John Coughlan, May 11, 2026, 6 min read

Supply Chain Attacks - abusing good nature for profit

Executive Summary

Software supply chain attacks have evolved from opportunistic tampering to structured, repeatable campaigns targeting the trust fabric of modern software delivery. The current wave is not defined solely by malicious packages but also includes maintainer social engineering, CI/CD compromise, tag hijacking, secret harvesting from runners, malicious artifact publication, and lateral movement across interconnected tools.

Recent incidents—including the Axios npm compromise [1] [2], the Shai-Hulud 2.0 npm campaign [3], the tj-actions/reviewdog GitHub Actions compromise [4] [5], and the TeamPCP cascading campaign affecting Trivy, LiteLLM, KICS, and related ecosystems [6] [7]—demonstrate a consistent attacker model:

  • Gaining access to a trusted upstream actor or component
  • Abusing release and automation workflows
  • Preserving expected functionality to reduce suspicion
  • Harvesting secrets and authenticated context
  • Propagating through downstream trust relationships

This post focuses on what actually happened, how these compromises unfolded, and what defenders, developers, and platform engineers should do in response.


The 2025 Supply Chain Threat Landscape

The defining characteristic of the current threat landscape is transitive trust exploitation. Attackers no longer need to target hardened production systems directly—they compromise the systems and people that software pipelines already trust [8] [9]. This includes package maintainers, package registries and release channels, CI/CD actions and runners, open-source scanning and security tooling, developer workstations, and IDE extensions. Once inside, attackers inherit trust relationships that defenders themselves created for speed and automation.

Attack Pattern Breakdowns


Axios npm Compromise

A targeted social engineering attack led to maintainer endpoint compromise, allowing attackers to hijack authenticated sessions and publish malicious package versions outside the normal CI workflow [1] [2]. The payload was staged through a dependency (plain-crypto-js), which evolved from benign to malicious and delivered cross-platform second-stage malware during installation—while preserving expected Axios functionality [1] [2].


Shai-Hulud 2.0 npm Campaign

A large-scale campaign leveraged compromised maintainer accounts to modify hundreds of legitimate packages [3]. Malicious code executed during preinstall, bootstrapped its own runtime (Bun), deployed tooling (including GitHub runner components), and actively harvested secrets using tools like TruffleHog [3]. Exfiltration was staged via attacker-controlled repositories, turning package installs into pipeline compromise.


tj-actions / reviewdog GitHub Actions Compromise

An upstream action compromise enabled secret theft from CI runners, including a bot token used to inject malicious code into downstream repositories [4] [5]. The attacker used commit impersonation and tag rewriting to distribute the payload at scale [4]. Malicious logic exposed secrets via memory dumping and workflow logs, impacting any workflows relying on mutable tags.


TeamPCP Cascading Campaign

A multi-stage supply chain attack began with a CI workflow misconfiguration (pull_request_target), which led to token exposure, incomplete credential rotation, and persistent access [6] [7]. Attackers hijacked tags, poisoned releases, and distributed malicious binaries while preserving expected tool behavior [6]. Stolen secrets enabled lateral movement into adjacent ecosystems (e.g., LiteLLM, KICS), demonstrating full trust-chain compromise across tools [7].
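A defender-side check for the two workflow weaknesses behind the tj-actions/reviewdog and TeamPCP incidents above, added here as an example that is not from the original post or from any of the cited projects: it scans a GitHub Actions workflow for actions referenced by a mutable tag or branch instead of a full commit SHA, and for pull_request_target workflows that check out the pull request head. The sample workflow, the some-org/some-action name and the 40-character SHA are constructed for illustration.

```python
import re

# Constructed sample workflow (not from any real repository) showing the two
# weaknesses discussed above: mutable action refs and pull_request_target
# combined with a checkout of the untrusted PR head.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: tj-actions/changed-files@v35
      - uses: some-org/some-action@8f4b7f24b5e5c2e2c7e5d5c1a0b9e8d7c6b5a4f3
      - run: make test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # 'uses: owner/repo@ref'
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # immutable commit pin
PR_TARGET_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def lint_workflow(text: str) -> list[str]:
    """Return one finding per action not pinned to a full commit SHA, plus a
    finding if a pull_request_target workflow checks out the PR head."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not tag-resolved
        action, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(f"line {lineno}: {action} pinned to mutable ref '{version or '(none)'}'")
    if PR_TARGET_RE.search(text) and PR_HEAD_RE.search(text):
        findings.append("pull_request_target workflow checks out the PR head: "
                        "untrusted code runs with the base repo's token and secrets")
    return findings


if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Running the same check over every workflow under .github/workflows in CI turns tag pinning and trigger hygiene into an enforced policy rather than a review-time reminder.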


PyPI Credential-Harvesting Campaigns

Malicious packages—often using name confusion—execute during install or import to enumerate environments and extract credentials (registry tokens, cloud keys, config files) [10] [11]. These campaigns focus on developer environments as initial access points, with quiet exfiltration over standard web traffic and minimal visibility.


VS Code / Extension Marketplace Abuse

Compromised or malicious extensions gain execution within the IDE, accessing source code, local files, tokens, and workspace context [12]. Persistence is maintained through auto-update and startup triggers, enabling continuous data access and potential pivot into repositories, CI systems, or cloud environments.


Dependency Confusion Attacks

Attackers publish public packages matching internal dependency names with higher version numbers, causing unintended resolution during builds [13]. These packages execute at install time, enabling environment profiling and credential theft. Success depends on namespace and registry misconfiguration rather than advanced exploitation.
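An added audit script, not part of the original post, that covers both the install-time execution discussed under Shai-Hulud 2.0 and the dependency confusion section above: it reads an npm package-lock.json (the lockfileVersion 2/3 "packages" map) and flags internal-scope packages resolved from a public registry as well as packages that carry a lifecycle install script (npm records this as hasInstallScript). The @acme scope, the private registry URL and the lockfile contents are constructed assumptions.

```python
import json

# Constructed lockfile fragment (lockfileVersion 3 layout), not from any real
# project. @acme is assumed to be the organisation's internal scope.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/@acme/billing-utils": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/billing-utils/-/billing-utils-99.0.0.tgz",
      "hasInstallScript": true
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    },
    "node_modules/some-native-addon": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/some-native-addon/-/some-native-addon-4.1.0.tgz",
      "hasInstallScript": true
    }
  }
}""")

INTERNAL_SCOPES = ("@acme/",)                         # assumption: internal scope(s)
PRIVATE_REGISTRY = "https://npm.internal.example/"    # assumption: private registry


def audit_lock(lock: dict) -> dict:
    """Flag internal-scope packages not served by the private registry
    (dependency confusion) and packages that run install scripts."""
    findings = {"dependency_confusion": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # root project entry and workspace roots are not dependencies
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules
        version = meta.get("version", "?")
        resolved = meta.get("resolved", "")
        if name.startswith(INTERNAL_SCOPES) and not resolved.startswith(PRIVATE_REGISTRY):
            findings["dependency_confusion"].append(f"{name}@{version} resolved from {resolved or 'unknown'}")
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(f"{name}@{version}")
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_lock(SAMPLE_LOCK), indent=2))
```

Packages with install scripts are not malicious by definition (native addons need them), so the second list is a review queue; the first list is a hard failure. Pairing the check with an .npmrc that maps the internal scope to the private registry (@acme:registry=...) and sets ignore-scripts=true removes both conditions at install time.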


Recurring Attack Patterns Across Recent Incidents

Incidents compared: Axios, Shai-Hulud 2.0, tj-actions / reviewdog, TeamPCP, PyPI Campaigns, VS Code Abuse, Dependency Confusion. Number of these seven incidents exhibiting each pattern:

  • Maintainer / Publisher Compromise: 5 of 7
  • Social Engineering Entry Point: 2 of 7
  • CI/CD or Automation Abuse: 5 of 7
  • Install / Preinstall Execution: 5 of 7
  • Secret Harvesting: all 7
  • Preserve Expected Behavior: all 7
  • Release / Tag Abuse: 4 of 7
  • Transitive Trust Exploitation: all 7
  • Cross-Tool Propagation: all 7


Mapping to MITRE ATT&CK

Technique ID, technique name, and description / example:

  • T1195, Supply Chain Compromise: Malicious code or malicious release behavior inserted into trusted packages, actions, or artifacts
  • T1552, Unsecured Credentials: Theft of CI secrets, bot tokens, package registry credentials, and developer-side secrets
  • T1059, Command and Scripting Interpreter: Execution through install hooks, shell commands, setup scripts, and CI task logic
  • T1027, Obfuscated/Compressed Files and Information: Encoded or disguised payload logic to resist static review and simple scanning
  • T1071, Application Layer Protocol: Exfiltration and command traffic over standard web protocols
  • T1078, Valid Accounts: Abuse of authenticated maintainer, bot, registry, or CI identities after compromise

These behaviors map into familiar ATT&CK categories, but the supply chain context shifts the control plane upstream into:

  • Identity and trust for maintainers, bots, and publishers
  • Dependency and action governance
  • CI/CD architecture and workflow design
  • Build-time and install-time execution control
  • Developer tooling and extension governance

Security teams must operate in these areas in partnership with developers and platform engineers.


Conclusion

The current wave of software supply chain attacks succeeds because attackers understand how modern software delivery works. They target the humans, bots, workflows, and distribution channels that defenders already trust. They preserve normal functionality, steal authenticated context, and expand laterally across adjacent tooling ecosystems—exploiting the fact that many organizations still separate software trust, cloud trust, CI trust, and endpoint trust into different silos.

The incidents covered here—Axios, Shai-Hulud 2.0, tj-actions/reviewdog, TeamPCP, PyPI credential-harvesting campaigns, VS Code extension abuse, and dependency confusion attacks—share a common attacker model: gain upstream access, inherit trust, harvest secrets, and propagate downstream. Defending against this requires treating dependency resolution, CI workflow design, maintainer identity, and extension governance as first-class security controls—not afterthoughts.


References

  1. Microsoft – Axios Supply Chain Compromise
    https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
  2. Google Threat Intelligence – Axios npm Attack
    https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package
  3. Microsoft – Shai-Hulud 2.0 Campaign
    https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/
  4. Palo Alto Unit 42 – GitHub Actions Compromise
    https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
  5. Wiz Research – tj-actions Supply Chain Attack (CVE-2025-30066)
    https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
  6. Snyk – Trivy / TeamPCP Compromise
    https://snyk.io/articles/trivy-github-actions-supply-chain-compromise/
  7. SecurityWeek – TeamPCP Ecosystem Expansion
    https://www.securityweek.com/from-trivy-to-broad-oss-compromise-teampcp-hits-docker-hub-vs-code-pypi/
  8. BleepingComputer – Axios Social Engineering Compromise
    https://www.bleepingcomputer.com/news/security/axios-npm-hack-used-fake-teams-error-fix-to-hijack-maintainer-account/
  9. Trend Micro – Axios Attack Timeline
    https://www.trendmicro.com/en_us/research/26/c/axios-npm-package-compromised.html
  10. Datadog Security Labs – npm Campaign Research
    https://securitylabs.datadoghq.com
  11. Socket.dev – Malicious Package Detection
    https://socket.dev
  12. OpenSSF
    https://openssf.org
  13. SLSA Framework
    https://slsa.dev
