supply chain attack
4 mentions across all digests
A supply chain attack is a cyberattack that compromises a trusted software package or maintainer account in order to distribute malicious code to downstream users, as demonstrated by the March 2026 axios npm compromise and the Trivy scanner incident, in which stolen credentials were used to inject malware that exfiltrated pipeline secrets.
Widely used Trivy scanner compromised in ongoing supply-chain attack
Aqua Security's Trivy vulnerability scanner was compromised via stolen credentials, allowing attackers to inject malware into 75+ pipeline action tags that silently exfiltrate GitHub tokens, cloud credentials, and SSH keys to attacker servers.
OpenAI's response to the Axios developer tool compromise
Compromised Axios library exposed OpenAI's macOS app-signing pipeline in March 2026, risking counterfeit app distribution despite no user data breach—forcing swift certificate updates and mandatory client upgrades.
Post Mortem: axios NPM supply chain compromise
Axios maintainer account compromised via RAT malware, injecting remote access trojans into npm versions 1.14.1 and 0.30.4 via a fake plain-crypto-js dependency for 3 hours on March 31.
Hackers slipped a trojan into the code library behind most of the internet. Your team is probably affected
Hackers compromised the axios maintainer token to distribute a remote access trojan through npm, exposing nearly all JavaScript projects and CI/CD pipelines worldwide to direct attacker access.