Three months into 2026, four significant software supply chain attacks have already been disclosed.

The targets: Trivy, a widely used container scanner. LiteLLM, a PyPI package. Telnyx, with over one million monthly downloads. And Axios, a widely used npm package.

These are not obscure packages. They sit inside CI/CD pipelines, developer environments, and production systems across the open-source ecosystem.

Software supply chain attacks continue to increase in frequency and impact, targeting widely used open-source packages and developer tooling. The early months of 2026 show exactly how that plays out in practice.

The Pattern Across All Four

In each case, attackers did not create fake packages. They gained unauthorized access to trusted projects or maintainer accounts and introduced malicious code into official releases. The malicious versions appeared authentic because they moved through the same registries, GitHub releases, and CI/CD integrations that teams rely on every day.

Once distributed, the injected payloads executed automatically. They ran during installation, import, or pipeline execution. No unusual behavior. No user interaction required.

The objective in every case: credential theft. Cloud keys, SSH keys, Kubernetes secrets, and environment variables were consistently targeted.

In the LiteLLM compromise, cryptocurrency wallet files were also collected. In multiple incidents, stolen credentials were then used to publish additional malicious packages, propagating the attack further across ecosystems.

Four Incidents, One Underlying Problem

Trivy v0.69.4 — CVE-2026-33634 · CISA KEV

Between February 27 and March 22, 2026, a threat group carried out a multi-phase attack that also affected more than 60 npm packages. It began with unauthorized repository access that persisted due to incomplete credential rotation. Attackers pushed a malicious release through official channels, then force-pushed tags on trivy-action and setup-trivy. Existing version references in thousands of workflows silently resolved to attacker-controlled code. The compromise has since been formally assigned CVE-2026-33634 and added to CISA's Known Exploited Vulnerabilities catalog.

LiteLLM 1.82.7 / 1.82.8

Compromised across two consecutive PyPI versions. The first embedded malicious code in the proxy server module, executing on import. The second introduced a malicious .pth file that executed automatically at Python interpreter startup, requiring no explicit import. Both versions matched the real project's metadata and did not correspond to any official GitHub release.

Telnyx 4.87.1 / 4.87.2

Delivered payloads hidden inside WAV audio files using steganography. On Windows, the payload installed a persistent executable in the Startup folder. On Linux and macOS, it collected sensitive data, encrypted it using AES-256-CBC and RSA-4096, and exfiltrated it via HTTP. With over one million monthly downloads, this was a high-impact compromise.

Axios 1.14.1 / 0.30.4

Compromised through a maintainer account takeover. Attackers pushed two unauthorized releases directly to npm. Those releases introduced a malicious dependency that connected to an external command-and-control server during installation. It then deployed a cross-platform remote access trojan across macOS, Windows, and Linux. Any environment that ran a standard install while those versions were live executed the payload automatically. Google Cloud Threat Intelligence, Microsoft, and Mandiant have since attributed this attack to a North Korean state-linked threat actor.

Why Security Tooling Is Now a Target

The Trivy compromise stands out for one specific reason.

Trivy is a security scanner. It runs inside CI pipelines specifically to find vulnerabilities. In early 2026, it was used as the delivery mechanism for credential-stealing malware across thousands of workflows.

The tools teams use to check for risk are not automatically exempt from it.

A scanner running with access to CI secrets is a high-value target. If it is not version-pinned, not monitored, and not isolated from production credentials, it is an exposure. Scanners should be treated like any other software dependency in the pipeline.

What These Incidents Require

These incidents highlight that preventing supply chain attacks requires both dependency hygiene and strong CI/CD security controls. The following practices help reduce exposure and limit the impact of compromised packages.

How RapidFort Is Addressing This