BGDon 🇨🇦 🇺🇸 👨‍💻4d ago

Recent software supply chain attacks - yowers!

In March, popular open source tools Trivy and Axios were compromised with malware, and we won't know the full blast radius for months.

Axios was breached by North Korean hackers who turned it into a malware delivery vehicle for about three hours after attackers hijacked a maintainer's account and slipped a remote-access trojan (RAT) into two seemingly legitimate releases.

Trivy was hacked by a loosely knit band of hackers called TeamPCP, who injected credential-stealing malware.

"Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data" ... https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/ #Hackers #Malware #Software #OpenSource #SoftwareSupplyChain #Trojan #CyberSecurity #Security #Trivy #Axios

grasteApr 11

https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/ #trivy

"TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security in late February, then injected credential-stealing malware into the scanner on March 16 through the binary, GitHub Actions, and container images. This malware hoovered up CI/CD secrets, cloud credentials, SSH keys, and Kubernetes configuration files, and planted persistent backdoors on developers' machines. It also gave the attacks an initial access vector into several other open source tools.

Then, on March 23, the same crew used CI/CD secrets stolen from the Trivy intrusion to inject the same malware into open source static analysis tool KICS, maintained by Checkmarx. Days later, TeamPCP published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline."

Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise

FEATURE: Time to start dropping SBOMs

The Register
HabrApr 6

[Перевод] Отчёт PSF об инциденте атаки на цепочку поставок LiteLLM/Telnyx + рекомендации

В этой статье рассмотрены две недавние атаки на цепочку поставок, направленные на пользователей популярных пакетов PyPI — litellm и telnyx. Также описаны рекомендации разработчикам и сопровождающим Python о том как подготовиться и защитить свои проекты.

https://habr.com/ru/articles/1019638/

#pypi #litellm #telnyx #security #атака_на_цепочку_поставок #best_practices #безопасность #python #trusted_publishers #trivy

Отчёт PSF об инциденте атаки на цепочку поставок LiteLLM/Telnyx + рекомендации

В этом статье мы подробно рассмотрим две недавние атаки на цепочку поставок популярных пакетов PyPI — litellm и telnyx. Мы также предоставим разработчикам и сопровождающим Python...

Хабр
NeoApr 5
Frühlingserwachen in der Pipeline: Wer hat schon mal Container-Images mit über 100 Vulnerabilities laufen lassen? Ich. Deshalb schwöre ich auf Trivy – scannt lokal, blitzschnell und ohne Cloud-Zwang. Macht euren DevOps-Spring-Clean! #DevOps #Security #Linux #Trivy
hackmacApr 4
Ein Angriff über das kompromittierte Open-Source-Tool Trivy hat offenbar die IT-Infrastruktur von Sportradar – einem der weltweit führenden Sportdatenanbieter mit über 1 Mrd. € Umsatz – erschüttert. Nicht Sportradar selbst wurde gehackt – sondern ein Tool, dem Sportradar (wie viele andere Unternehmen) vertraut hat. Trivy, ein weit verbreiteter Open-Source-Sicherheitsscanner. #SupplyChain #Sportradar #Trivy #Hackerangriff #Cybercrime
Late Night OwlApr 3
For a community claiming it is not a supplier, open-source seems to have a lot of supply-chain attacks lately.
#axios #trivy
The Threat CodexApr 3
TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments
#TeamPCP #CVE_2026_33634 #Trivy #ShinyHunters
https://isc.sans.edu/diary/32864
Security LandApr 3

🚨 Over the past two weeks, two massive, overlapping campaigns—TeamPCP’s "blitzkrieg" on security tools like Trivy and Checkmarx, and UNC1069's devastating RAT deployment via the Axios library—have compromised thousands of CI/CD pipelines.

Read the full deep-dive and get the immediate mitigation steps here: https://www.security.land/2026-supply-chain-attacks-teampcp-trivy-axios/

#SecurityLand #BreachBreakdown #SupplyChainAttack #NPM #Cybersecurity #Axios #Trivy #TeamPCP #UNC1069

March 2026 Supply Chain Attacks: TeamPCP & Axios Analyzed

A technical breakdown of the March 2026 supply chain attacks, examining how threat actors like TeamPCP and UNC1069 compromised Trivy, LiteLLM, and Axios—and how to stop them.

Security Land | Decoding the Cyber Threat Landscape
Python RennesApr 3

RE: https://fosstodon.org/@pypi/116335453780319113

rapport d'incident par @miketheman & @sethmlarson sur la corruption de #liteLLM & #Telnyx via #Trivy : https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack/

Conseils :
- délai de précaution dans la montée de version des dépendances
-- pip.conf
[install]
uploaded-prior-to = P3D
-- uv.toml / pyproject.toml
[tool.uv]
exclude-newer = "P3D"
- utiliser un lockfile pour les dépendances transitives
- publication : par le trusted publishing, surveiller les PR touchant aux workflows de CI

#Python #PyPI #cybersécurité #supplychain

d33p.jsApr 1

A useful reminder from the last few days, I think: security tooling is part of the attack surface - maybe that aren't news.

But: If scanners, GitHub Actions or container images get compromised, this is not just a supply chain problem on paper. It hits the exact layer we **usually** trust to keep the rest safe.

Feels like a good time to ask: where are we still too loose on pinning, still trusting `latest`, or still assuming third-party actions are probably fine?

I think we need to find the right balance between `latest` and waiting days or even weeks to update a component (especially if it's an security patch).

#axios #trivy #supplychain #supplychainsecurity #cybersecurity #security