The March 2026 Supply Chain Attacks: How TeamPCP and UNC1069 Weaponized Developer Trust
A technical breakdown of the March 2026 supply chain attacks, examining how threat actors like TeamPCP and UNC1069 compromised Trivy, LiteLLM, and Axios—and how to stop them.
The software industry is currently navigating the fallout of the March 2026 supply chain attacks, a staggering sequence of compromises that has fundamentally shifted how we view developer infrastructure security. Over the span of just two weeks, we witnessed more than 50 successful supply chain intrusions targeting heavily relied-upon open-source tools. The reality we face is chilling: the very utilities built to secure our environments—vulnerability scanners, infrastructure-as-code linters, and foundational network libraries—were weaponized against us. If your continuous integration and continuous deployment (CI/CD) pipelines ran routine updates during this period, your environment must be treated as hostile until proven otherwise.
The Convergence of Two Distinct Threats
When the dust began to settle around the end of March, initial incident reports merged the chaos into a single narrative. However, cross-referencing telemetry from multiple threat intelligence groups now confirms we are dealing with two distinct, overlapping campaigns executed by separate advanced persistent threat (APT) groups.
The first is TeamPCP (tracked by some researchers as UNC6780). This actor executed a highly calculated, escalating "blitzkrieg" against security infrastructure, leveraging stolen credentials to create a self-propagating worm that infected packages at breakneck speed.
The second is UNC1069, a financially motivated, North Korea-nexus actor (also tracked as Sapphire Sleet). While TeamPCP was tearing through GitHub Actions, UNC1069 quietly compromised the lead maintainer account of axios, a JavaScript HTTP client with over 100 million weekly downloads, deploying a devastating cross-platform remote access trojan (RAT).
Both campaigns exploited the inherent trust developers place in package registries and automation. To defend against them, we must first dissect how they dismantled our standard defenses.
How They Did It: The TeamPCP Campaign (UNC6780)
TeamPCP’s operation was a masterclass in lateral movement within open-source ecosystems. They did not rely on exploiting zero-day vulnerabilities in code; they exploited the architecture of CI/CD pipelines.
Compromising the Protectors
On March 19, 2026, thousands of automated pipelines ran routine vulnerability scans using Aqua Security’s Trivy. Unbeknownst to the developers, TeamPCP had compromised an Aqua Security service account weeks prior. Instead of altering the core codebase where it might be detected by other researchers, the attackers force-pushed malicious code to 76 of the 77 trivy-action version tags on GitHub.
Because most developers do not pin their GitHub Actions to a specific cryptographic commit hash (SHA)—relying instead on mutable tags like @v1 or @latest—their pipelines automatically pulled the compromised scanner. As Trivy ran with elevated privileges to scan code, the injected credential stealer (dubbed SANDCLOCK) harvested cloud tokens, SSH keys, and npm publishing tokens directly from the CI runner's memory.
The 60-Second CanisterWorm Propagation
What happened next transformed a serious breach into a global crisis. Using the npm tokens stolen from the Trivy compromise, TeamPCP unleashed a self-propagating malware strain known as CanisterWorm.
On March 20, the worm automatically authenticated against the npm registry and infected packages maintained by internal enterprise namespaces such as @emilgroup and @opengov. In less than 60 seconds, dozens of packages were poisoned. Over the following days, the campaign cascaded into Checkmarx KICS, PyPI’s LiteLLM gateway, and the official Telnyx Python SDK.
Adding to the complexity, CanisterWorm utilized a decentralized blockchain command-and-control (C2) infrastructure. By leveraging an Internet Computer Protocol (ICP) canister as a dead-drop, the attackers rendered traditional domain takedowns and IP sinkholing entirely ineffective.
How They Did It: The Axios Compromise (UNC1069)
While the industry scrambled to contain TeamPCP, UNC1069 struck the JavaScript ecosystem's most vital artery. On March 31, 2026, the attackers hijacked the npm account of a primary axios maintainer (jasonsaayman).
The Illusion of Trusted Publishing
What makes the Axios attack terrifying is that the repository had adopted OIDC Trusted Publishing—a modern hardening measure promoted by npm to replace static legacy tokens. However, the old legacy keys were never revoked. The attackers simply used these forgotten keys to bypass the new security controls entirely.
Within a 39-minute window, UNC1069 published two malicious versions of Axios: 1.14.1 (tagged as 'latest') and 0.30.4 (tagged as 'legacy').
The plain-crypto-js Sleeper Payload
To avoid triggering novelty-based security scanners that alert on newly created packages, the attackers pre-staged a clean package called plain-crypto-js 18 hours before the main event. When the malicious Axios versions were published, they quietly declared plain-crypto-js as a dependency.
The trap relied on npm's lifecycle hooks. When a developer ran npm install axios, the package manager automatically resolved the dependency tree, downloaded plain-crypto-js, and triggered its postinstall script (node setup.js).
This setup.js dropper utilized a two-layer encoding scheme—string reversal combined with a position-dependent XOR cipher using the key OrDeR_7077—to hide its intent from static analysis. Once decoded, it silently downloaded a cross-platform RAT known as WAVESHAPER.V2 from the attacker's infrastructure at sfrclak[.]com.
WAVESHAPER.V2 and Anti-Forensic Cleanup
WAVESHAPER.V2 is not a generic, easily detectable script; it is a highly tailored framework deployed with platform-specific native implementations for Windows (PowerShell), macOS (C++), and Linux (Python). The malware beacons every 60 seconds over port 8000, awaiting instructions to exfiltrate data, enumerate directories, or deploy further binary payloads.
To evade post-incident detection, the initial node dropper executes a flawless 15-second anti-forensic cleanup. Upon launching the RAT, setup.js unlinks (deletes) itself, strips the postinstall hook from memory, and replaces the tampered package.json with a clean decoy file named package.md. Unless an endpoint detection and response (EDR) agent caught the transient execution in real-time, the only forensic evidence left behind is the presence of the plain-crypto-js folder in the node_modules directory and obscure references in the lockfile.
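Because the lockfile is one of the few places this evidence survives, the check can be automated. The following is an added example, not code from the original article or from npm: it reads a package-lock.json in either the v1 or the v2/v3 layout, flags the package and the two axios versions named above, and lists packages that declare install scripts for manual review. The sample lockfile, its placeholder versions and the package name native-addon-example are constructed.

```python
import json

# Indicators named in the article; the sample lockfile below is constructed.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_NAMES = {"plain-crypto-js"}

def iter_packages(lock):
    """Yield (name, version, meta) for npm lockfile v1, v2 and v3 layouts."""
    if "packages" in lock:
        # v2/v3: flat map keyed by install path; "" is the root project.
        for path, meta in lock["packages"].items():
            if path:
                name = meta.get("name") or path.rpartition("node_modules/")[2]
                yield name, meta.get("version", ""), meta
        return
    # v1: nested "dependencies" tree keyed by package name.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version", ""), meta
            stack.append(meta.get("dependencies", {}))

def scan_lockfile(text):
    """Return sorted (severity, name, version, reason) findings."""
    findings = set()
    for name, version, meta in iter_packages(json.loads(text)):
        if name in BAD_NAMES:
            findings.add(("critical", name, version, "package named in the report"))
        elif version in BAD_VERSIONS.get(name, ()):
            findings.add(("critical", name, version, "version named in the report"))
        elif meta.get("hasInstallScript"):
            # Set by npm in v2/v3 lockfiles when a package declares
            # preinstall/install/postinstall scripts: triage, not a verdict.
            findings.add(("review", name, version, "declares install scripts"))
    return sorted(findings)

# Constructed v3 lockfile; versions other than axios are placeholders.
SAMPLE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "0.0.0", "hasInstallScript": True},
    "node_modules/native-addon-example": {"version": "0.0.0", "hasInstallScript": True},
    "node_modules/some-lib/node_modules/axios": {"version": "1.0.0"},
}})

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE):
        print(*finding, sep="\t")
```

Run it against lockfiles recovered from build caches and artifact stores as well as the current checkout, since a later clean install may have rewritten the working copy.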
Why Traditional Defenses Failed
The March 2026 supply chain attacks successfully bypassed standard application security testing (AST) and software composition analysis (SCA) tools because they attacked the blind spots of developer workflows:
Mutable Version Tags: Trusting @v2 on a GitHub Action allows an attacker with push access to rewrite history and serve malware to millions of builds instantly.
Legacy Authentication Drift: Implementing state-of-the-art OIDC publishing is useless if old, static npm tokens are left active "just in case." Security controls that coexist with the mechanisms they are meant to replace provide a false sense of protection.
Unrestricted Lifecycle Scripts: Allowing arbitrary code execution during package installation (postinstall hooks) gives attackers a guaranteed vector for dropping stage-two payloads before a developer ever runs their actual application.
How to Stop the Next Attack: Immediate Mitigation Strategies
The velocity of these attacks means human intervention during an active compromise is impossible. By the time a vulnerability disclosure is published, the adversary has already stolen your cloud secrets. Your defense must be proactive and structural.
1. Enforce Cryptographic Pinning and Provenance
Never rely on mutable tags for your dependencies or CI/CD actions. Pin every GitHub Action to a full commit SHA. For package managers, strictly enforce lockfiles (package-lock.json, poetry.lock) and configure your CI runners to fail if a lockfile requires updating during a build process. Utilize tools that verify SLSA (Supply-chain Levels for Software Artifacts) provenance to ensure the package you are downloading was actually built by the source code you trust.
2. Audit Triggers and Rotate Secrets Aggressively
If your environments utilized Trivy, Checkmarx KICS, LiteLLM, or Axios between March 19 and April 3, 2026, you must assume breach.
Rotate Everything: AWS keys, GitHub Personal Access Tokens (PATs), npm publishing tokens, and database credentials accessible by your CI runners.
Audit CI Triggers: Review every GitHub workflow utilizing the pull_request_target trigger, as this frequently grants external forks dangerous access to repository secrets—a tactic widely abused to gain initial access.
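Both workflow checks, pinning from step 1 and the trigger audit above, can run as one pass over .github/workflows. This is an added example, not code from the original article or from GitHub: it uses a line-based scan rather than a full YAML parser, and it treats any mention of pull_request_target as something to review. The sample workflow, the 40-character SHA and example-org/example-action are constructed.

```python
import re
from pathlib import Path

USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-fA-F]{40}")

def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split(" #", 1)[0]  # drop trailing YAML comments
        if code.lstrip().startswith("#"):
            continue
        if re.search(r"\bpull_request_target\b", code):
            findings.append((no, "pull_request_target", code.strip()))
        m = USES.match(code)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images carry no git ref
        _, _, ref = m.group(1).partition("@")
        if not FULL_SHA.fullmatch(ref):
            findings.append((no, "unpinned-action", m.group(1)))
    return findings

def audit_repo(root):
    """Audit every workflow under <root>/.github/workflows."""
    report = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        found = audit_workflow(path.read_text(encoding="utf-8"))
        if found:
            report[path.name] = found
    return report

# Constructed workflow; the 40-character SHA is a made-up placeholder.
SAMPLE = """\
on:
  pull_request_target:
    types: [opened]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: aquasecurity/trivy-action@v1
      - uses: ./.github/actions/build
      - uses: example-org/example-action@latest
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding, sep="\t")
```

Wired into CI as a required check that fails on any finding, this keeps a new mutable tag from reaching the default branch unnoticed.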
3. Disable Lifecycle Scripts and Isolate Builds
Unless absolutely necessary, disable lifecycle scripts globally in your package manager configurations (e.g., npm config set ignore-scripts true). If a package genuinely requires a build step, audit the script manually before allowing it to run. Furthermore, run your CI/CD pipelines in ephemeral, isolated network environments with strict egress filtering. A build runner rarely needs outbound access to the open internet on port 8000.
4. Deploy Autonomous EDR on Developer Workstations
Developers hold the keys to the kingdom. Treat developer laptops with the same security rigor as production servers. Ensure your Behavioral AI and EDR solutions are set to block on execute, and avoid creating broad exclusions for developer tools like node.exe or python3. If a process attempts to write a hidden batch file to %PROGRAMDATA% or execute an AppleScript from /Library/Caches/com.apple.act.mond, your endpoint protection must sever the network connection instantly.
Conclusion
The dual shockwaves of TeamPCP and UNC1069 have permanently altered the cybersecurity landscape. We can no longer afford to view our build pipelines and dependencies as implicitly safe zones. Security in 2026 demands zero trust at the compiler level. Start by auditing your legacy tokens, pinning your actions, and locking down your post-install scripts today. Because in the modern software supply chain, a 15-second exposure is all an adversary needs to bring a business to its knees.
Have you detected indicators of compromise related to sfrclak[.]com or CanisterWorm in your environment? Double-check your lockfiles for plain-crypto-js and share your anonymized findings with the research community to help build stronger behavioral detections.
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape