惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
F
Fortinet All Blogs
Cisco Talos Blog
Cisco Talos Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Secure Thoughts
美团技术团队
雷峰网
雷峰网
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
月光博客
月光博客
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
I
Intezer
博客园 - 【当耐特】
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
GbyAI
GbyAI
罗磊的独立博客
V
V2EX
Google DeepMind News
Google DeepMind News
D
DataBreaches.Net
Last Week in AI
Last Week in AI
T
Tailwind CSS Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
A
About on SuperTechFans
Scott Helme
Scott Helme
Vercel News
Vercel News
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
C
CERT Recently Published Vulnerability Notes
G
Google Developers Blog
B
Blog
博客园 - 叶小钗
WordPress大学
WordPress大学
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
IT之家
IT之家
C
Cybersecurity and Infrastructure Security Agency CISA
P
Palo Alto Networks Blog
小众软件
小众软件
博客园 - Franky
Microsoft Azure Blog
Microsoft Azure Blog
AWS News Blog
AWS News Blog

Martin Alderson

Winners and losers in the coming AI margin collapse (part 2) GLM 5.2 and the coming AI margin collapse (part 1) Expert-aware quantisation: near-Q4 quality at near-Q2 size? A brief history of KV cache compression developments xAI is looking more like a datacentre REIT than a frontier lab Is datacentre sovereignty really that important? I went on the Built for Turbulence podcast What's going on with Gemini? Managed agents are the new Lambda Open weights are quietly closing up - and that's a problem 29th August 2026: a scenario Figma's woes compound with Claude Design A little tool to visualise MoE expert routing Has Mythos just broken the deal that kept the internet safe? What next for the compute crunch? Using agents and Wine to move off Windows Why Claude's new 1M context length is a big deal How to use the Qwen 3.5 LLMs to OCR documents No, it doesn't cost Anthropic $5k per Claude Code user Is the AI Compute Crunch Here? Why on-device agentic AI can't keep up Using OpenCode in CI/CD for AI pull request reviews Which web frameworks are most token-efficient for AI agents? Who fixes the zero-days AI finds in abandoned software? Attack of the SaaS clones How to generate good looking reports with Claude Code, Cowork or Codex Self-improving CLAUDE.md files Wall Street just lost $285 billion because of 13 markdown files Two kinds of AI users are emerging. The gap between them is astonishing. Turns out I was wrong about TDD Why sandboxing coding agents is harder than you think The Coming AI Compute Crunch Which programming languages are most token-efficient? I ported Photoshop 1.0 to C# in 30 minutes Why I'm building my own CLIs for agents Travel agents took 10 years to collapse. Developers are 3 years in. Are we dismissing AI spend before the 6x lands? Minification isn't obfuscation - Claude Code proves it AI agents are starting to eat SaaS Has the cost of building software just dropped 90%? Are we in a GPT-4-style leap that evals can't see? I Finally Found a Use for IPv6 How I use Claude Code to manage sysadmin tasks Could Excel agents unlock $1T in economic value? Are we really repeating the telecoms crash with AI datacenters? A non-technical CFO is shipping better code than the agencies he hired Tracking MCP Server Growth Notes from MCP Dev Summit Europe: Where the Protocol Is Headed How I make CI/CD (much) faster and cheaper Google AI Studio API has been unreliable for the past 2 weeks What happens when coding agents stop feeling like dialup? Solving Claude Code's API Blindness with Static Analysis Tools Are OpenAI and Anthropic Really Losing Money on Inference? I gave Claude Code a folder of tax documents and used it as a professional tax agent Beyond the Hype: Real-World MCP Support Across Major AI APIs Welcome to My Blog
Telnyx, LiteLLM and Axios: the supply chain crisis
Martin Alderson · 2026-03-31 · via Martin Alderson

While the world's been watching physical supply chains, a different kind of supply chain attack has been escalating in the open source ecosystem.

The issue

Over the past week a group of bad actors have been compromising various open source projects, pushing malicious versions of libraries which inject a trojan that collects sensitive data from systems that install the malicious version.

Ironically, the first attack started with Trivy, an open source package for finding security vulnerabilities.

The scale of the issue is growing and is alarming. This wave of attacks started with some smaller libraries, then started to hit more popular packages in the supply chain with Telnyx, a popular package for voice and SMS integration. This had ~150k/week downloads on the affected package.

LiteLLM was next - a much more popular package for calling various APIs. This had ~22M/week downloads.

Finally, and most concerning, the npm package for axios - an incredibly widely used library for calling APIs, was attacked on March 31st. This has at least 100M downloads a week and is a very core piece of software that is used in millions of apps.

There was a rapid reaction to each of these attacks to remove the malicious versions, but even in the hours they were up, tens of thousands of machines (and potentially far more) were likely compromised.

The attackers are leveraging stolen credentials from the previous attack(s) to then infect more packages in the supply chain. This creates a vicious cycle of compromises that continues to grow.

Equally, other systems are at risk - for every system that the attack compromises who happens to also be a developer of another software library, there are probably thousands of other developers who have unfortunately leaked very sensitive data to the attackers.

Not a new issue

This is not a new issue, and last year we saw the Shai-Hulud v1 and v2 attacks against the npm ecosystem which in two waves backdoored over 1,000 packages. The aim of this attack appears to have been to steal crypto - with reports suggesting $8.5m was stolen.

The infrastructure providers behind this supply chain did respond by putting various mitigations in place. The primary two were requiring published packages to use short-lived tokens - which reduces the impact of "old" credentials being able to publish new packages. It appears this has not solved the issue - given it seems these packages have managed to be published regardless.

The more invasive one is to allow developers to not install "brand new" packages. Instead, they get held for a time period - say 24 hours - with the idea being the community will (hopefully) detect malicious versions in the 24 hours and revoke them before they are installed.

This is a double edged sword though - as often you need rapid response to a vulnerable package to avoid security issues. This can be overridden manually - but it does introduce some overhead to response to urgent security flaws.

Finally, npm are rolling out staged publishing. This requires a separate step when publishing new versions of packages for a "trusted" human to do a check on the platform with two step verification to avoid automated attacks. However, given it seems developers computers' are being compromised it is not implausible to suggest that the attacker could also perform this step.

The broader picture

I'm extremely concerned about the cybersecurity risk LLMs pose, which I don't think is sufficiently priced in on the impact it is going to have outside of niche parts of the tech community. While it's hard to know for sure how the initial attacks were discovered, I strongly suspect they have been aided by LLMs to find the exploit(s) in the first place and develop subsequent attacks.

While this is conjecture, the number of exploits being found by non-malicious actors is exploding. I found one myself - which I wrote up in a recent post, still unpatched - in less than half an hour. There's endless other examples online.

So it seems to me that LLMs are acting as an accelerant:

Firstly, they make finding security vulnerabilities far easier - which allows the whole supply chain attack cycle to start. And the leaked rumours about the new Mythos model from Anthropic being a step change better than Opus 4.6 (which is already exceptionally good at finding security issues) means the direction of travel is only going one way.

Secondly, they allow attackers to build far more sophisticated attacks far quicker than before - for example, one of the attacks in this recent wave hid one exploit in an audio file.

Next, this is all happening while the infrastructure providers of the software supply chain are on the back foot with improving mitigations.

xkcd 2347: Dependency - all of modern digital infrastructure resting on a project some random person in Nebraska has been thanklessly maintaining since 2003

xkcd 2347

Finally, so much of the software ecosystems' critical security infrastructure is maintained by volunteers who are often unpaid. As always, the above image illustrates the point far better than words can.

To reiterate - it may be that this is just a well resourced group that could have done all this without LLMs. But given adoption of coding agents is so high in the broader developer community, it seems far fetched to say they wouldn't be used for nefarious means.

Fundamentally, these attacks are possible because OSes (by default) are far too permissive and designed in a world where software is either trusted or not. The attempts to secure this - by trusting certain publishers - falls down for both agents and supply chain attacks because agents can use trusted software in unexpected ways, and if the trusted authors of the software are compromised it bypasses everything.

We need a new(ish) OS

Thinking a few steps ahead here, it seems to me that the core mitigations are (mostly) insufficient.

  • Any delay to publishing packages can backfire and introduce delays in responding to real security incidents
  • There is too much software - maintained or unmaintained - which is likely to be vulnerable
  • Much of this software, if it is maintained, is poorly resourced and is likely to burn out volunteers trying to resolve a flood of security issues in the near term

There are some things however that would help with the supply chain in particular:

  • Frontier labs donating compute and tokens to automatically scan every package update for potential signs of compromise before publishing. This would be an excellent use of their leading models

To me though I keep coming back to the realisation that the difficulty of sandboxing agents faces very similar challenges to helping mitigate the impact of this security issue.

iOS and Android were designed with this approach in mind - each app has very limited access to other apps and the OS as a whole. I think we need to move desktop and server operating systems to a similar model for this new world.

While this won't resolve all issues, it will dramatically reduce the "blast impact" of each attack and prevent the "virality" of many exploits from gathering traction.

The OS should know that npm install should only write package files to a certain set of folders and reject everything else. The OS should know a baseline of services a CI/CD run and what network calls it makes, to avoid connections to random command and control services. And like mobile OSes, one program shouldn't be able to read another programs files and data without explicit opt in.

If you've used sandbox mode in a coding agent, you will be familiar with this approach - all the pieces are there already. Qubes OS is probably the closest thing outside of mobile OSes to what I'm thinking we need to move to - a security focused Linux operating system which runs each app in a total self-contained VM.

It's an enormous undertaking to migrate the world's software to run like this, and perhaps governments should be allocating significant resources to open source projects to help them adopt this.