TL;DR

March 2026 showed how fast software supply-chain attacks can jump from one toolchain to another: poisoned GitHub Actions, backdoored PyPI releases, and malicious npm packages all hit within days. If your business runs Node, Python or GitHub Actions, the immediate priorities are to pin Actions to commit SHAs, verify lockfiles in CI, rotate any secrets exposed to builds, and turn on automated dependency monitoring with Dependabot or Renovate.​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​​​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

Why this matters for Australian SMBs right now

Most Australian SMBs do not build software from scratch anymore. They assemble it from npm packages, PyPI libraries, GitHub Actions, Docker images and SaaS integrations. That is efficient, but it also means one poisoned dependency can land inside production, CI runners or developer laptops before anyone notices.

What changed in March 2026 was the speed and chaining. Attackers did not just publish fake packages. They moved through trusted release pipelines, stole tokens from CI environments, and used those credentials to compromise legitimate projects downstream. For SMBs, that means the blast radius is no longer limited to “developers using obscure packages”. It can hit your website, internal apps, customer portal, billing

workflows and cloud credentials in one go.​‌‌‌​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​​​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

Incident 1: GitHub Actions hijacking turned CI into the attack path

One of the biggest wake-up calls was the compromise of widely used GitHub Actions connected to Trivy and later Checkmarx-related workflows. Reports indicate attackers force-moved version tags to malicious commits, meaning teams using references such as @v1 or @main could unknowingly pull attacker-controlled code into their pipeline.

The blast radius was ugly because CI runners are high-trust systems. They commonly hold cloud credentials, package publishing tokens, container registry secrets and deployment keys. In practice, a poisoned Action can read environment variables, dump secrets from runner memory, and exfiltrate tokens while the job still appears to complete normally.

What SMBs should do now:

  • Replace tag-based Action references with full commit SHAs.
  • Restrict GITHUB_TOKEN permissions to the minimum required per workflow.
  • Review workflows using pull_request_target, especially where untrusted code can execute.
  • Rotate any secrets available to CI runners if affected Actions ran during the exposure window.

For example, this is safer:

- uses: aquasecurity/trivy-action@57a97c7e4c9b...

Not this:

- uses: aquasecurity/[email protected]

Incident 2: PyPI compromises showed “install” can be enough

The PyPI compromises involving litellm and telnyx were especially dangerous because they were not typo-squats. They were malicious releases of legitimate packages. In the LiteLLM case, reporting indicates one release used a .pth file so code executed automatically when the Python interpreter started. That is worse than a normal malicious import because the payload can run even if the package is not directly called in the obvious way.

The likely blast radius included developer machines, CI workers, containers and any host that installed the affected versions. Once executed, the malware reportedly targeted environment variables, SSH keys, cloud credentials, Kubernetes data and other local secrets.

What SMBs should do now:

  • Search artefacts, Dockerfiles and lockfiles for affected versions.
  • Treat any host that installed those versions as potentially credential-exposed.
  • Rebuild affected containers from clean base images.
  • Rotate PyPI tokens, cloud keys and SSH credentials that were reachable from those environments.
  • Prefer trusted publishing and minimise long-lived package registry tokens.

For Python teams, lock dependencies tightly and review transitive changes with every update, not just top-level packages.

Incident 3: npm backdoors proved one package can hit millions fast

The axios incident was a reminder that npm’s scale turns a short-lived malicious release into a mass exposure event. Backdoored versions were reportedly pushed via a compromised maintainer account, with malware delivered through dependency and install-chain behaviour. For any SMB using Node-based websites, API back ends, serverless functions or internal tooling, a package like axios is exactly the kind of dependency that spreads everywhere.

The real risk is not only direct use. Transitive dependencies can pull in a poisoned version during a normal install if your lockfile changes, a fresh environment resolves differently, or a permissive version range such as ^1.x is allowed to float.

What SMBs should do now:

  • Commit lockfiles and fail CI if they change unexpectedly.
  • Use npm ci in CI, not npm install, so builds match the committed lockfile.
  • Review lifecycle scripts and consider blocking unnecessary postinstall execution.
  • Audit for unexpected new dependencies after every update.

For Node teams, a simple detection step is powerful:

  • Run git diff package-lock.json or pnpm-lock.yaml on every PR.
  • Alert on new packages, publisher changes, or unexpected script hooks.
  • Compare lockfile integrity hashes between trusted and current builds.

What your business should implement this week

First, lock down dependency resolution. Node teams should use npm ci or pnpm install --frozen-lockfile. Python teams should use pinned requirements, hashes where practical, and reproducible builds.

Second, automate safe updates. Turn on Dependabot or Renovate so updates arrive in small, reviewable pull requests instead of giant quarterly catch-ups. Configure them to:

  • group patch updates sensibly;
  • require CI to pass before merge;
  • label high-risk updates for manual review;
  • block GitHub Actions updates unless pinned to SHAs.

Third, add CI guardrails:

  • verify lockfiles are unchanged unless intentionally updated;
  • fail builds if GitHub Actions are not SHA-pinned;
  • scan for new install scripts, .pth files, or unexpected package contents;
  • keep secrets out of build environments unless absolutely required.

Fourth, assume exposed tokens are burned. If a compromised dependency or Action touched a runner, rotate credentials immediately. Minimal permissions matter: read-only tokens, short-lived credentials and separate publishing identities reduce the damage.

FAQ

Yes. Attackers often go after scale, not brand name. If your business uses common developer tooling, you can be collateral damage in a mass campaign even if nobody is targeting you specifically.

No. Several March 2026 incidents involved legitimate, widely trusted projects. Trusting the package name alone is no longer a control.

Pin every third-party Action to a full commit SHA and reduce token permissions. That cuts off one of the most common workflow-hijack paths.

No. One is enough if configured properly. The important part is automated, reviewable dependency updates with CI enforcement and lockfile verification.

Conclusion

The March 2026 supply-chain incidents were not isolated bugs. They were proof that npm, PyPI and GitHub Actions now sit on the front line of business risk. For Australian SMBs, the practical response is clear: pin Actions to SHAs, enforce lockfile integrity, automate dependency updates safely, and rotate any secrets exposed to CI or developer machines.

If your team wants help checking whether your current Node, Python and CI pipeline setup would survive the next wave, visit consult.lil.business for a free cybersecurity assessment.

References

  1. Datadog Security Labs: LiteLLM and Telnyx compromised on PyPI
  2. GitLab: Pipeline security lessons from March supply chain incidents
  3. GitHub Docs: Use immutable releases and pin GitHub Actions to a full-length commit SHA
  4. ACSC: Software supply chain security guidance
  5. PyPI Docs: Trusted Publishers
  6. Dependabot documentation

TL;DR

Bad actors are sneaking dangerous code into trusted software libraries—like swapping real books on a library shelf with trick copies that spy on whoever reads them. The campaign is called GlassWorm, and businesses can protect themselves by checking their software ingredients and locking down developer accounts.

What Is GlassWorm? (The Library Bookshelf Analogy)

Imagine your favourite library. You trust every book on the shelves because the librarians picked them out. Now imagine someone steals a librarian's ID badge, walks in after hours, and swaps a popular book with a fake copy that looks identical on the outside. When you borrow that book, a hidden camera inside starts watching everything you do at home.

That's basically what GlassWorm does to software [1][2]. Programmers build apps using shared code libraries—think of them as bookshelves full of useful tools hosted on sites like npm and PyPI. GlassWorm's operators stole the credentials of real "librarians" (package maintainers) and pushed out poisoned updates that developers pulled in without suspecting a thing [3][9].

How Does GlassWorm Hide Its Secret Instructions?

Here's the clever part. When the fake book needs to phone home for new orders, it doesn't call a regular phone number that could be disconnected. Instead, it checks a public bulletin board that nobody can erase—the Solana blockchain [1]. The attacker writes a tiny note inside a blockchain transaction, and the malware reads it to learn where to send stolen data. Because blockchain entries are permanent, defenders can't simply delete the note the way they'd take down a website [2].

What Does GlassWorm Actually Do Once It's Inside?

The attack happens in stages—like chapters in that trick book. First, it settles in quietly. Then it starts copying your saved passwords, cryptocurrency wallets, and information about your computer [1][2]. In the final stage, it installs a remote control tool (called a RAT) that lets the attacker see your screen, record your keystrokes, and even trick you into handing over hardware wallet codes for devices like Ledger and Trezor [1]. It also adds a fake Chrome extension pretending to be "Google Docs Offline" that watches almost everything you do in your browser—cookies, bookmarks, screenshots, and thousands of history entries [2][7].

How Can Businesses Stay Safe?

The good news: you don't need a massive security team to protect yourself. Think of it as better library hygiene [4][6][10]:

  • Check the books before shelving them. Use tools that scan your software dependencies for known bad packages [3][5].
  • Protect the librarian badges. Turn on multi-factor authentication for every developer account so attackers can't steal credentials easily [4][10].
  • Keep a list of every book on the shelf. Maintaining a Software Bill of Materials (SBOM) means you can quickly find and remove a bad package when one is discovered [6].
  • Lock the browser extension shelf. Only allow approved Chrome extensions through your organization's policy [7].

Taking these steps isn't about being scared—it's about running a tighter ship so you can focus on building great products with confidence [8].

FAQ

A supply chain attack is when bad actors sneak malicious code into trusted software libraries or tools that developers use to build applications. Instead of attacking your business directly, they compromise the building blocks your software depends on [4][9].

Yes. If any software your business uses was built with compromised packages from npm or PyPI, it could carry GlassWorm's malicious payload. This is why maintaining a Software Bill of Materials (SBOM) matters—so you know exactly what ingredients are in the software you rely on [3][6].

GlassWorm writes its command-and-control instructions into Solana blockchain transaction memos. Because blockchain entries are permanent and decentralised, security teams cannot simply take down a website or block a domain to cut the malware's communication line [1][2].

Start with three steps: enable multi-factor authentication on all developer and admin accounts, use dependency scanning tools to check software packages before deploying them, and restrict Chrome extension installations to an approved list only [4][6][10].

Want help checking your software supply chain? Schedule a free consultation.

References

[1] I. Makari, "GlassWorm: Chrome Extension RAT Using Solana Dead Drops," Aikido Security Blog, Mar. 2026. [Online]. Available: https://www.aikido.dev/blog/glassworm-chrome-extension-rat

[2] R. Lakshmanan, "GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data," The Hacker News, Mar. 25, 2026. [Online]. Available: https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html

[3] Sonatype, "State of the Software Supply Chain Report 2025," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain

[4] CISA, "Defending Against Software Supply Chain Attacks," Cybersecurity and Infrastructure Security Agency, Apr. 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

[5] Synopsys, "Open Source Security and Risk Analysis Report 2025," Synopsys, 2025. [Online]. Available: https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html

[6] NIST, "Software Supply Chain Security Guidance," NIST SP 800-218, Feb. 2022. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-218/final

[7] Google, "App-Bound Encryption for Chrome Cookies," Google Security Blog, 2024. [Online]. Available: https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies.html

[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[9] European Union Agency for Cybersecurity (ENISA), "Threat Landscape for Supply Chain Attacks," ENISA, 2021. [Online]. Available: https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks

[10] OpenSSF, "Package Repository Security Best Practices," Open Source Security Foundation, 2024. [Online]. Available: https://openssf.org/blog/package-repository-security/

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation