TL;DR

March 2026 showed how fast software supply-chain attacks can jump from one toolchain to another: poisoned GitHub Actions, backdoored PyPI releases, and malicious npm packages all hit within days. If your business runs Node, Python or GitHub Actions, the immediate priorities are to pin Actions to commit SHAs, verify lockfiles in CI, rotate any secrets exposed to builds, and turn on automated dependency monitoring with Dependabot or Renovate.​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​​​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

Why this matters for Australian SMBs right now

Most Australian SMBs do not build software from scratch anymore. They assemble it from npm packages, PyPI libraries, GitHub Actions, Docker images and SaaS integrations. That is efficient, but it also means one poisoned dependency can land inside production, CI runners or developer laptops before anyone notices.

What changed in March 2026 was the speed and chaining. Attackers did not just publish fake packages. They moved through trusted release pipelines, stole tokens from CI environments, and used those credentials to compromise legitimate projects downstream. For SMBs, that means the blast radius is no longer limited to “developers using obscure packages”. It can hit your website, internal apps, customer portal, billing

workflows and cloud credentials in one go.​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​​​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

Incident 1: GitHub Actions hijacking turned CI into the attack path

One of the biggest wake-up calls was the compromise of widely used GitHub Actions connected to Trivy and later Checkmarx-related workflows. Reports indicate attackers force-moved version tags to malicious commits, meaning teams using references such as @v1 or @main could unknowingly pull attacker-controlled code into their pipeline.

The blast radius was ugly because CI runners are high-trust systems. They commonly hold cloud credentials, package publishing tokens, container registry secrets and deployment keys. In practice, a poisoned Action can read environment variables, dump secrets from runner memory, and exfiltrate tokens while the job still appears to complete normally.

What SMBs should do now:

  • Replace tag-based Action references with full commit SHAs.
  • Restrict GITHUB_TOKEN permissions to the minimum required per workflow.
  • Review workflows using pull_request_target, especially where untrusted code can execute.
  • Rotate any secrets available to CI runners if affected Actions ran during the exposure window.

For example, this is safer:

- uses: aquasecurity/trivy-action@57a97c7e4c9b...

Not this:

- uses: aquasecurity/trivy-action@v0.35.0

Incident 2: PyPI compromises showed “install” can be enough

The PyPI compromises involving litellm and telnyx were especially dangerous because they were not typo-squats. They were malicious releases of legitimate packages. In the LiteLLM case, reporting indicates one release used a .pth file so code executed automatically when the Python interpreter started. That is worse than a normal malicious import because the payload can run even if the package is not directly called in the obvious way.

The likely blast radius included developer machines, CI workers, containers and any host that installed the affected versions. Once executed, the malware reportedly targeted environment variables, SSH keys, cloud credentials, Kubernetes data and other local secrets.

What SMBs should do now:

  • Search artefacts, Dockerfiles and lockfiles for affected versions.
  • Treat any host that installed those versions as potentially credential-exposed.
  • Rebuild affected containers from clean base images.
  • Rotate PyPI tokens, cloud keys and SSH credentials that were reachable from those environments.
  • Prefer trusted publishing and minimise long-lived package registry tokens.

For Python teams, lock dependencies tightly and review transitive changes with every update, not just top-level packages.

Incident 3: npm backdoors proved one package can hit millions fast

The axios incident was a reminder that npm’s scale turns a short-lived malicious release into a mass exposure event. Backdoored versions were reportedly pushed via a compromised maintainer account, with malware delivered through dependency and install-chain behaviour. For any SMB using Node-based websites, API back ends, serverless functions or internal tooling, a package like axios is exactly the kind of dependency that spreads everywhere.

The real risk is not only direct use. Transitive dependencies can pull in a poisoned version during a normal install if your lockfile changes, a fresh environment resolves differently, or a permissive version range such as ^1.x is allowed to float.

What SMBs should do now:

  • Commit lockfiles and fail CI if they change unexpectedly.
  • Use npm ci in CI, not npm install, so builds match the committed lockfile.
  • Review lifecycle scripts and consider blocking unnecessary postinstall execution.
  • Audit for unexpected new dependencies after every update.

For Node teams, a simple detection step is powerful:

  • Run git diff package-lock.json or pnpm-lock.yaml on every PR.
  • Alert on new packages, publisher changes, or unexpected script hooks.
  • Compare lockfile integrity hashes between trusted and current builds.

What your business should implement this week

First, lock down dependency resolution. Node teams should use npm ci or pnpm install --frozen-lockfile. Python teams should use pinned requirements, hashes where practical, and reproducible builds.

Second, automate safe updates. Turn on Dependabot or Renovate so updates arrive in small, reviewable pull requests instead of giant quarterly catch-ups. Configure them to:

  • group patch updates sensibly;
  • require CI to pass before merge;
  • label high-risk updates for manual review;
  • block GitHub Actions updates unless pinned to SHAs.

Third, add CI guardrails:

  • verify lockfiles are unchanged unless intentionally updated;
  • fail builds if GitHub Actions are not SHA-pinned;
  • scan for new install scripts, .pth files, or unexpected package contents;
  • keep secrets out of build environments unless absolutely required.

Fourth, assume exposed tokens are burned. If a compromised dependency or Action touched a runner, rotate credentials immediately. Minimal permissions matter: read-only tokens, short-lived credentials and separate publishing identities reduce the damage.

FAQ

Yes. Attackers often go after scale, not brand name. If your business uses common developer tooling, you can be collateral damage in a mass campaign even if nobody is targeting you specifically.

No. Several March 2026 incidents involved legitimate, widely trusted projects. Trusting the package name alone is no longer a control.

Pin every third-party Action to a full commit SHA and reduce token permissions. That cuts off one of the most common workflow-hijack paths.

No. One is enough if configured properly. The important part is automated, reviewable dependency updates with CI enforcement and lockfile verification.

Conclusion

The March 2026 supply-chain incidents were not isolated bugs. They were proof that npm, PyPI and GitHub Actions now sit on the front line of business risk. For Australian SMBs, the practical response is clear: pin Actions to SHAs, enforce lockfile integrity, automate dependency updates safely, and rotate any secrets exposed to CI or developer machines.

If your team wants help checking whether your current Node, Python and CI pipeline setup would survive the next wave, visit consult.lil.business for a free cybersecurity assessment.

References

  1. Datadog Security Labs: LiteLLM and Telnyx compromised on PyPI
  2. GitLab: Pipeline security lessons from March supply chain incidents
  3. GitHub Docs: Use immutable releases and pin GitHub Actions to a full-length commit SHA
  4. ACSC: Software supply chain security guidance
  5. PyPI Docs: Trusted Publishers
  6. Dependabot documentation

TL;DR

  • A popular tool for programmers had a bad version that stole secret passwords
  • The bad code was hidden inside a helpful extension called Trivy
  • It specifically targeted AI coding assistants to steal information
  • Any business using this tool needs to change all their passwords right now

What Is Trivy and Why Do Programmers Use It?

Imagine you have a robot helper that checks your homework for mistakes before you turn it in. Trivy is like that robot, but for computer programmers. It looks through their code to find security problems so they can fix them before bad guys find them first [1].

Programmers install Trivy as an extension in their coding software (called VS Code)—kind of like adding a new app to your phone. Extensions are supposed to be safe and helpful. But someone found a way to sneak bad code into version 1.8.12 of the Trivy extension [2].

It's like if someone replaced your homework-checking robot with a fake that secretly copies your work and sends it to strangers.

How Did the Bad Code Steal Secrets?

Here's where it gets tricky. Modern programming often uses AI assistants—like smart helpers that can write code, answer questions, and help programmers work faster [3]. These AI assistants need to see the code you're working on to help you.

The bad code in Trivy was designed to spy on these AI assistants. Every time the AI looked at the code to help, the bad code was also watching—stealing passwords, secret keys, and private information [4].

Think of it like this: imagine you have a study buddy who helps you with homework. But someone sneaks a tape recorder into your study buddy's bag. Now everything you say and write is being secretly recorded and sent to strangers.

Why This Is So Dangerous

This attack is scary for three big reasons:

1. It Came from a Trusted Tool

Programmers trusted Trivy to help them stay safe. They didn't expect it to be the thing attacking them. It's like trusting your locker to keep your backpack safe, but someone secretly cut a hole in the back [5].

2. It Stole Everything Important

The stolen secrets weren't just passwords—they were the keys to everything: cloud accounts, databases, private files. It's like someone stealing not just your house key, but your school locker, your diary, and your phone passcode all at once [6].

3. No One Noticed Right Away

This isn't like someone breaking a window. The bad code was quietly hiding in plain sight, doing its stealing without making any noise. That's why it's called a "supply chain attack"—it attacks the tools you trust, not your computer directly [7].

What Businesses Need to Do Right Now

If your business uses programming tools or has developers who code, here's what needs to happen:

1. Find and Remove the Bad Version

Check if version 1.8.12 of the Trivy extension is installed anywhere. If it is, remove it immediately—like finding a rotten apple and throwing it out before it spoils the whole bunch [8].

2. Change Every Password That Might Have Been Stolen

Every password, every secret key, every login that could have been seen while the bad code was running needs to be changed. It's a lot of work, but it's like changing all the locks on your house after losing your keys [9].

3. Check for Strange Activity

Look at the records of where your computers have been connecting. Are there connections to places you don't recognize? That might be the bad code sending your secrets to strangers [10].

4. Be Careful What You Install

Just because an extension is popular doesn't mean it's always safe. Check who made it, read reviews, and only install from sources you trust. It's like not accepting candy from strangers—you have to be careful about what you let into your computer [11].

The Big Lesson: Even Helpful Tools Can Be Tricky

The scary thing about this attack is that Trivy was supposed to help programmers stay safe. It was a tool designed to find security problems. But someone figured out how to turn it into a weapon [12].

This is happening more and more as we use AI and smart tools in everything we do. Every tool that has access to your information is like a door—and bad guys are always looking for doors they can sneak through [13].

FAQ

Yes, but not version 1.8.12. Other versions are safe. The bad version has been removed from the app store. If you update to a newer version, you're protected [14].

If your company has programmers who use VS Code and they installed the Trivy extension around March 2026, you need to check which version they have. Version 1.8.12 is the dangerous one [15].

Sometimes attackers want to steal secrets to sell them. Other times they want to break into systems later using the stolen passwords. And sometimes they just want to cause trouble. Whatever the reason, they're looking for ways to get into places they shouldn't be [16].

This attack specifically targeted programming tools. But the same idea—tricking people into installing bad software—happens with regular apps and games too. That's why you should only download from official sources and be careful with permissions [17].

References

[1] OffSec Radar, "CVE-2026-28353: CWE-506: Embedded Malicious Code in aquasecurity trivy-vscode-extension," OffSec Threat Radar, March 5, 2026. [Online]. Available: https://radar.offseq.com/threat/cve-2026-28353-cwe-506-embedded-malicious-code-in--facddd89

[2] Ibid.

[3] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/

[4] OffSec Radar, "CVE-2026-28353," 2026.

[5] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security

[6] OffSec Radar, "CVE-2026-28353," 2026.

[7] CISA, "Software Supply Chain Security," 2025.

[8] OffSec Radar, "CVE-2026-28353," 2026.

[9] Ibid.

[10] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

[11] OffSec Radar, "CVE-2026-28353," 2026.

[12] Ibid.

[13] Flashpoint, "Navigating 2026's Converged Threats," 2026.

[14] OffSec Radar, "CVE-2026-28353," 2026.

[15] Ibid.

[16] CISA, "Software Supply Chain Security," 2025.

[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.

Worried about your development tools? Book a free cybersecurity consultation at consult.lil.business—we'll help you build a secure development environment.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation