Software supply chain attacks have evolved from opportunistic tampering to structured, repeatable campaigns targeting the trust fabric of modern software delivery. The current wave is not defined solely by malicious packages but also includes maintainer social engineering, CI/CD compromise, tag hijacking, secret harvesting from runners, malicious artifact publication, and lateral movement across interconnected tools.
Recent incidents, including the Axios npm compromise [1] [2], the Shai-Hulud 2.0 npm campaign [3], the tj-actions/reviewdog GitHub Actions compromise [4] [5], and the TeamPCP cascading campaign affecting Trivy, LiteLLM, KICS, and related ecosystems [6] [7], demonstrate a consistent attacker model: gain upstream access, inherit trust, harvest secrets, and propagate downstream.
This post focuses on what actually happened, how these compromises unfolded, and what defenders, developers, and platform engineers should do in response.
The defining characteristic of the current threat landscape is transitive trust exploitation. Attackers no longer need to target hardened production systems directly—they compromise the systems and people that software pipelines already trust [8] [9]. This includes package maintainers, package registries and release channels, CI/CD actions and runners, open-source scanning and security tooling, developer workstations, and IDE extensions. Once inside, attackers inherit trust relationships that defenders themselves created for speed and automation.
The Axios compromise began with a targeted social engineering attack that led to maintainer endpoint compromise, allowing attackers to hijack authenticated sessions and publish malicious package versions outside the normal CI workflow [1] [2]. The payload was staged through a dependency (plain-crypto-js), which evolved from benign to malicious and delivered cross-platform second-stage malware during installation, while preserving expected Axios functionality [1] [2].
Shai-Hulud 2.0 was a large-scale campaign that leveraged compromised maintainer accounts to modify hundreds of legitimate packages [3]. Malicious code executed during preinstall, bootstrapped its own runtime (Bun), deployed tooling (including GitHub runner components), and actively harvested secrets using tools like TruffleHog [3]. Exfiltration was staged via attacker-controlled repositories, turning package installs into pipeline compromise.
The tj-actions/reviewdog incident was an upstream action compromise that enabled secret theft from CI runners, including a bot token used to inject malicious code into downstream repositories [4] [5]. The attacker used commit impersonation and tag rewriting to distribute the payload at scale [4]. Malicious logic exposed secrets via memory dumping and workflow logs, impacting any workflow that relied on mutable tags.
TeamPCP was a multi-stage supply chain attack that began with a CI workflow misconfiguration (pull_request_target), leading to token exposure, incomplete credential rotation, and persistent access [6] [7]. Attackers hijacked tags, poisoned releases, and distributed malicious binaries while preserving expected tool behavior [6]. Stolen secrets enabled lateral movement into adjacent ecosystems (e.g., LiteLLM, KICS), demonstrating full trust-chain compromise across tools [7].
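The two workflow weaknesses behind the tj-actions/reviewdog and TeamPCP incidents, mutable action tags and a pull_request_target trigger that checks out the untrusted PR head, can both be caught by a simple workflow lint. The following is an added example, not code from the original post or from any of the projects named; the sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re

# Added example: lint GitHub Actions workflow text for two defender-relevant findings:
# (a) `uses:` references pinned to a mutable tag/branch rather than a full commit SHA, and
# (b) a pull_request_target workflow that checks out the PR head, so untrusted code runs
#     with the base repository's secrets.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def lint_workflow(text):
    findings = []
    uses_prt = "pull_request_target" in text
    checks_out_head = bool(PR_HEAD_RE.search(text))
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local path or container actions carry no git ref to pin
        action, _, ref = spec.partition("@")
        if not SHA_RE.match(ref):
            findings.append(f"line {lineno}: {action} pinned to mutable ref '{ref or '<none>'}'")
    if uses_prt and checks_out_head:
        findings.append("pull_request_target checks out untrusted PR head with base-repo secrets")
    return findings


# Constructed sample workflow (not from any real repository); the SHA is a placeholder.
SAMPLE = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - run: npm ci
"""

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE):
        print(finding)
```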
On PyPI, malicious packages, often using name confusion, execute during install or import to enumerate environments and extract credentials (registry tokens, cloud keys, config files) [10] [11]. These campaigns focus on developer environments as initial access points, with quiet exfiltration over standard web traffic and minimal visibility.
Compromised or malicious VS Code extensions gain execution within the IDE, accessing source code, local files, tokens, and workspace context [12]. Persistence is maintained through auto-update and startup triggers, enabling continuous data access and potential pivot into repositories, CI systems, or cloud environments.
In dependency confusion attacks, attackers publish public packages matching internal dependency names with higher version numbers, causing unintended resolution during builds [13]. These packages execute at install time, enabling environment profiling and credential theft. Success depends on namespace and registry misconfiguration rather than advanced exploitation.
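Both the preinstall execution seen in Shai-Hulud 2.0 and the resolution failure behind dependency confusion leave evidence in the lockfile: a resolved URL pointing at the wrong registry, and the hasInstallScript flag npm records for packages with install hooks. The following lockfile audit is an added example, not code from the original post; the @acme/ scope, the registry.internal.example host, and the lockfile fragment are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Added example: audit an npm package-lock.json (lockfileVersion 2/3 "packages" map) for
# (a) internal-scope packages that resolved from somewhere other than the private registry,
#     i.e. the dependency-confusion condition, and
# (b) packages that carry install scripts and therefore execute on `npm install`.
INTERNAL_SCOPE = "@acme/"                        # assumption: the org's private scope
INTERNAL_REGISTRY = "registry.internal.example"  # assumption: the private registry host


def audit_lockfile(lock):
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if name.startswith(INTERNAL_SCOPE) and host != INTERNAL_REGISTRY:
            findings.append(("dependency-confusion", name, host or "<unresolved>"))
        if meta.get("hasInstallScript"):
            findings.append(("install-script", name, meta.get("version", "?")))
    return findings


# Constructed lockfile fragment (not from any real project).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@acme/auth-client": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.0.0.tgz",
      "hasInstallScript": true
    },
    "node_modules/@acme/logger": {
      "version": "2.1.0",
      "resolved": "https://registry.internal.example/@acme/logger/-/logger-2.1.0.tgz"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    }
  }
}""")

if __name__ == "__main__":
    for kind, name, detail in audit_lockfile(SAMPLE_LOCK):
        print(f"{kind}: {name} ({detail})")
```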
| Attack Pattern | Axios | Shai-Hulud 2.0 | tj-actions / reviewdog | TeamPCP | PyPI Campaigns | VS Code Abuse | Dependency Confusion |
|---|---|---|---|---|---|---|---|
| Maintainer / Publisher Compromise | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
| Social Engineering Entry Point | ✔️ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ |
| CI/CD or Automation Abuse | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ✔️ |
| Install / Preinstall Execution | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
| Secret Harvesting | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Preserve Expected Behavior | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Release / Tag Abuse | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ |
| Transitive Trust Exploitation | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Cross-Tool Propagation | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Technique ID | Technique Name | Description / Example |
|---|---|---|
| T1195 | Supply Chain Compromise | Malicious code or malicious release behavior inserted into trusted packages, actions, or artifacts |
| T1552 | Unsecured Credentials | Theft of CI secrets, bot tokens, package registry credentials, and developer-side secrets |
| T1059 | Command and Scripting Interpreter | Execution through install hooks, shell commands, setup scripts, and CI task logic |
| T1027 | Obfuscated/Compressed Files and Information | Encoded or disguised payload logic to resist static review and simple scanning |
| T1071 | Application Layer Protocol | Exfiltration and command traffic over standard web protocols |
| T1078 | Valid Accounts | Abuse of authenticated maintainer, bot, registry, or CI identities after compromise |
These behaviors map into familiar ATT&CK categories, but the supply chain context shifts the control plane upstream into:
- Identity and trust for maintainers, bots, and publishers
- Dependency and action governance
- CI/CD architecture and workflow design
- Build-time and install-time execution control
- Developer tooling and extension governance
Security teams must operate in these areas in partnership with developers and platform engineers.
The current wave of software supply chain attacks succeeds because attackers understand how modern software delivery works. They target the humans, bots, workflows, and distribution channels that defenders already trust. They preserve normal functionality, steal authenticated context, and expand laterally across adjacent tooling ecosystems—exploiting the fact that many organizations still separate software trust, cloud trust, CI trust, and endpoint trust into different silos.
The incidents covered here—Axios, Shai-Hulud 2.0, tj-actions/reviewdog, TeamPCP, PyPI credential-harvesting campaigns, VS Code extension abuse, and dependency confusion attacks—share a common attacker model: gain upstream access, inherit trust, harvest secrets, and propagate downstream. Defending against this requires treating dependency resolution, CI workflow design, maintainer identity, and extension governance as first-class security controls—not afterthoughts.