Software supply chain attacks in 2025–2026: notes on what happened
A rundown of the big software supply chain incidents from 2025 into early 2026 — Axios, Shai-Hulud, Chalk/Debug, Nx, and the TeamPCP campaign — with what we know about how each one worked and what to do about it.
The last twelve months were unusually loud for supply chain attacks. Five or six different campaigns crossed the threshold from "interesting research write-up" to "you should care because your stack probably runs this code." Axios, Shai-Hulud, Chalk/Debug, Nx/s1ngularity, and TeamPCP all hit during this window, across npm, PyPI, GitHub Actions, and container registries.
This is a notebook-style summary of each one — what happened, who found it, and what to actually do — pulled together from the public disclosures by the researchers who did the work. Links to the original write-ups are inline and in the credits at the bottom.
A quick recap of what a supply chain attack is
A software supply chain attack goes after the components, libraries, build tools, or vendors your code depends on, instead of attacking your systems directly. Rather than breaking through your firewall, the attacker compromises something you trust and install every time you run npm install.
It works because nobody audits dependencies they pull in. A developer adding chalk to colorize terminal output isn't going to read 50,000 lines of transitive dependency code. Attackers know this, and they go after the part of the tree that's most-used and least-scrutinized.
The mechanics vary. Phishing a maintainer's npm account. Typosquatting. Slipping malicious code into a build pipeline. Dependency confusion in private registries. All five of those vectors were used at scale in the incidents below.
Axios npm RAT — March 2026
Reported by the npm security team and community researchers via GitHub advisories.
Axios Remote Access Trojan
- Packages: axios@1.14.1, axios@0.30.4
- Vector: Compromised npm publish credentials
- Impact: Cross-platform RAT in a trusted package
Malicious versions of Axios (one of the most-installed HTTP client libraries, >100M weekly downloads) were pushed to npm with a cross-platform remote access trojan baked in. They were live for about three hours before being pulled. Anything that ran npm install in that window may have shipped with it.
The payload could open persistent remote access, exfiltrate data, and run arbitrary commands. Given how widely Axios is used on both frontend and backend, the exposure window was the scary part — three hours of any CI build or developer machine globally pulling a fresh install.
What to check. Grep package-lock.json and yarn.lock for axios 1.14.1 or 0.30.4. If found, upgrade to 1.7.9+ or 0.28.1+. Pull deployment logs from March 31, 2026 and look for unexpected outbound connections or process spawning.
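The lockfile check described above, as an added example (not code from the original post or from npm): it reads package-lock.json (lockfileVersion 1 to 3) and yarn.lock, going a little beyond a plain grep so nested copies are reported with their install path. The sample lockfiles are constructed and the function names are this example's own.

```python
import json
import re

# Versions named in the paragraph above; extend with other advisories as needed.
BAD = {"axios": {"1.14.1", "0.30.4"}}

def scan_package_lock(text, bad=BAD):
    """Return sorted (path, name, version) hits from package-lock.json text."""
    lock, hits = json.loads(text), set()
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if meta.get("version") in bad.get(name, ()):
            hits.add((path, name, meta["version"]))
    # lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies".
    def walk(deps, trail):
        for name, meta in deps.items():
            here = f"{trail}node_modules/{name}"
            if meta.get("version") in bad.get(name, ()):
                hits.add((here, name, meta["version"]))
            walk(meta.get("dependencies", {}), here + "/")
    walk(lock.get("dependencies", {}), "")
    return sorted(hits)

def scan_yarn_lock(text, bad=BAD):
    """Return sorted (specifiers, name, version) hits from yarn.lock text."""
    hits, header = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            header = line[:-1]  # e.g. axios@^1.6.0, axios@^1.7.0
        elif header and (m := re.match(r'\s+version:? "?([^"\s]+)"?', line)):
            # First specifier minus its range: "@scope/pkg@^1" -> "@scope/pkg".
            name = header.split(",")[0].strip().strip('"').rpartition("@")[0]
            if m.group(1) in bad.get(name, ()):
                hits.append((header, name, m.group(1)))
            header = None
    return sorted(hits)

# Constructed sample lockfiles, not taken from any real project.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/legacy/node_modules/axios": {"version": "0.27.2"}}})
SAMPLE_YARN = ('# yarn lockfile v1\n\naxios@^0.30.0:\n  version "0.30.4"\n'
               'chalk@^5.3.0:\n  version "5.3.0"\n')

if __name__ == "__main__":
    for hit in scan_package_lock(SAMPLE_LOCK) + scan_yarn_lock(SAMPLE_YARN):
        print("AFFECTED:", hit)
```

Run it in CI against every committed lockfile and fail the job on any hit.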
Shai-Hulud worm — September 2025
Analysed by Trend Micro and Sonatype.
Shai-Hulud self-propagating supply chain worm
- Packages: ~180 initial, grew to 500+
- Vector: Worm via stolen npm credentials and auto-republish
- Impact: Cloud secret exfiltration, credential theft, registry poisoning
Shai-Hulud was a new shape of attack: an npm worm that propagated by stealing credentials from each infected environment and using them to publish infected versions of more packages. Once a package was compromised, its install script harvested cloud tokens (AWS, GCP, Azure), CI/CD secrets, and environment variables, then used any captured npm tokens to push new infected versions of whatever else those tokens could publish.
It went from roughly 180 packages to over 500 in a short window. The worm primarily targeted cloud and CI/CD credentials, which is roughly the worst-case combination: by the time a defender realized they were infected, the credentials were already gone.
Indicators of compromise to look for:
- Unexpected outbound connections from CI/CD runners to unfamiliar endpoints.
- Cloud credential usage from unusual IPs or regions.
- npm publish events in your pipeline you didn't initiate.
- New versions of your own packages appearing in the registry without a corresponding release tag.
Chalk / Debug compromise — September 2025
First detected by Aikido Security. Further analysis from Wiz, Sonatype, Semgrep, ArmorCode, and Vercel.
Chalk, Debug, DuckDB and 25+ others — crypto wallet drainer
- Packages: chalk, debug, ansi-styles, strip-ansi, supports-color, duckdb, and 21+ others
- Vector: Maintainer phishing via npmjs.help — TOTP bypass, account takeover in minutes
- Impact: Browser-side crypto wallet drainer with Levenshtein address spoofing
On September 8, 2025, attackers registered npmjs.help to impersonate npm support and phished Josh Junon (alias qix), the maintainer of chalk. Within 16 minutes of taking the account over, they pushed malicious versions of 18 packages.
The payload was a browser-side crypto wallet drainer that hooked fetch(), XMLHttpRequest, and window.ethereum to intercept transactions and rewrite the destination address. It used Levenshtein distance matching to pick a replacement address that looked visually similar to the original — the kind of detail that defeats "just check the wallet address" advice.
A second maintainer account was also compromised, which is how duckdb got pulled in. Aikido caught it at 13:15 UTC. The malicious versions were live for about two hours. By the end, 27+ packages were confirmed compromised.
The affected list ran through chalk, debug, ansi-styles, strip-ansi, supports-color, color-convert, color-string, color-name, ansi-regex, wrap-ansi, has-ansi, slice-ansi, duckdb, duckdb-wasm, and a dozen-plus more. The full list is in the npm advisory database.
Nx / s1ngularity — August 2025
Reported by Upwind Security.
Nx monorepo tool and s1ngularity compromise
- Packages: @nx/* packages, s1ngularity
- Vector: Build-tool compromise targeting monorepo pipelines
- Impact: CI/CD pipeline infiltration, source code exfiltration risk
The Nx attack was the same general pattern, but aimed at enterprise dev teams. Packages in the @nx scope were compromised with code designed to exfiltrate source and CI/CD secrets from monorepo build pipelines. The s1ngularity package, a dependency in a few popular dev toolchains, was hit at the same time.
What makes this one interesting is that the code ran at build time, not at runtime — so anything that depends on watching production for misbehavior missed it entirely. CI runners and developer laptops were the actual target.
What to check. If you use Nx for monorepo management, audit lockfiles for affected @nx versions from August 2025. Review CI/CD logs for unusual file access or outbound transfer during build phases.
TeamPCP — March 2026, ongoing
Disclosed by Datadog Security Labs, Aikido Security, Wiz, and StepSecurity.
TeamPCP: multi-stage cross-platform campaign
- Packages: trivy, litellm, telnyx (PyPI); 40+ npm packages; Checkmarx KICS GitHub Action; OpenVSX extensions
- Vector: Stolen credentials, self-propagating worm, GitHub Actions compromise
- Impact: Credential exfiltration, Kubernetes destruction on Iranian targets, persistent backdoors
TeamPCP is a coordinated multi-stage campaign that hopped across ecosystems through March 2026. It used credentials harvested at each stage to fund the next compromise. The rough timeline:
- March 19: Trivy compromised. Stolen credentials were used to publish malicious trivy v0.69.4 and force-push 76 GitHub Action tags. The release machinery propagated the compromise to GHCR, Docker Hub, ECR Public, deb/rpm packages, and get.trivy.dev. Malicious actions dumped CI runner memory and exfiltrated through a lookalike domain. Aqua Security disclosed; StepSecurity analysed.
- March 20–22: CanisterWorm hits npm. A self-propagating npm worm spread across 40+ packages, including @EmilGroup (28) and @opengov (16). It stole npm tokens, resolved which packages each token could publish, bumped patch versions, and republished with malicious payloads. A Kubernetes-targeting script simultaneously dropped destructive payloads on Iranian systems and persistent backdoors elsewhere. Aikido Security discovered.
- March 23: Checkmarx KICS and OpenVSX. The same credential-theft pattern reached Checkmarx KICS GitHub Actions and two OpenVSX VS Code extensions. The KICS payload used a stealer tied to a lookalike domain, falling back to creating a public repository with the victim's GITHUB_TOKEN to exfiltrate. Wiz discovered.
- March 24: LiteLLM backdoored on PyPI. litellm 1.82.7 and 1.82.8 shipped with malware that collected env vars, SSH keys, cloud credentials, Kubernetes configs, Docker configs, shell history, database credentials, wallet files, and CI/CD secrets, encrypted them locally, and exfiltrated. PyPI quarantined the project after discovery. Datadog Security Labs.
- March 27: Telnyx backdoored on PyPI. telnyx 4.87.1 and 4.87.2 shipped the same credential exfiltration payload. Any host or CI job that installed those versions should be treated as a full credential exposure.
If you installed any affected packages, treat it as a full credential exposure. Rotate every secret, cloud credential, SSH key, and token that was present in that environment. Review CI/CD logs for unexpected outbound connections. Check for Kubernetes DaemonSets you didn't deploy. Removing the package isn't enough.
How these attacks actually work
Five vectors cover almost everything in the list above:
Account takeover via phishing
Attackers phish maintainer credentials, then publish a malicious version from the legitimate account. This is how Chalk/Debug went down. The published version looks legitimate because it comes from the real maintainer's account.
Dependency confusion
Attacker publishes a public package with the same name as a private internal one. The registry resolves the public malicious version instead of the private legitimate one. Especially dangerous in enterprise environments with private registries that haven't locked down public resolution.
Typosquatting
Publish a package with a name almost identical to a popular one — chal for chalk, axois for axios. Developers who mistype install the malicious version.
Worm propagation
As in Shai-Hulud and CanisterWorm: extract credentials from each infected environment, use them to publish more infected packages, repeat. The attack spreads on its own without needing the original attacker to act each time.
Build-tool injection
Compromise a build tool (the Nx pattern) so malicious code runs during CI/CD, before the software ships. Runtime monitoring misses this entirely because the code never runs in production.
Detecting this kind of attack
Vulnerability scanning checks your code against a database of known CVEs. That doesn't help against a malicious package version that didn't exist when the scan ran. Supply chain defense needs a few different things:
- Continuous dependency monitoring. Watch your dependency manifests against live feeds (npm advisories, OSV, GitHub Advisory Database) in real time, not on a nightly batch. The Axios window was three hours; a nightly scan would have missed it.
- Version anomaly detection. Watch for unexpected patch-version bumps in stable packages. A package like chalk releasing a new version with no corresponding GitHub release or changelog is worth a closer look.
- Behavioral checks in CI/CD. Watch build pipelines for unexpected network connections, file access outside the build directory, or environment-variable reads by build scripts. This is what catches the Nx-style build-time attacks.
- Lockfile integrity. Make sure your package-lock.json or yarn.lock is committed and matches what was audited. Attackers occasionally edit lockfiles directly to pin a malicious version without changing package.json.
- Provenance and signing. npm now supports package provenance — cryptographic proof a package was built from a specific git commit on a specific CI system. Enable it where you can and treat unsigned packages as higher risk.
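One way to implement the version anomaly check from the list above, as an added example rather than the approach of any tool named in this post: compare the versions in a package's registry metadata (the `time` map of an npm packument) against the repository's release tags. The package name, tags, timestamps and the 90-day quiet threshold are constructed assumptions.

```python
import json
import re
from datetime import datetime

def tagged_versions(tags, package):
    """Normalise git tags (v1.2.3, 1.2.3, pkg@1.2.3) to bare version strings."""
    out = set()
    for tag in tags:
        m = re.fullmatch(rf"(?:{re.escape(package)}@|v)?(\d+\.\d+\.\d+\S*)", tag)
        if m:
            out.add(m.group(1))
    return out

def untagged_releases(packument_text, tags, quiet_days=90):
    """Return (version, days_since_previous_release, after_quiet_period) for
    every registry version that has no matching git tag."""
    doc = json.loads(packument_text)
    tagged = tagged_versions(tags, doc["name"])
    # The "time" map also carries "created"/"modified", which are not versions.
    published = sorted(
        (datetime.fromisoformat(t.replace("Z", "+00:00")), v)
        for v, t in doc["time"].items() if v not in ("created", "modified"))
    findings, previous = [], None
    for when, version in published:
        if version not in tagged:
            gap = (when - previous).days if previous else None
            findings.append((version, gap, gap is not None and gap >= quiet_days))
        previous = when
    return findings

# Constructed registry metadata and tag list for a hypothetical package.
SAMPLE_PACKUMENT = json.dumps({"name": "example-lib", "time": {
    "created": "2023-01-10T09:00:00.000Z", "modified": "2025-09-08T13:20:00.000Z",
    "2.3.0": "2024-02-01T10:00:00.000Z", "2.3.1": "2024-06-15T10:00:00.000Z",
    "2.3.2": "2025-09-08T13:16:00.000Z"}})
SAMPLE_TAGS = ["v2.3.0", "example-lib@2.3.1", "docs-refresh"]

if __name__ == "__main__":
    for version, gap, quiet in untagged_releases(SAMPLE_PACKUMENT, SAMPLE_TAGS):
        note = " after a long quiet period" if quiet else ""
        print(f"ALERT: {version} has no release tag ({gap} days since last){note}")
```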
Why automation matters here
Axios was live for three hours. Shai-Hulud spread to 500+ packages. Chalk/Debug exposed 2 billion weekly downloads. At this speed, manual triage and patching is just too slow — by the time a security engineer has investigated, triaged, and rolled out a fix across the affected services, the damage is already done.
What actually works is automated detection and patching that runs continuously and acts in minutes. That's the gap we're working on with CyberArmy AutoFix: monitor the dependency tree across repositories against live threat intel, detect version anomalies and behavioral signatures, generate a pinned upgrade PR with human review, verify in a prod-clone before any change reaches a real environment, and log every step for SOC 2 / PCI-DSS evidence.
We're early on it. If your team is thinking about this problem and wants to compare notes (or take an early-access slot), the contact page is the right place to start.
Checklist if you're reviewing your posture today
Immediate
- Audit lockfiles for Axios 1.14.1/0.30.4, affected chalk/debug versions (Sept 2025), and @nx packages from August 2025.
- Check deployment and CI/CD logs from March–September 2025 for unusual outbound connections, unexpected process spawning, or credential usage from unknown IPs.
This week
- Turn on npm provenance verification for internal packages and CI/CD pipelines.
- Add lockfile integrity checks to CI — build should fail if the lockfile differs from what was committed.
This month
- Wire up continuous dependency monitoring against OSV and npm advisory feeds. Real-time, not nightly.
- Rotate secrets and cloud credentials that were present in CI/CD environments during the Shai-Hulud window (August–September 2025).
Ongoing
- Automate dependency patching with human review gates. Manual patching can't keep up.
- Monitor for package version anomalies — automated alerts when a stable dependency publishes an unexpected new version.
Research credits
Almost everything in this post came from public research by other teams. The list below is who did the actual work — read their full write-ups for the technical detail this notebook entry compresses.
- Datadog Security Labs · Nick Frichette, Sebastian Obregoso, Christophe Tafani-Dereeper, Emile Spir
  TeamPCP investigation across LiteLLM, Telnyx, and cross-ecosystem attribution.
- StepSecurity · StepSecurity Research
  Technical analysis of the Trivy v0.69.4 release and exfiltration mechanism.
- Aqua Security · Aqua Security Team
  Disclosed the Trivy compromise and the GitHub advisory for affected versions.
- Aikido Security · Aikido Security Research
  First to detect Chalk/Debug at 13:15 UTC on September 8, 2025. Also discovered TeamPCP CanisterWorm propagation across npm.
- Trend Micro · Jeffrey Francis Bonaobra, Joshua Aquino
  Detailed technical analysis of the Shai-Hulud worm, its GitHub Actions propagation, and Cryptohijacker payload.
- Sonatype · Sonatype Security Research
  Tracked additional compromised packages including duckdb; maintains the OSS vulnerability timeline.
- Semgrep · Semgrep Supply Chain Team
  Published open-source detection rules for all compromised Chalk/Debug versions.
- ArmorCode · ArmorCode Research
  Scale analysis of the September 2025 npm attack and the Levenshtein wallet-address spoofing technique.
- Wiz · Hila Ramati, Gal Benmocha, Danielle Aminov
  Cloud telemetry on Chalk/Debug impact and disclosure of the Checkmarx KICS GitHub Action compromise.
- Vercel · Vercel Security Team
  Transparent incident response — identified 70 affected teams, purged build caches, notified customers within hours.
- Upwind Security · Upwind Research
  Coverage of the Nx / s1ngularity compromise.
- npm and PyPI security teams
  Registry-level quarantine and removal of compromised packages across all of the above.
