, Emile Spir
Full investigation of the TeamPCP campaign including LiteLLM, Telnyx, and cross-ecosystem attribution.
StepSecurity Research
Technical analysis of the Trivy v0.69.4 malicious release and exfiltration mechanism.
Aqua Security Team
Disclosed the Trivy compromise and GitHub advisory for affected versions.
Aikido Security Research
First to detect the Chalk/Debug npm attack at 13:15 UTC on September 8, 2025. Also discovered the TeamPCP CanisterWorm npm propagation.
Jeffrey Francis Bonaobra, Joshua Aquino
Detailed technical analysis of the Shai-Hulud worm, including its GitHub Actions propagation mechanism and Cryptohijacker payload.
Sonatype Security Research Team
Tracked additional compromised packages including duckdb across multiple incidents, and maintains the open source vulnerability timeline.
Semgrep Supply Chain Team
Published open-source detection rules for all compromised Chalk/Debug package versions, available to the entire community.
ArmorCode Research
Comprehensive analysis of the September 2025 npm attack scale, confirming 200+ compromised packages and the Levenshtein wallet-address spoofing technique.
Hila Ramati, Gal Benmocha, Danielle Aminov
Cloud environment telemetry and impact analysis of Chalk/Debug, and disclosure of the Checkmarx KICS GitHub Action compromise (TeamPCP).
Vercel Security Team
Transparent incident response report identifying 70 affected teams, purging build caches, and notifying impacted customers within hours.
npm and PyPI security teams
Registry-level quarantine and removal of compromised packages across multiple incidents.
Published by Cyber Army Security Team · 2026-04-03
