TL;DR

Between March and April 2026, three separate supply chain campaigns compromised packages across npm, PyPI, and GitHub Actions — exposing billions of weekly downloads to credential-stealing malware. If your business runs Node.js, Python, or any CI/CD pipeline and you haven't verified your lockfiles this month, you may already be affected. Here's what happened, what to check, and how to harden your defences today.

Three Attacks, One Objective: Your Secrets

Supply chain attacks don't target your firewall. They target the packages you trust and install every day. Between March and April 2026, attackers executed three coordinated campaigns across npm, PyPI, and Docker Hub. Every payload had the same goal: steal credentials from developer machines and CI/CD pipelines.

The Axios npm RAT (March 2026). Attackers compromised the npm publish credentials for Axios — an HTTP client library with over 100 million weekly downloads — and pushed versions 1.14.1 and 0.30.4 containing a cross-platform remote access trojan. The malicious versions were live for approximately three hours before removal. Any project that ran npm install during that window may have installed the compromised package. The RAT could establish persistent remote access, exfiltrate data, and execute arbitrary commands.

TeamPCP Cross-Platform Campaign (March–April 2026). A threat actor group tracked as TeamPCP systematically moved across ecosystems. They compromised the Trivy container security scanner, deployed a self-propagating npm worm across 40+ packages, pivoted to backdoor releases of LiteLLM and Telnyx on PyPI, and trojanised Checkmarx KICS Docker images and VS Code extensions. Each stage harvested credentials from the environment to fund the next compromise. The group's npm worm — tracked as CanisterSprawl — even jumped from npm to PyPI when it found cross-ecosystem publish tokens on victim machines.

elementary-data PyPI Hijack (April 2026). An attacker didn't need to phish a maintainer. Instead, they posted a malicious comment on a GitHub pull request that exploited a GitHub Actions script injection flaw in the project's workflow. This exposed the repository's GITHUB_TOKEN, which was then used to forge a signed commit and trigger the project's legitimate release pipeline. The result: a backdoored version 0.23.3 published to PyPI and a poisoned Docker image pushed to GitHub Container Registry — both appearing as official releases. The payload stole SSH keys, cloud credentials, crypto wallets, and environment variables.

What This Means for Australian SMBs

You don't need to be a Fortune 500 company to be in the blast radius. If you run a web app built with Node.js or Python, use Docker containers, or have a CI/CD pipeline on GitHub Actions, you're directly exposed.

The Axios compromise alone affected projects worldwide within hours. The elementary-data attack — with 1.1 million monthly downloads — primarily targeted data and analytics engineers, a role common in Australian fintech, healthtech, and SaaS companies. And the TeamPCP campaign's compromise of Trivy and Checkmarx KICS means your security tooling itself may have been weaponised against you.

Australian businesses face additional pressure from the Security of Critical Infrastructure Act 2018 and the growing expectations of the Australian Cyber Security Centre (ACSC). A supply chain compromise that leads to a data breach may trigger mandatory reporting obligations under the Privacy Act 1988 (Notifiable Data Breach scheme).

What to Do Right Now

1. Audit your lockfiles. Check package-lock.json, yarn.lock, and requirements.txt for the known compromised versions:

  • Axios: 1.14.1, 0.30.4
  • elementary-data: 0.23.3
  • Any @bitwarden/cli version 2026.4.0
  • Checkmarx KICS images tagged 1.20 or 1.21 between March and April 2026

If found, update immediately and rotate all credentials that were accessible during the exposure window.
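One way to run this audit across a repository, as an added example that is not tooling from the original post: the script below scans a package-lock.json (both the lockfile v1 tree and the v2/v3 packages map), a requirements.txt, and the output of pip list for the versions listed above, plus the LiteLLM versions 1.82.7 and 1.82.8 named later on this page. The file contents it scans are constructed samples; yarn.lock is not parsed here.

```python
"""Scan lockfiles and pip output for the compromised versions listed above.

Added example for this audit step; it is not tooling from the original post.
BLOCKLIST holds only versions named on this page; the sample inputs below are
constructed for the demonstration.
"""
import json
import re
from typing import Dict, List, Set, Tuple

BLOCKLIST: Dict[str, Set[str]] = {
    "axios": {"1.14.1", "0.30.4"},
    "elementary-data": {"0.23.3"},
    "@bitwarden/cli": {"2026.4.0"},
    "litellm": {"1.82.7", "1.82.8"},
}

Finding = Tuple[str, str, str]  # (where it was found, package, version)


def _hit(source: str, name: str, version: str) -> List[Finding]:
    return [(source, name, version)] if version in BLOCKLIST.get(name, set()) else []


def _pypi_name(raw: str) -> str:
    # PEP 503 normalisation: "Elementary_Data" and "elementary-data" are the same project
    return re.sub(r"[-_.]+", "-", raw).lower()


def scan_package_lock(text: str) -> List[Finding]:
    """Supports lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map)."""
    lock = json.loads(text)
    findings: List[Finding] = []
    # v2/v3 keys are install paths ("node_modules/axios", "node_modules/@scope/pkg",
    # nested "node_modules/a/node_modules/axios"); the empty key is the project itself.
    for path, meta in lock.get("packages", {}).items():
        if path:
            name = path.split("node_modules/")[-1]
            findings += _hit("package-lock.json", name, meta.get("version", ""))

    def walk(deps: dict) -> None:
        # v1 tree, also emitted by v2 lockfiles for backwards compatibility
        for name, meta in deps.items():
            findings.extend(_hit("package-lock.json", name, meta.get("version", "")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(set(findings))  # dedupe entries present in both sections


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9A-Za-z.+!-]+)")


def scan_requirements(text: str) -> List[Finding]:
    """Exact '==' pins only; ranges and unpinned lines cannot be matched to a version."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if m:
            findings += _hit("requirements.txt", _pypi_name(m.group(1)), m.group(2))
    return findings


def scan_pip_list(text: str) -> List[Finding]:
    """Parses the two-column output of `pip list` (header and dashed line skipped)."""
    findings: List[Finding] = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 2:
            findings += _hit("pip list", _pypi_name(parts[0]), parts[1])
    return findings


# Constructed samples: one compromised npm package, one compromised PyPI pin.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/@bitwarden/cli": {"version": "2026.3.2"},
    },
})
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
elementary_data == 0.23.3
requests==2.32.0
litellm==1.82.9 ; python_version >= "3.9"
"""
SAMPLE_PIP_LIST = "Package    Version\n---------- -------\nlitellm    1.82.7\nrequests   2.32.0\n"

if __name__ == "__main__":
    hits = (scan_package_lock(SAMPLE_PACKAGE_LOCK) + scan_requirements(SAMPLE_REQUIREMENTS)
            + scan_pip_list(SAMPLE_PIP_LIST))
    for source, name, version in hits:
        print(f"COMPROMISED: {name}=={version} ({source})")
    print("clean" if not hits else f"{len(hits)} finding(s): upgrade and rotate credentials")
```

To use it on a real checkout, read the files in place of the samples. Unpinned ranges in requirements.txt cannot be matched to a version and are skipped, which is itself a reason to pin.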

2. Pin your dependencies to exact versions and commit SHAs. Floating version ranges (^1.0.0, >=1.0.0) are how compromised releases get silently pulled into your project. Pin to exact versions in production. For GitHub Actions, pin to full commit SHAs rather than tags:

# Insecure — tags can be force-pushed
uses: actions/checkout@v4

# Secure — pinned to an immutable commit
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

3. Enable automated dependency monitoring. Set up Dependabot or Renovate to open pull requests for dependency updates. This gives you visibility into what's changing and lets you review updates before they merge. However, be aware that automated bots can also fast-track malicious updates — always review changelogs before merging.

4. Harden your GitHub Actions workflows. The elementary-data attack succeeded because a pull request comment injected shell code into a workflow. Audit your workflows for untrusted input: never interpolate ${{ github.event.pull_request.title }} or similar attacker-controlled expressions directly into run: blocks, because the runner substitutes the text into the script before the shell ever sees it. Instead, pass the value to the step through an env: entry and read the resulting environment variable in the script, so the shell treats it as data rather than code. Set permissions: to the minimum required scope on every workflow.
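As an added illustration of this audit (not code from the original post, and a deliberate simplification of what a proper linter such as actionlint does with a real YAML parser): the script below walks a workflow file by indentation, collects the script text of every run: step, and flags any ${{ ... }} expression there that reads from a context an outside contributor controls. The workflow it scans is a constructed sample with the injection pattern beside its env:-based fix; the list of untrusted contexts is an assumption drawn from the commonly attacker-controlled event fields, not an exhaustive one.

```python
"""Flag `${{ ... }}` expressions over attacker-controlled contexts inside `run:` steps.

Added example for the workflow-hardening step; not code from the original post and
not a replacement for a real YAML-aware linter. It tracks YAML structure by
indentation only, which is sufficient for ordinary hand-written workflows.
"""
import re
from typing import List, Tuple

# Contexts an outside contributor can populate (assumed list, not exhaustive).
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body", "github.event.head_commit.message",
    "github.event.commits", "github.head_ref",
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def untrusted_in(expr: str) -> bool:
    body = expr.strip()
    return any(body.startswith(p) for p in UNTRUSTED_PREFIXES)


def scan_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for untrusted expressions inside run: scripts."""
    findings: List[Tuple[int, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        # Indentation of the `run` key itself; a block scalar's body is indented deeper.
        key_indent = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
        value = m.group(3)
        script = [(i + 1, value)]
        if value.strip() in ("|", ">", "|-", ">-", "|+", ">+"):
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > key_indent
            ):
                script.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for lineno, s in script:
            for expr in EXPR.findall(s):
                if untrusted_in(expr):
                    findings.append((lineno, expr.strip()))
    return findings


# Constructed sample: the `unsafe` job interpolates the PR title into the shell
# script; the `safe` job passes the same value through the environment instead.
SAMPLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
permissions:
  contents: read
jobs:
  unsafe:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Checking PR: ${{ github.event.pull_request.title }}"
  safe:
    runs-on: ubuntu-latest
    steps:
      - name: Same check, title passed as data
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking PR: $PR_TITLE"
      - run: echo "ref ${{ github.ref }}"
"""

if __name__ == "__main__":
    for lineno, expr in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted expression inside run: step -> {expr}")
```

Only the unsafe job is reported: the env: entry in the safe job still uses the expression, but the shell receives it as a variable's contents, and the github.ref expression in the last step is not contributor-controlled.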

5. Rotate credentials proactively. If you ran any of the compromised packages, rotate all exposed secrets: npm tokens, PyPI tokens, GitHub PATs, AWS/GCP/Azure keys, SSH keys, and any API keys stored in environment variables.

FAQ

Can this happen even if I use private registries? Yes. Dependency confusion attacks exploit package name resolution between private and public registries. If a private package doesn't exist in your public registry configuration, an attacker can publish a malicious public package with the same name and a higher version number — and your build tool will install it automatically. Use scoped registries and explicitly configure resolution order.

How do I know if I'm already compromised? Check your lockfiles for the known compromised versions listed above. Review CI/CD logs from March and April 2026 for unexpected outbound connections, process spawning, or file access patterns. Scan developer machines for the indicators of compromise (IOCs) published in the StepSecurity and Socket advisories linked below.

Is Dependabot enough to protect me? Dependabot alerts you to known vulnerabilities, but it doesn't prevent you from installing a brand-new malicious package that hasn't been catalogued yet. The Axios RAT was live for three hours before removal — faster than most vulnerability databases could flag it. You need lockfile pinning, CI pipeline controls, and credential rotation as complementary layers.

What's the minimum viable supply chain security for a small team? Pin exact versions. Enable Dependabot. Pin GitHub Actions to commit SHAs. Run npm audit or pip-audit in CI. Review every dependency update before merging. Rotate credentials quarterly. That's the baseline. Anything less is rolling the dice.

Conclusion

Supply chain attacks in 2026 aren't theoretical. They're happening weekly, they're automated, and they're targeting the exact tools Australian businesses rely on every day. The blast radius of a single compromised package can cascade through your entire build pipeline, your cloud credentials, and your customer data.

The good news: the defences are straightforward. Pin versions, audit lockfiles, harden your CI workflows, and rotate credentials regularly. The bad news: most SMBs haven't done any of this yet.

Don't wait for a breach notification. Start with the checklist above, and if you need help assessing your exposure or hardening your pipeline, visit consult.lil.business for a free cybersecurity assessment.

References

  1. No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — GitGuardian
  2. PyPI package with 1.1M monthly downloads hacked to push infostealer — BleepingComputer
  3. The npm Threat Landscape: Attack Surface and Mitigations — Palo Alto Unit 42
  4. Software Supply Chain Attacks 2025–2026 — Cyber Army Security Research

TL;DR

  • Bad actors snuck harmful code into a popular AI tool called LiteLLM that thousands of businesses use [1].
  • The attack stole passwords, secret keys, and digital wallets from anyone who installed the poisoned version [1].
  • They did it by first compromising a security tool that LiteLLM trusted — like poisoning the water at the treatment plant [2].
  • Here is what it means for your business and how to stay safe.

What Is LiteLLM?

Imagine you run a restaurant and instead of ordering from one food supplier, you want to compare prices from ten different ones. LiteLLM is like a universal ordering app that lets businesses talk to different AI services — ChatGPT, Claude, Gemini — all through one simple connection.

Thousands of companies use it to build AI features into their products [1].

What Went Wrong?

A group of hackers called TeamPCP figured out something clever. Instead of breaking into LiteLLM directly, they first broke into a security scanner called Trivy — a tool that LiteLLM used to check itself for bugs [2].

Think of it this way: imagine a locksmith who checks all the locks in your building gets compromised. Now the attacker does not need to pick any locks — they have the locksmith's master key.

Once inside, TeamPCP published two fake versions of LiteLLM (versions 1.82.7 and 1.82.8) to PyPI, the online store where developers download software [1]. Anyone who downloaded these versions unknowingly installed malware that:

  • Collected passwords and secret keys stored on their computers [1]
  • Spread to other computers on the same network [1]
  • Set up a hidden door that let the hackers come back anytime they wanted [1]

Why Should You Care?

You might not use LiteLLM directly, but your business probably relies on software that works the same way — built from dozens of smaller pieces, each one downloaded from the internet.

According to security research firm Sonatype, attacks on these software building blocks increased by 156% in just one year [3]. And IBM found that when hackers steal login credentials this way, the average cleanup cost is $4.81 million [4].

The Australian Cyber Security Centre has flagged these kinds of attacks as one of the top threats businesses face today [5].

What Can You Do?

Ask your IT team or provider three questions:

  1. "Do we pin our software to specific versions so updates do not happen automatically?" — This stops poisoned updates from sneaking in.

  2. "Do we have tools that scan our software for known threats?" — Free and paid tools exist that check every package you download against a database of known attacks [6].

  3. "If a tool we depend on gets compromised, how quickly would we know?" — The answer tells you whether your business would catch something like this in hours or months.

If you do not have an IT team: Start by keeping an inventory of the software your business uses. Know what you depend on. That awareness alone puts you ahead of most small businesses.

The Simple Takeaway

Every AI tool and every piece of software your business uses is built from smaller parts. If any of those parts gets poisoned, the whole thing becomes dangerous. The best protection is knowing what you depend on and having someone who watches for these threats.

It is like food safety — you trust your suppliers, but smart restaurants still check what arrives at the loading dock.

FAQ

Instead of attacking your business directly, hackers attack the tools or software your business depends on. When you update or install that trusted software, you unknowingly install the attacker's code too. It is like someone tampering with ingredients at a factory — every product made with those ingredients gets affected.

If anyone in your organisation uses Python and has LiteLLM installed, check the version number. Versions 1.82.7 and 1.82.8 were the compromised ones. Run pip list | grep litellm to check. If you see those versions, contact an IT professional immediately.

Very common and growing fast. Sonatype tracked a 156% increase in software supply chain attacks in 2025 [3]. The LiteLLM incident is the fifth software ecosystem TeamPCP has targeted, showing these attackers are becoming more ambitious [2].

No. AI tools can genuinely help your business work smarter and save money. The key is using them with proper safeguards — verified versions, dependency scanning, and regular security reviews. Think of it like driving: cars are useful, but you still wear a seatbelt.

References

[1] Endor Labs, "TeamPCP Isn't Done — LiteLLM Supply Chain Attack Analysis," Endor Labs Research, Mar. 24, 2026. [Online]. Available: https://www.endorlabs.com/learn/teampcp-isnt-done

[2] R. Lakshmanan, "TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise," The Hacker News, Mar. 24, 2026. [Online]. Available: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html

[3] Sonatype, "2025 State of the Software Supply Chain Report," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain

[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[5] Australian Cyber Security Centre, "Annual Cyber Threat Report 2024-2025," Australian Signals Directorate, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report

[6] Socket Security, "TeamPCP Targeting Security Tools Across OSS Ecosystem," Socket Blog, Mar. 2026. [Online]. Available: https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem

[7] JFrog, "LiteLLM Compromised by TeamPCP — Supply Chain Attack Analysis," JFrog Security Research, Mar. 24, 2026. [Online]. Available: https://research.jfrog.com/post/litellm-compromised-teampcp/

[8] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai


Wondering if your business software is safe? Talk to lilMONSTER — we help businesses understand their technology risks in plain language.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation