Two different attackers poisoned popular open source tools
Two separate attackers poisoned Trivy and Axios open source tools in March 2026, stealing secrets from tens of
Summary
In March 2026, two distinct threat groups compromised popular open source projects: TeamPCP infected Trivy (vulnerability scanner with 100K+ users) and subsequently KICS, LiteLLM, and Telnyx via stolen CI/CD credentials; North Korean-linked attackers separately compromised Axios (100M weekly downloads, 80% of cloud environments). Both campaigns used social engineering and malware injection to steal credentials, API keys, and SSH keys from developer environments, with impacts expected to unfold over months.
Full text
Security 29 Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise 29 Time to start dropping SBOMs Jessica Lyons Sat 11 Apr 2026 // 11:11 UTC FEATURE Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands – if not more – organizations. We won't know the full blast radius for months. Both targeted popular open source projects that are used by a ton of organizations and integrated into countless software products, apps, and developer environments. First, attackers hit Trivy, a vulnerability scanner with more than 100,000 users and contributors that is embedded in thousands of CI/CD pipelines. Up next: Axios, an open-source JavaScript library that has about 100 million weekly downloads and runs in 80 percent of cloud and code environments. <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0" alt=""> </a> "Both of these campaigns will likely play out over several months," Mandiant Consulting CTO Charles Carmakal told The Register. "The data that was taken a few weeks ago will likely be leveraged this week, next week, next month – probably for several months – and the blast radius will continue to expand." <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0" alt=""> </a> <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" alt=""> </a> Although executed by different attackers – Axios by North Korean-linked goons, and Trivy et al. by a loosely knit band of smash-and-grab miscreants called TeamPCP – both had similar end goals, a deep understanding of developer environments, and advanced social engineering skills. According to security experts, the incidents demonstrate the future of supply-chain attacks. <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0" alt=""> </a> "We are seeing more and more developers targeted by this type of activity," Cisco Talos outreach lead Nick Biasini told The Register. "Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat." It's going to become even more frequent as attackers use AI to make their social engineering campaigns more believable and hyper-personalized to targeted people and organizations, Biasini added. "In today's world, with AI and the kind of public personas that people keep, it's increasingly easy to build attacks," he said. "If there's a lot of money at stake, there's going to be a lot of people running to cash in. So with this success, I expect to see more." Vuln scanner as initial attack vector TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security in late February, then injected credential-stealing malware into the scanner on March 16 through the binary, GitHub Actions, and container images. This malware hoovered up CI/CD secrets, cloud credentials, SSH keys, and Kubernetes configuration files, and planted persistent backdoors on developers' machines. It also gave the attacks an initial access vector into several other open source tools. Then, on March 23, the same crew used CI/CD secrets stolen from the Trivy intrusion to inject the same malware into open source static analysis tool KICS, maintained by Checkmarx. Days later, TeamPCP published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline. <a href="https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" target="_blank"> <img src="https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ad2vTO_m7On79BNuEd1YyQAAA4w&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0" alt=""> </a> "I think they went after security tools deliberately," Ben Read, who leads the cyber threat intel team at Wiz, told The Register. "It could be giving the finger to people and brashness, or they saw a market opportunity because odd things happen in security environments, and they don't get watched as closely. But the bigger picture is: This stuff is very accessible." TeamPCP, the group behind the Trivy and other open source supply chain attacks, first showed up on the cybercrime scene at the end of 2025, targeting cloud environments in data-theft and extortion operations. Their style was very much smash-and-grab. It was primarily about speed, just grabbing everything, and getting out quickly. Researchers at Flare, a threat exposure management provider, were among the first to sound the alarm about TeamPCP. In December, Flare detailed how the hacking crew exploited misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications. After compromising one workload, the criminals used that access to move laterally across entire clusters, monetizing stolen data for ransom and using exposed infrastructure for crypto-mining, proxy networks, scanning, and data hosting. "The operation's goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency," Flare analysts wrote at the time. "Initially, there's not a ton to distinguish them from the other, relatively noisy, financially motivated groups claiming stuff online," Read said. Infosec researchers believe TeamPCP is a loosely knit group of young people, primarily English speakers inspired by influencer culture and YouTube trends. The miscreants like to brag about their exploits o
Indicators of Compromise
- malware — Credential-stealing malware (Trivy/KICS injections)