TL;DR

Between March and April 2026, three separate supply chain campaigns compromised packages across npm, PyPI, and GitHub Actions — exposing billions of weekly downloads to credential-stealing malware. If your business runs Node.js, Python, or any CI/CD pipeline and you haven't verified your lockfiles this month, you may already be affected. Here's what happened, what to check, and how to harden your defences today.​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​​​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​​‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌‌​​‌​‍​​‌‌​​‌​‍​​‌‌‌​​‌

Three Attacks, One Objective: Your Secrets

Supply chain attacks don't target your firewall. They target the packages you trust and install every day. Between March and April 2026, attackers executed three coordinated campaigns across npm, PyPI, and Docker Hub. Every payload had the same goal: steal credentials from developer machines and CI/CD pipelines.

The Axios npm RAT (March 2026). Attackers compromised the npm publish credentials for Axios — an HTTP client library with over 100 million weekly downloads — and pushed versions 1.14.1 and 0.30.4 containing a cross-platform remote access trojan. The malicious versions were live for approximately three hours before removal. Any project that ran npm install during that window may have i

nstalled the compromised package. The RAT could establish persistent remote access, exfiltrate data, and execute arbitrary commands.​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​​​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​​‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌‌​​‌​‍​​‌‌​​‌​‍​​‌‌‌​​‌

TeamPCP Cross-Platform Campaign (March–April 2026). A threat actor group tracked as TeamPCP systematically moved across ecosystems. They compromised the Trivy container security scanner, deployed a self-propagating npm worm across 40+ packages, pivoted to backdoor releases of LiteLLM and Telnyx on PyPI, and trojanised Checkmarx KICS Docker images and VS Code extensions. Each stage harvested credentials from the environment to fund the next compromise. The group's npm worm — tracked as CanisterSprawl — even jumped from npm to PyPI when it found cross-ecosystem publish tokens on victim machines.

elementary-data PyPI Hijack (April 2026). An attacker didn't need to phish a maintainer. Instead, they posted a malicious comment on a GitHub pull request that exploited a GitHub Actions script injection flaw in the project's workflow. This exposed the repository's GITHUB_TOKEN, which was then used to forge a signed commit and trigger the project's legitimate release pipeline. The result: a backdoored version 0.23.3 published to PyPI and a poisoned Docker image pushed to GitHub Container Registry — both appearing as official releases. The payload stole SSH keys, cloud credentials, crypto wallets, and environment variables.

What This Means for Australian SMBs

You don't need to be a Fortune 500 company to be in the blast radius. If you run a web app built with Node.js or Python, use Docker containers, or have a CI/CD pipeline on GitHub Actions, you're directly exposed.

The Axios compromise alone affected projects worldwide within hours. The elementary-data attack — with 1.1 million monthly downloads — primarily targeted data and analytics engineers, a role common in Australian fintech, healthtech, and SaaS companies. And the TeamPCP campaign's compromise of Trivy and Checkmarx KICS means your security tooling itself may have been weaponised against you.

Australian businesses face additional pressure from the Security of Critical Infrastructure Act 2018 and the growing expectations of the Australian Cyber Security Centre (ACSC). A supply chain compromise that leads to a data breach may trigger mandatory reporting obligations under the Privacy Act 1988 (Notifiable Data Breach scheme).

What to Do Right Now

1. Audit your lockfiles. Check package-lock.json, yarn.lock, and requirements.txt for the known compromised versions:

  • Axios: 1.14.1, 0.30.4
  • elementary-data: 0.23.3
  • Any @bitwarden/cli version 2026.4.0
  • Checkmarx KICS images tagged 1.20 or 1.21 between March and April 2026

If found, update immediately and rotate all credentials that were accessible during the exposure window.

2. Pin your dependencies to exact versions and commit SHAs. Floating version ranges (^1.0.0, >=1.0.0) are how compromised releases get silently pulled into your project. Pin to exact versions in production. For GitHub Actions, pin to full commit SHAs rather than tags:

# Insecure — tags can be force-pushed
uses: actions/checkout@v4

# Secure — pinned to an immutable commit
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

3. Enable automated dependency monitoring. Set up Dependabot or Renovate to open pull requests for dependency updates. This gives you visibility into what's changing and lets you review updates before they merge. However, be aware that automated bots can also fast-track malicious updates — always review changelogs before merging.

4. Harden your GitHub Actions workflows. The elementary-data attack succeeded because a pull request comment injected shell code into a workflow. Audit your workflows for untrusted input: never pass ${{ github.event.pull_request.title }} or similar variables directly into run: blocks. Use github.event.pull_request.title via environment variables instead. Set permissions: to minimum required scope on every workflow.

5. Rotate credentials proactively. If you ran any of the compromised packages, rotate all exposed secrets: npm tokens, PyPI tokens, GitHub PATs, AWS/GCP/Azure keys, SSH keys, and any API keys stored in environment variables.

FAQ

Can this happen even if I use private registries? Yes. Dependency confusion attacks exploit package name resolution between private and public registries. If a private package doesn't exist in your public registry configuration, an attacker can publish a malicious public package with the same name and a higher version number — and your build tool will install it automatically. Use scoped registries and explicitly configure resolution order.

How do I know if I'm already compromised? Check your lockfiles for the known compromised versions listed above. Review CI/CD logs from March and April 2026 for unexpected outbound connections, process spawning, or file access patterns. Scan developer machines for the indicators of compromise (IOCs) published in the StepSecurity and Socket advisories linked below.

Is Dependabot enough to protect me? Dependabot alerts you to known vulnerabilities, but it doesn't prevent you from installing a brand-new malicious package that hasn't been catalogued yet. The Axios RAT was live for three hours before removal — faster than most vulnerability databases could flag it. You need lockfile pinning, CI pipeline controls, and credential rotation as complementary layers.

What's the minimum viable supply chain security for a small team? Pin exact versions. Enable Dependabot. Pin GitHub Actions to commit SHAs. Run npm audit or pip-audit in CI. Review every dependency update before merging. Rotate credentials quarterly. That's the baseline. Anything less is rolling the dice.

Conclusion

Supply chain attacks in 2026 aren't theoretical. They're happening weekly, they're automated, and they're targeting the exact tools Australian businesses rely on every day. The blast radius of a single compromised package can cascade through your entire build pipeline, your cloud credentials, and your customer data.

The good news: the defences are straightforward. Pin versions, audit lockfiles, harden your CI workflows, and rotate credentials regularly. The bad news: most SMBs haven't done any of this yet.

Don't wait for a breach notification. Start with the checklist above, and if you need help assessing your exposure or hardening your pipeline, visit consult.lil.business for a free cybersecurity assessment.

References

  1. No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — GitGuardian
  2. PyPI package with 1.1M monthly downloads hacked to push infostealer — BleepingComputer
  3. The npm Threat Landscape: Attack Surface and Mitigations — Palo Alto Unit 42
  4. Software Supply Chain Attacks 2025–2026 — Cyber Army Security Research

TL;DR (Too Long; Didn't Read)

  • Trivy is a popular security scanner used by developers
  • Bad guys hacked the way Trivy connects to GitHub (not Trivy itself)
  • This let them steal passwords and keys from thousands of projects
  • It's like someone tampering with the security guard's uniform to sneak into buildings
  • If you use GitHub Actions, you need to check if this affected you

Imagine a Security Guard with a Fake Uniform

Picture a security guard company. The guards are good at their job. They check IDs, watch cameras, and keep buildings safe.

Now imagine someone breaks into the guard company's uniform supply. They add hidden pockets to the uniforms that copy every key the guards touch. The guards don't notice — they still do their job perfectly — but now someone is stealing copies of all the keys.

That's what happened to Trivy.

Trivy itself (the security scanner) wasn't hacked. The "wrapper" that lets Trivy work with GitHub Actions was compromised. And that wrapper had access to all the secrets and keys in thousands of projects.

What Is Trivy and Why Do Developers Use It?

Trivy is a tool that developers use to check their code for security problems. Think of it like a spell-checker, but for security vulnerabilities.

Developers use it because:

  • It finds known security issues automatically
  • It's free and open-source
  • It works with many programming languages
  • It integrates with GitHub Actions (automated workflows)

Trivy is used by thousands of projects worldwide.

What Are GitHub Actions?

GitHub is where developers store their code. GitHub Actions is a feature that lets developers automate tasks like:

  • Testing code when someone makes a change
  • Building and deploying applications
  • Running security checks (like Trivy)

When a developer adds an action to their project, they're essentially saying: "When X happens, run this tool for me."

The problem? GitHub Actions run with access to the project's secrets — passwords, API keys, cloud credentials, and other sensitive information.

How the Attack Worked

Here's what happened, step by step:

Step 1: The Bad Guys Got Access

Attackers somehow got control of the GitHub Action for Trivy. This might have been through:

  • Stealing a maintainer's password
  • Tricking someone into giving access
  • Exploiting a weakness in the system

Step 2: They Added Malicious Code

The attackers modified the action to do something extra: steal secrets. When the action ran, it would:

  1. Do its normal job (scanning for vulnerabilities)
  2. Secretly copy all the environment variables and secrets
  3. Send them to the attacker's server

Step 3: Thousands of Projects Were Affected

Every project that used the compromised version of the action had its secrets exposed. This includes:

  • Cloud provider credentials (AWS, Azure, Google Cloud)
  • Database passwords
  • API keys for services
  • Tokens that grant access to code repositories

Step 4: The Secrets Were Exploited

With these secrets, attackers could:

  • Access cloud servers
  • Read or modify databases
  • Push malicious code to repositories
  • Pivot to attack other systems

Why Supply Chain Attacks Are So Nasty

This type of attack is called a "supply chain attack" because it targets the tools and services that businesses rely on, rather than attacking the business directly.

Why they're so effective:

  1. Scale — Hack one tool, affect thousands of users
  2. Trust — People trust popular tools, so they don't think to check them
  3. Stealth — The tool still works normally, so nothing looks wrong
  4. Access — These tools often have privileged access to sensitive systems

It's like poisoning a popular brand of flour at the factory instead of breaking into individual bakeries. One attack affects every bakery that uses that flour.

How to Protect Your Business

If your business uses GitHub Actions (or similar tools), here are practical steps to stay safer:

1. Pin Actions to Specific Versions

Instead of using a version tag that can be changed (like @v2), use a specific commit SHA (like @a1b2c3d).

Bad:

uses: aquasecurity/trivy-action@v0.20.0

Better:

uses: aquasecurity/trivy-action@a1b2c3d4e5f6...

Why? Tags can be moved. An attacker could change what @v2 points to. But a commit SHA is like a fingerprint — it always refers to the exact same code.

2. Audit What Actions You Use

Make a list of every third-party action in your workflows. Ask:

  • Do we really need this action?
  • Is it maintained by someone reputable?
  • When was it last updated?
  • Are we using a tag or a SHA?

3. Limit What Secrets Actions Can Access

Don't give every workflow access to every secret. Use GitHub's environment protection features to:

  • Scope secrets to specific environments
  • Require approval for deployments
  • Limit which actions can access sensitive credentials

4. Rotate Secrets Regularly

If you think you might have been affected:

  1. Change all your passwords and keys immediately
  2. Revoke old API tokens
  3. Generate new credentials

Think of it like changing your locks if you think someone might have copied your keys.

5. Monitor for Unusual Activity

Watch your cloud provider logs for:

  • Logins from unexpected locations
  • API calls at unusual times
  • New resources being created
  • Data being accessed in strange patterns

What If You Were Affected?

If your project used the compromised Trivy action:

  1. Assume your secrets are compromised — even if you're not sure
  2. Rotate all credentials immediately — passwords, API keys, tokens
  3. Check your cloud provider logs for unauthorized access
  4. Review what data those credentials could access
  5. Consider if you need to notify customers (depending on what data was at risk)

Don't wait to be sure — act fast. The cost of rotating credentials is low. The cost of having stolen credentials used against you is high.

FAQ (Frequently Asked Questions)

No! The core Trivy security scanner wasn't compromised. The attack targeted the GitHub Action wrapper that integrates Trivy into CI/CD workflows. If you run Trivy locally on your computer (not through GitHub Actions), you weren't affected by this specific attack.

Check your GitHub Actions workflow files. If they reference aquasecurity/trivy-action with a version tag (like @v0.20.0) instead of a commit SHA, and if those workflows ran during the attack window (March 2026), you should assume you were affected and rotate your secrets.

A version tag (like v1.0.0) is a pointer that can be moved. An attacker who controls the repository can point v1.0.0 at malicious code. A commit SHA is a unique identifier for a specific version of code. It can't be changed without changing the identifier. Pinning to a SHA means you always get exactly the code you reviewed.

No! GitHub Actions is still a useful and popular tool. The key is to use it securely: pin to SHAs, limit secret access, monitor for unusual activity, and stay informed about security advisories.

Not completely — that's the nature of using third-party tools. But you can significantly reduce your risk by: pinning dependencies, using the principle of least privilege, monitoring for anomalies, and having an incident response plan.

The Bottom Line

Supply chain attacks are scary because they exploit trust. We trust popular tools, so we don't always verify them. But in today's world, that trust needs to be paired with verification.

Key takeaways:

  • Pin your actions to specific, immutable versions (SHAs)
  • Limit what secrets your workflows can access
  • Have a plan for rotating credentials quickly
  • Monitor for unusual activity
  • Stay informed about security incidents in tools you use

Security is about layers. No single protection is perfect, but together they make you a much harder target.

Worried about supply chain attacks on your development tools? lilMONSTER helps small businesses audit their CI/CD security, implement best practices, and respond to incidents like this. We make security simple and practical.

Book a supply chain security assessment →

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation