Two different attackers poisoned popular open source tools – and showed us the future of supply chain compromise

FEATURE Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands – if not more – organizations. We won’t know the full blast radius for months.

Both targeted popular open source projects that are used by a ton of organizations and integrated into countless software products, apps, and developer environments.

First, attackers hit Trivy, a vulnerability scanner with more than 100,000 users and contributors that is embedded in thousands of CI/CD pipelines. Up next: Axios, an open-source JavaScript library that has about 100 million weekly downloads and runs in 80 percent of cloud and code environments.

“Both of these campaigns will likely play out over several months,” Mandiant Consulting CTO Charles Carmakal told The Register. “The data that was taken a few weeks ago will likely be leveraged this week, next week, next month – probably for several months – and the blast radius will continue to expand.”

Although executed by different attackers – Axios by North Korean-linked goons, and Trivy et al. by a loosely knit band of smash-and-grab miscreants called TeamPCP – both had similar end goals, a deep understanding of developer environments, and advanced social engineering skills.

According to security experts, the incidents demonstrate the future of supply-chain attacks.

“We are seeing more and more developers targeted by this type of activity,” Cisco Talos outreach lead Nick Biasini told The Register. “Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat.”

It’s going to become even more frequent as attackers use AI to make their social engineering campaigns more believable and hyper-personalized to targeted people and organizations, Biasini added.

“In today’s world, with AI and the kind of public personas that people keep, it’s increasingly easy to build attacks,” he said. “If there’s a lot of money at stake, there’s going to be a lot of people running to cash in. So with this success, I expect to see more.”

Vuln scanner as initial attack vector

TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security, in late February, then on March 16 injected credential-stealing malware into the scanner’s binary, GitHub Actions, and container images. This malware hoovered up CI/CD secrets, cloud credentials, SSH keys, and Kubernetes configuration files, and planted persistent backdoors on developers’ machines. It also gave the attackers an initial access vector into several other open source tools.

Then, on March 23, the same crew used CI/CD secrets stolen from the Trivy intrusion to inject the same malware into open source static analysis tool KICS, maintained by Checkmarx. Days later, TeamPCP published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline.

“I think they went after security tools deliberately,” Ben Read, who leads the cyber threat intel team at Wiz, told The Register. “It could be giving the finger to people and brashness, or they saw a market opportunity because odd things happen in security environments, and they don’t get watched as closely. But the bigger picture is: This stuff is very accessible.”

TeamPCP, the group behind the Trivy and other open source supply chain attacks, first showed up on the cybercrime scene at the end of 2025, targeting cloud environments in data-theft and extortion operations.


Researchers at Flare, a threat exposure management provider, were among the first to sound the alarm about TeamPCP. In December, Flare detailed how the hacking crew exploited misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications. After compromising one workload, the criminals used that access to move laterally across entire clusters, monetizing stolen data for ransom and using exposed infrastructure for crypto-mining, proxy networks, scanning, and data hosting.

“The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency,” Flare analysts wrote at the time.

“Initially, there’s not a ton to distinguish them from the other, relatively noisy, financially motivated groups claiming stuff online,” Read said.

Infosec researchers believe TeamPCP is a loosely knit group of young people, primarily English speakers inspired by influencer culture and YouTube trends. The miscreants like to brag about their exploits on Telegram and Discord channels, a trait they share with other attack gangs like The Com, Lapsus$, Scattered Spider, and ShinyHunters.

“They’re clearly inspired by the communication style of Lapsus$,” Read said, noting the group points to a Rickroll video in its malicious domain, and hid a secret message saying “thank you for not being a vibe researcher” in its blockchain-based command-and-control infrastructure.

“They’re aware people are watching them, and they are leaning into that, trying to create this vision of themselves,” he added.

Plus, as the group’s December attacks and then Trivy compromise showed, TeamPCP “definitely know the developer environment well,” Read said. “And they are clearly leaning on LLMs to develop some of their code.”

Developer environments tend to be well-documented – and this lends itself to using LLMs to assist in finding misconfigurations, and writing and injecting malicious code into packages.

“Their style was very much smash-and-grab,” in all four of the open source compromises, Read said. “In all of the cases, they were found in less than 12 hours. They were not trying to mask stuff or find one valuable thing and get out silently. It was primarily about speed, just grabbing everything, and getting out quickly.”

North of 10,000 organizations were likely impacted

Even if the attack wasn’t elegant, it still amassed a huge volume of credentials – “so large, that the adversary started soliciting support from a variety of other threat actors to do things with the stolen credentials,” Carmakal said.

In total, TeamPCP stole credentials for more than 10,000 organizations, according to Carmakal, although that doesn’t necessarily mean they’ve since compromised that many environments to steal data or perform other nefarious acts.

“North of 10,000 organizations were likely impacted,” he said. “It was really interesting and quite alarming to see how many credentials these folks had successfully obtained from a whole bunch of compromised endpoints.”

Carmakal doubts the gang has ended its rampage. “We assess that the threat actor, as long as they continue to leverage these credentials and these secrets, they’ll likely continue to compromise more environments,” he said. “As they compromise more environments, they’ll get more secrets, more credentials, and keep going until they choose to stop, or law enforcement takes action, or there’s some other disruption activity that occurs.”

In another open source galaxy, not so far away…

Then, just two weeks after Trivy, another supply chain attack hit a different open-source library.

On March 31, Axios, one of npm’s most widely used HTTP client libraries, became a malware delivery vehicle for about three hours after attackers hijacked a maintainer’s account and slipped a remote-access trojan (RAT) into two seemingly legitimate releases.

Google’s Threat Intelligence Group attributed the attack to a suspected North Korean threat actor it tracks as UNC1069.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” GTIG chief analyst John Hultquist told The Register at the time. “The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”

Axios’ primary maintainer Jason Saayman later published a detailed post-mortem, and said the tactics mirrored Google’s February analysis of UNC1069, and its use of AI-enabled social engineering to target cryptocurrency companies with custom malware.

The attackers reached out to Saayman pretending to be a company founder – after creating a digital clone of the real company and its founders. They also built a realistic Slack workspace, complete with employee profiles and posts, and then invited Saayman to join.

“The gentleman who was the initial victim got an invite to collaborate,” Read said. “This is how the internet is supposed to work: Two people from across the globe collaborating on a project that helps other people. But it was North Korea.”

This was the RAT

After gaining Saayman’s trust, the criminals lured him into joining a Teams meeting. When he joined, however, Teams told Saayman his software was out of date, and he needed to install an update to continue. “This was the RAT,” he wrote in the post-mortem.

The malware gave UNC1069 access to Saayman’s machine, and this allowed them to push malicious updates to the Axios project, ensuring that any system that installed the compromised packages during the three-hour window downloaded a stealer that exfiltrated users’ private keys and credentials, sending them to an attacker-controlled server.

The number of downstream victims is unknown.

“This was a very sophisticated campaign,” Biasini said. “They did a lot to compromise this particular victim, and there’s not a lot that would have tipped them that there were problems.”

North Korean criminals have targeted developers – and companies looking to hire developers – for years, with state-sponsored offensive cyber operations that include cryptocurrency theft, ransomware and extortion attacks, and IT worker scams. More recently, they’ve also begun going after developers directly, using lures like job interviews and meetings to compromise their machines and steal credentials and cryptocurrency wallets.

“North Korea’s got this flywheel of understanding, where they’ve got the IT workers who are getting real jobs, and they also understand developer environments and how they work from a technical perspective,” Read said. “From what we’ve seen, and what we tell our customers: This is going to keep happening.”

What to expect when you’re defending

Both supply-chain attacks illustrate how adversaries will always choose the path of least resistance, whether that means logging in with compromised credentials or social engineering the sole maintainer on an open source project that underpins most of the internet.

“They realize that instead of trying to bang my way into these companies, it’s much better for me to go after the one, maybe two people that are maintaining this open source package,” Biasini said. “And by compromising these packages, they can create a huge amount of opportunity in a wide array of spaces.”

If there’s a silver lining to be had, it’s that both incidents “created a whole bunch of awareness of this problem that everybody’s dealing with right now with compromised packages,” Carmakal said. “And it reintroduces the conversation of SBOMs – software bill-of-materials.”

An SBOM essentially serves as an “ingredients list” for a piece of software, covering its open source, third-party, and proprietary components.

“The biggest thing that you can do is understand where your risk is,” Biasini said. “If a supply-chain attack happens, you should be able to quickly determine where is this package being used in our environment, and where are our potential infection points? The best thing you can do as defenders is make sure that you have those SBOMs, understand where these packages are, and try and triage as quickly as you can.”

Biasini suggests using AI agents to help. “This would be a great place to leverage AI,” he said. “Start turning on AI agents to identify where these open source projects are in your environment.”
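The triage Biasini describes can be scripted once SBOMs exist. The following is an added example, not code from the article or from any of the vendors quoted in it: it reads one CycloneDX JSON SBOM per deployed service (CycloneDX is a real SBOM format) and reports which services ship a named package, and which of those ship a version in an affected set. The service names, component lists and version numbers are constructed for illustration, and the affected version set is a placeholder, not the real compromised releases.

```python
"""Triage a set of CycloneDX SBOMs for an affected package (added example)."""
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample inventory: service name -> CycloneDX 1.5 JSON document.
SAMPLE_SBOMS: Dict[str, str] = {
    "payments-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "axios", "version": "9.9.9",
             "purl": "pkg:npm/axios@9.9.9"},
            {"type": "library", "name": "express", "version": "4.19.2",
             "purl": "pkg:npm/express@4.19.2"},
        ],
    }),
    "reporting-worker": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "axios", "version": "1.0.0",
             "purl": "pkg:npm/axios@1.0.0"},
        ],
    }),
    "legacy-batch": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
        ],
    }),
}


def components(sbom_json: str) -> Iterable[dict]:
    """Yield every component in a CycloneDX document, including nested ones.

    CycloneDX lets a component carry its own "components" list (bundled
    dependencies), so walk the tree instead of only the top-level array.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    stack = list(doc.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def find_package(sboms: Dict[str, str], name: str, ecosystem: str) -> Dict[str, List[str]]:
    """Map service -> versions of `name` it ships, matched on the purl.

    Matching on the package URL (pkg:<type>/<name>@<version>) keeps an npm
    package from being confused with a same-named PyPI or Maven package.
    Components without a purl are ignored here.
    """
    prefix = f"pkg:{ecosystem}/{name}@"
    hits: Dict[str, List[str]] = {}
    for service, sbom in sboms.items():
        for comp in components(sbom):
            purl = comp.get("purl", "")
            if purl.startswith(prefix):
                hits.setdefault(service, []).append(purl[len(prefix):])
    return hits


def triage(sboms: Dict[str, str], name: str, ecosystem: str,
           affected: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (services shipping an affected version, services shipping the
    package at all). The second list is the watch list for pinned installs
    and lockfile review; the first is the incident scope."""
    hits = find_package(sboms, name, ecosystem)
    exposed = sorted(s for s, vs in hits.items() if affected & set(vs))
    present = sorted(hits)
    return exposed, present


if __name__ == "__main__":
    AFFECTED = {"9.9.9"}  # placeholder, not the real compromised versions
    exposed, present = triage(SAMPLE_SBOMS, "axios", "npm", AFFECTED)
    print("ships an affected version:", exposed)
    print("ships the package (any version):", present)
```

In practice the SBOM inventory would come from a build-time generator per service rather than inline literals, and the affected set from the project's advisory; the split between "exposed" and "present" is what lets a team prioritize rotation of secrets on the exposed hosts first.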

All of the security experts we spoke with noted the rapid detection time in these supply chain attacks. “Within 12 hours in most cases,” Read said. “This wasn’t something that was lying there silently for a long time.”

There will always be a window between whenever code is poisoned and the time it’s detected in a supply-chain attack. That window presents an opportunity for organizations to avoid downloading malware onto their systems and machines, he added.

“If you create a rule in your development environments where you don’t download any versions newer than 24 hours, you would have skipped these,” Read said. “It’s easy to say, hard to enforce consistently, especially with Jim from accounting spinning up Claude and now everybody’s a developer.”

Still, enforcing some type of short delay, coupled with SBOMs, knowing what software runs on which machines, and where secrets live, can help organizations better “respond and prioritize efficiently,” he added.
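The 24-hour rule Read describes can be enforced at install time. The following is an added example, not code from the article or from npm: it applies a minimum release age against the shape of an npm registry packument, whose real `time` field maps each version (plus `created` and `modified`) to an ISO 8601 publish timestamp. The packument, version numbers, timestamps and the fixed clock are constructed for illustration. npm itself can approximate the same policy with `npm install --before=<date>`; this script shows the logic explicitly, including what to fall back to when the requested version is too new.

```python
"""Gate package installs on a minimum release age (added example)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed packument fragment with only the fields the gate needs.
SAMPLE_PACKUMENT: Dict[str, Any] = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T12:00:00.000Z",
        "2.0.0": "2024-03-01T09:00:00.000Z",
        "2.0.1": "2024-03-05T09:00:00.000Z",
        "2.1.0-rc.1": "2024-03-09T09:00:00.000Z",
        "2.1.0": "2024-03-10T12:00:00.000Z",
    },
}

# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 10, 18, 0, 0, tzinfo=timezone.utc)

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # stable x.y.z only


def parse_iso(ts: str) -> datetime:
    """Registry timestamps end in 'Z'; older Pythons' fromisoformat rejects it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_key(version: str) -> Optional[Tuple[int, int, int]]:
    """Sort key for stable versions. Prereleases such as 2.1.0-rc.1 return
    None and are skipped: the gate is meant to land on a settled release."""
    m = RELEASE_RE.match(version)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def newest_aged_version(packument: Dict[str, Any], min_age: timedelta,
                        now: datetime = NOW) -> Optional[str]:
    """Newest stable version published at least `min_age` before `now`, or None."""
    cutoff = now - min_age
    candidates: List[Tuple[Tuple[int, int, int], str]] = []
    for version, ts in packument["time"].items():
        key = release_key(version)
        if key is None:  # skips "created", "modified", and prereleases
            continue
        if parse_iso(ts) <= cutoff:
            candidates.append((key, version))
    if not candidates:
        return None
    return max(candidates)[1]


def check_install(packument: Dict[str, Any], requested: str, min_age: timedelta,
                  now: datetime = NOW) -> Tuple[bool, str]:
    """Allow `requested` only once it has aged past `min_age`; otherwise block
    it and point at the newest version that has."""
    published = packument["time"].get(requested)
    if published is None:
        return False, f"{requested}: unknown version"
    age = now - parse_iso(published)
    if age >= min_age:
        return True, f"{requested}: published {age} ago, allowed"
    fallback = newest_aged_version(packument, min_age, now)
    hint = f"use {fallback}" if fallback else "no version old enough"
    return False, f"{requested}: published {age} ago (< {min_age}), blocked; {hint}"


if __name__ == "__main__":
    latest = SAMPLE_PACKUMENT["dist-tags"]["latest"]
    ok, msg = check_install(SAMPLE_PACKUMENT, latest, timedelta(hours=24))
    print(msg)  # 2.1.0 is six hours old, so it is blocked in favour of 2.0.1
```

The delay buys nothing if the attacker is patient, and it does nothing for a version that was already in your lockfile; its value is exactly the case this article describes, where the poisoned release was pulled within hours and anyone who waited a day never saw it.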

“Social engineering isn’t going away,” according to Biasini. “It’s going to get really bad with deep fakes, voice cloning, and video cloning. Organizations should already be planning for secure phrases, secure objects.” By secure objects he means a physical item, something kept on your desk that you can pick up and show to prove your identity to the person on the other end of a video call.

“Making sure that you have the things in place now to deal with the stuff that’s going to be coming, because soon you’re going to have your CEO or your boss showing up on a video call demanding that you do something that seems odd. And if you don’t have these protections built in already, it’s going to be hard to stand them up.” ®
