The Week That Changed Things

Between 19 and 31 March 2026, the software supply chain suffered a sequence of coordinated, cascading attacks that exposed a systemic vulnerability at the very heart of modern software development: the implicit trust we place in the open-source tools and packages we install every day without reading.

Within a 12-day window, four of the most widely used tools in software development and AI engineering were compromised. A security scanner used by millions of CI/CD pipelines. An AI model routing library downloaded 3.4 million times per day. The flagship coding tool of the world's leading AI safety company. And the most popular JavaScript HTTP client in existence, with 100 million weekly downloads. Each incident was technically distinct. But taken together, they tell a single coherent story about where modern information security and GRC frameworks are dangerously behind the threat landscape.

🚨
Scope of Impact — March 2026
Trivy (March 19) → Checkmarx KICS (March 23) → LiteLLM PyPI (March 24) → Claude Code source leak (March 31) → Axios npm RAT (March 31). Five incidents in 12 days. At least two distinct threat actor groups. Combined weekly download exposure: over 103 million packages per week. Hundreds of thousands of credentials likely compromised.
100M+
Weekly downloads
Axios alone
3.4M
Daily downloads
LiteLLM at time of attack
~3hrs
Avg window before
malicious packages removed
513K
Lines of source code
exposed — Claude Code

This article is a practitioner's analysis — not a news report. My intent is to go beyond the headlines, examine what these incidents reveal about the structural weaknesses in how organisations consume open-source software, and set out a clear, actionable framework for what information security and GRC teams must do in response. Some of these lessons are uncomfortable. The tools we use to secure our software were themselves the attack vector. That tells us something profound about the current state of software supply chain security.

Incident 1 — Axios npm: State-Sponsored RAT Delivery

On 31 March 2026, between 00:21 and 03:20 UTC — a window of less than three hours — the most trusted JavaScript HTTP client in the world was turned into a malware delivery vehicle by a North Korean state-sponsored threat actor.

01
Axios npm Supply Chain Compromise
31 March 2026 · npm Registry · JavaScript Ecosystem · CVE: GHSA-fw8c-xr5c-95f9
Critical
Attack Vector
Attacker compromised the npm account of the primary Axios maintainer (the primary maintainer's account) — changing the registered email to an attacker-controlled ProtonMail address. Published malicious versions 1.14.1 and 0.30.4 simultaneously across both the current and legacy release branches. Injected a hidden dependency, [email protected], which was pre-staged 18 hours earlier to establish publishing history and evade "brand-new package" alarms. The dependency was never imported by Axios runtime code — it existed solely to trigger a postinstall hook executing a malicious install script.
Payload & Impact
The postinstall dropper used reversed Base64 encoding and XOR cipher obfuscation to evade static analysis. On execution, it downloaded the a cross-platform backdoor from [C2 domain] — a cross-platform RAT targeting Windows, macOS, and Linux simultaneously. The RAT beaconed every 60 seconds, providing remote shell execution, binary injection, directory browsing, process listing, and system reconnaissance. The malware self-cleaned after execution: any post-infection inspection of the installed package shows a completely clean manifest. Google Threat Intelligence attributed this to UNC1069, a North Korea-nexus financially motivated threat actor.
Weekly Downloads
100M+ (Axios)
Exposure Window
~3 hours
Threat Actor
UNC1069 (DPRK)
Safe Versions
≤1.14.0 / ≤0.30.3
C2 Infrastructure
[C2 domain]

What Makes This Particularly Dangerous

Three aspects of this attack warrant specific attention from security practitioners. First, the attack vector bypasses every traditional perimeter defence. The threat didn't come from a phishing email, an unpatched server, or a malicious website. It came from a developer running npm install — an action that happens hundreds of millions of times per week, in CI/CD pipelines, on developer workstations, in production rebuild environments. No firewall blocks npm install. No endpoint protection flags it as suspicious. No user training prevents it.

Second, the malware was forensically designed to be undetectable after execution. Wiz researchers confirmed that after execution, the malicious package self-deletes and replaces its own package.json with a completely clean manifest. Running npm audit or manually reviewing installed packages after the fact reveals nothing. Traditional post-incident investigation methods fail completely.

Third, the attacker specifically targeted both release branches simultaneously — the current 1.x branch and the legacy 0.x branch — maximising exposure across an ecosystem where projects span years of version history. This is not opportunistic. This is operational planning.

For any organisation that had Axios installed or updated in CI/CD pipelines during the 00:21–03:20 UTC window on 31 March, the guidance from every major vendor (Microsoft, Google, Tenable, Wiz) is unambiguous: treat the environment as fully compromised, rotate all credentials, and rebuild from a known-clean state. Do not attempt to scan or clean — the malware was designed to defeat that approach.

Incident 2 — LiteLLM PyPI: The Cascading Compromise

The LiteLLM attack is, in many ways, the most instructive of the three incidents covered here — because it shows exactly how modern supply chain attacks cascade through the software ecosystem. This was not a direct attack on LiteLLM. It was an attack on a security tool that LiteLLM trusted.

02
LiteLLM PyPI Supply Chain Compromise
24 March 2026 · PyPI Registry · Python Ecosystem · Threat Actor: TeamPCP (Phase 09)
Critical
Attack Vector & Root Cause
TeamPCP — a financially motivated criminal group active since December 2025 — compromised the Trivy security scanner on March 19 by force-pushing 76 malicious release tags to the trivy-action repository. LiteLLM's CI/CD pipeline used Trivy as part of its build process, pulling it without a pinned version. The compromised Trivy action exfiltrated LiteLLM's PyPI publishing tokens from the GitHub Actions runner environment. TeamPCP then used those stolen tokens to publish malicious versions 1.82.7 and 1.82.8 directly to PyPI — bypassing LiteLLM's normal GitHub Actions CI/CD workflow entirely.
Payload: Three-Stage Attack
Stage 1 — Credential Harvesting: Malicious code embedded in a core library file targeted SSH keys, cloud credentials (GCP ADC, AWS, Azure tokens), Kubernetes configs, API keys, .env files, shell history, and crypto wallets. Version 1.82.8 added a a malicious initialisation file file that auto-executed on every Python process startup — a fork bomb error in the malware inadvertently exposed it by crashing affected systems. Stage 2 — Kubernetes Lateral Movement. Stage 3 — Persistent systemd backdoor polling for remote payloads. Exfiltration target: models.litellm[.]cloud — a domain impersonating LiteLLM's legitimate infrastructure.
Daily Downloads
~3.4M (LiteLLM)
Exposure Window
~40 minutes (PyPI quarantine)
Threat Actor
TeamPCP (Phase 09)
Downstream Victim
Mercor ($10B AI startup)
Root Compromise
Trivy security scanner

The Cascading Compromise Pattern

What makes the LiteLLM attack distinctively important for security practitioners is the attack cascade pattern: a security tool was compromised first, and that compromise was used as the entry point to attack a downstream target. The sequence matters enormously, and it raises a question that every security team must now answer honestly: Do we know the security posture of the tools we use to secure our software?

LiteLLM's team used Trivy — a widely-trusted, open-source vulnerability scanner — as part of their CI/CD security workflow. That's exactly what security best practice recommends: automate security scanning in your pipeline. The attack exploited that best practice as the attack vector. This creates a deeply uncomfortable paradox: the organisations that had done the right thing — integrating security scanning into their pipelines — were more exposed than those that hadn't.

There is a further downstream dimension. Because LiteLLM is increasingly deployed as a centralised LLM gateway — holding API credentials for multiple model providers simultaneously — a single compromise of a LiteLLM instance gives an attacker access to a credential set broader than almost any other single-package compromise would. Mercor, a $10 billion AI recruiting startup working with OpenAI and Anthropic, confirmed it was one of thousands of companies affected. The extortion group Lapsus$ claimed responsibility for a subsequent data exfiltration, suggesting a multi-actor exploitation of the initial TeamPCP compromise.

💡
The Paradox of Security Tooling as Attack Surface
The LiteLLM compromise did not originate from a vulnerability in LiteLLM itself. It originated from a compromised security scanner — Trivy — which LiteLLM used to check for vulnerabilities. The lesson: every tool in your security toolchain is itself an attack surface. Your SAST scanner, your SCA tool, your container image scanner, your DAST platform — all of these are potential entry points. If they are not dependency-pinned, not hash-verified, and not subject to their own security review, they are a blind spot in your security posture.

Incident 3 — Claude Code: The Source Code That Got Away

The Claude Code incident is categorically different from the supply chain attacks above — it was not a malicious attack. It was a human error: a packaging misconfiguration that accidentally included a 59.8 MB JavaScript source map in a public npm release. What happened next, however, illuminates how even non-malicious security failures become attack vectors in the hands of a motivated threat landscape.

03
Anthropic Claude Code Source Code Exposure
31 March 2026 · npm Registry · Accidental Exposure via Source Map · ~04:00 UTC
High — Intellectual Property & Security Blueprint Exposure
What Happened
Anthropic released Claude Code v2.1.88 to npm. The release, built on the Bun JavaScript runtime (acquired by Anthropic in late 2025), included a full debugging JavaScript source map — a 59.8 MB .map file — due to a known Bun bug (issue #28001) that serves source maps in production builds and a missing exclusion in the .npmignore configuration. The source map referenced a complete ZIP of original TypeScript sources hosted on Anthropic's Cloudflare R2 bucket. A security researcher discovered the source map and posted to X within hours, triggering a global rush. The code was downloaded, mirrored to GitHub, and forked tens of thousands of times within hours. 513,000 lines of TypeScript across 1,906 files. Claude Code creator Boris Cherny confirmed: "there was a manual deploy step that should have been better automated."
What Was Exposed & Downstream Risk
Exposed: Complete agent orchestration logic, tool-call loops, permission and execution layer, MCP server integration, environment variable handling, slash command libraries, internal model codenames (Capybara/Mythos), and beta API version strings. Not exposed: Model weights, training data, customer data, credentials. Secondary attack surface: The leak triggered malicious GitHub repositories distributing Vidar infostealer under the guise of "unlocked Claude Code." Security researchers confirmed CVE-2026-21852 — a pre-trust API key exfiltration vulnerability — became significantly easier to weaponise with full source visibility. A clean-room rewrite hit 50,000 GitHub stars in two hours — the fastest-growing repository in GitHub history.
Code Exposed
513,000 lines TypeScript
GitHub Forks
Tens of thousands (hours)
Root Cause
Human error / Bun bug / npmignore
Prior Incident
Second similar leak (Feb 2025)
Anthropic ARR
~$19B at time of incident

The Compounding Risk of the Same-Day Overlap

The timing of the Claude Code leak — occurring on the same day as the Axios RAT attack, and within the same npm ecosystem — created a compounding risk that VentureBeat and multiple security firms flagged immediately. Users who installed or updated Claude Code via npm on 31 March 2026 between 00:21 and 03:29 UTC may have simultaneously pulled the compromised Axios dependency as a transitive package. The two incidents, while entirely unrelated in origin, intersected at the npm registry on the same day, in the same time window, affecting the same developer population.

The broader lesson from the Claude Code incident is not specifically about Anthropic's packaging process — it is about what the incident reveals for every organisation building and deploying software. When source code is exposed, the consequences do not end when the code is taken down. The internet does not forget. Thousands of mirrors, forks, and analyses persist permanently. And they become the raw material for two categories of ongoing risk: targeted vulnerability discovery (attackers with full source visibility can find and weaponise vulnerabilities with dramatically less effort) and social engineering via trust impersonation (malicious repositories masquerading as official or "unlocked" versions to distribute malware to curious developers).

The Full Attack Chain: Trivy → Checkmarx → LiteLLM → Axios

The individual incidents described above did not occur in isolation. TeamPCP (also identified as PCPcat, Persy_PCP, ShellForce, and DeadCatx3) executed a methodical, multi-phase campaign across 12 days, with consistent infrastructure — the same RSA key pair, same payload naming conventions, and the same tpcp-docs-prefixed GitHub repositories as dead-drop C2 staging across every operation.

PRE
December 2025 – February 2026
TeamPCP Tooling Development & Initial Access
TeamPCP developed and refined their credential-harvesting toolkit (credential-harvesting malware). In late February 2026, actor MegaGame10418 exploited a misconfigured pull_request_target workflow in Trivy's CI to exfiltrate the aqua-bot Personal Access Token. Aqua Security disclosed on March 1 and rotated credentials — but the rotation was not atomic, leaving a window where the attacker could have captured newly rotated secrets.
1
19 March 2026 · CVE-2026-33634 · CVSS 9.4
Trivy GitHub Actions Compromise
TeamPCP used still-valid credentials from the incomplete Aqua rotation to force-push 76 of 77 release tags in the trivy-action repository to malicious commits. Every automated pipeline using Trivy for security scanning now became a credential-harvesting endpoint. SSH keys, cloud tokens, and CI/CD secrets exfiltrated via AES-256-CBC encrypted bundles to attacker infrastructure. The security scanner had become the attacker's harvesting agent.
2
23 March 2026
Checkmarx KICS GitHub Actions Compromise
The same TeamPCP infrastructure was used to compromise Checkmarx's KICS (Keep Infrastructure as Code Secure) GitHub Actions. The attacker registered [attacker-controlled impersonation domain] — impersonating the Checkmarx security company — as C2 infrastructure. Another major security tool compromised in the CI/CD pipeline. The pattern is now clear: TeamPCP is specifically targeting security tooling used in automated pipelines.
3
24 March 2026
LiteLLM PyPI Compromise (Phase 09)
LiteLLM's CI/CD pipeline ran Trivy as part of its build process — pulling it without a pinned version. The compromised Trivy action exfiltrated LiteLLM's PyPI publishing tokens. TeamPCP used those tokens to publish malicious versions 1.82.7 and 1.82.8 to PyPI, bypassing LiteLLM's own CI/CD entirely. The attack had now shifted from pipeline infiltration to direct downstream execution — code running on developer machines and in production environments worldwide.
~
31 March 2026 · ~04:00 UTC
Claude Code Source Map Exposure (Separate — Anthropic Human Error)
Unrelated to TeamPCP. Anthropic released Claude Code v2.1.88 with an accidentally bundled source map, exposing 513,000 lines of TypeScript. The incident coincided with the Axios attack in the same npm ecosystem on the same day, amplifying developer confusion and expanding the social engineering surface area for both incidents.
4
31 March 2026 · 00:21 – 03:20 UTC
Axios npm RAT Deployment (UNC1069 — North Korean State Actor)
A separate, state-sponsored threat actor (UNC1069, DPRK-nexus) compromised the primary Axios npm maintainer's account and published the backdoor malware RAT-carrying versions 1.14.1 and 0.30.4 across both current and legacy release branches. This attack is attributed to a different actor from TeamPCP — indicating that multiple sophisticated threat actors were simultaneously operating against the npm ecosystem on the same day.

The fact that UNC1069 and TeamPCP operated independently — on the same day, in overlapping ecosystems — is not coincidental serendipity. It reflects a broader intelligence picture: the software supply chain is under sustained, multi-actor attack from threat groups who understand that poisoning a trusted package is, from a cost-benefit perspective, one of the most efficient attack vectors available. A single compromised maintainer account, or a single unguarded CI/CD secret, can yield millions of downstream installations.

Why AI Development Tools Are the New Crown Jewel Target

There is a non-obvious reason why LiteLLM and Claude Code are more attractive targets than a typical npm or PyPI package — even one with comparable download volumes. It is not simply about scale. It is about what AI development tools have access to.

A standard web application library might have access to a database connection string and an API key. An AI development tool like LiteLLM, operating as a centralised LLM gateway, typically holds API credentials for every major AI provider simultaneously: OpenAI, Anthropic, Google, Azure OpenAI, Cohere, and more. It may also have access to the context and data being passed to those models — which may include proprietary business data, personal data, and confidential communications. A single successful compromise of a production LiteLLM deployment is worth orders of magnitude more to an attacker than a standard credential harvest.

Claude Code presents a different but equally significant risk profile. As an AI coding agent operating in the terminal, it has more access to developer systems than almost any other developer tool: it can read files, execute shell commands, write code, access environment variables, connect to external services, and interact with version control. The source code exposure revealed that some of this capability operates with permissions established before user trust prompts appear — creating pre-trust initialisation windows that are now documented attack surfaces.

🎯
The AI Tool Attack Surface Equation
Traditional threat modelling asks: "what data does this application access?" For AI development tools, the question is: "what does this tool have access to, what can it do autonomously, what credentials does it hold, and what would an attacker gain by compromising it or the developers using it?" LiteLLM's architecture — as a proxy between applications and multiple AI providers — makes it a credential aggregator. Claude Code's architecture — as an autonomous coding agent — makes it a system access aggregator. Both are higher-value targets than their package names suggest.

Security Analysis: What These Incidents Really Reveal

Beneath the technical details of each individual incident, these attacks collectively expose seven structural weaknesses in how the industry currently approaches software security. These are not novel vulnerabilities in any specific product. They are systemic patterns of trust misplacement that the industry has known about for years but has not yet resolved at scale.

1. The Implicit Trust Problem

Every one of these attacks succeeded because of trust that was implicit rather than verified. Developers trust packages on npm and PyPI to be what they claim to be because they were published by a known maintainer. CI/CD pipelines trust GitHub Actions to pull from the correct repository because they have in the past. LiteLLM trusted Trivy because it is a widely used security tool. That implicit trust — the assumption of integrity without verification — is the root vulnerability. The perimeter model of security (trust what is inside, distrust what is outside) has no meaningful concept of "inside" when your software supply chain spans thousands of open-source packages maintained by individuals globally.

2. Maintainer Account Compromise as the Critical Weak Point

Both the Axios and LiteLLM attacks hinged on compromised maintainer accounts. In Axios's case, the primary maintainer's npm credentials were stolen. In LiteLLM's case, the PyPI publishing token was exfiltrated from a CI/CD environment. In neither case was the application code itself vulnerable — the compromise happened at the identity layer, not the application layer. The software was clean; the publishing mechanism was not. This is a fundamental shift in the threat model for open-source security: the question is no longer "is this code safe?" but "was this code published by who we think it was, through a process we can verify?"

3. The Security Scanner Paradox

The most alarming pattern in the TeamPCP campaign is the deliberate targeting of security tooling. Trivy. Checkmarx KICS. Both are tools organisations specifically use to improve their security posture. By compromising these tools first — and using them as the entry point for downstream attacks — TeamPCP demonstrated that security tooling is not just an attack surface; it is a privileged attack surface. Security tools run in CI/CD with elevated permissions. They are trusted by default. They are rarely themselves subject to security review. And they have access to exactly the kind of credentials — publishing tokens, cloud credentials, deployment keys — that make a high-value exfiltration target.

4. The SBOM Gap — We Don't Know What We're Running

A Software Bill of Materials (SBOM) is the inventory of every software component in your supply chain. Regulatory frameworks — the US Executive Order on Cybersecurity (2021), the EU Cyber Resilience Act, and NIST guidance — have all begun requiring SBOM practices. But having an SBOM and acting on it are different things. The organisations most severely affected by the Axios attack were those running automated CI/CD pipelines that pulled "latest compatible" versions. They had no real-time visibility into what was being installed, no automated detection when a new malicious version appeared on the registry, and no process to verify the integrity of packages against a known-good state. An SBOM that is not actively monitored is an audit artefact, not a security control.

5. The Window Problem — Detection Lags Behind Exposure

Both the Axios and LiteLLM attacks had exposure windows of approximately three hours. In that window, developers running npm install or pip install in CI/CD pipelines worldwide were compromised. Detection of both attacks came through manual observation — a security researcher examining Axios packages, and a developer's machine crashing due to a fork-bomb bug in the LiteLLM malware (the bug that exposed the attack was an error in the malware itself, not a security control). Neither was detected by automated security tooling in real time. For practitioners, this underscores the inadequacy of periodic scanning alone. The threat actor's operational window is measured in hours. Detection and response must operate in the same timeframe.

6. Credential Aggregation as an Existential Risk

Both the Axios RAT and LiteLLM credential stealer were designed to exfiltrate the broadest possible set of credentials from compromised machines: SSH keys, cloud tokens, API keys, environment variables, Kubernetes configurations, wallet files, shell history. The goal is not just the immediate credentials on one machine — it is the lateral movement opportunity those credentials enable. A stolen GitHub token can be used to compromise repositories. A stolen AWS key can pivot into a cloud environment. A stolen CI/CD secret can be used exactly as TeamPCP used Trivy's stolen token: to publish malicious packages under a trusted name. The exfiltrated credentials from March 2026 will generate downstream incidents for months.

7. AI-Specific Risk: The Source Code Exposure Vector

The Claude Code leak introduces a category of risk that is specifically relevant to AI systems and that traditional security frameworks are not yet equipped to handle: the operational blueprint as an attack enabler. When a conventional application's source code is exposed, attackers gain visibility into the application's logic. When an AI agent's source code is exposed, attackers gain visibility into how the agent interprets instructions, how it establishes trust, when it executes commands without user confirmation, and precisely which inputs can be crafted to trigger unintended actions. Pre-trust initialisation windows, permission escalation paths, and MCP server integration points are now documented and publicly analysed. This is not a catastrophic breach — but it is a meaningful, permanent shift in the security posture of the tool.

GRC Framework: Where Compliance Must Catch Up

The incidents described above expose significant gaps between the current state of GRC frameworks and the actual threat landscape for software supply chain security. ISO 27001, NIST CSF, and SOC 2 were all designed before the open-source software supply chain became the dominant software delivery model. They are not wrong — but they are incomplete. Here is where each major framework currently falls short, and what organisations must do beyond compliance requirements.

ISO 27001 / ISO 27002

ISO 27002:2022 introduced Annex A control 8.8 (Management of technical vulnerabilities) and 5.23 (Information security for use of cloud services). Neither addresses the supply chain attack vector as it manifested in March 2026. Control 8.8 focuses on vulnerability management for deployed software — it does not address the integrity of software during the installation or build process. A passing ISO 27001 audit does not mean your organisation has validated the integrity of every package it installs in CI/CD, has implemented dependency pinning, or has any visibility into the real-time security status of its package registry dependencies.

Organisations seeking genuine supply chain security under ISO 27001 should extend their ISMS scope to explicitly cover software dependency management — including the tools used to build and deploy software (including security tools like vulnerability scanners). This is a control gap that the upcoming ISO 27001:2025 revision will need to address more directly.

NIST Cybersecurity Framework (CSF) 2.0

NIST CSF 2.0, released in February 2024, added a "Govern" function and strengthened supply chain risk management (GV.SC). NIST SP 800-218 (Secure Software Development Framework) provides more specific SBOM and supply chain guidance. However, the guidance remains at the policy level. The technical controls needed to defend against the March 2026 attacks — real-time package registry monitoring, cryptographic hash verification of installed packages, isolated CI/CD environments with allowlisted network egress — are not prescribed in detail. Compliance with NIST CSF GV.SC requirements is achievable without implementing any of these controls.

The EU Cyber Resilience Act & EU AI Act

The EU Cyber Resilience Act (CRA), entering into force in 2027, will impose mandatory SBOM requirements and vulnerability disclosure obligations on software manufacturers. For the first time, open-source component maintainers who receive commercial support will bear legal obligations for security. The LiteLLM and Axios incidents are exactly the scenario the CRA was designed to address. Organisations with EU customers or EU operations should be treating CRA compliance preparation as a current priority, not a 2027 problem.

The EU AI Act additionally requires providers of high-risk AI systems to maintain technical documentation and implement risk management systems covering the entire supply chain of their AI applications. If your organisation deploys AI systems that use LiteLLM as an LLM gateway, the LiteLLM compromise is a direct supply chain risk event that your AI Act risk management framework should have detected and responded to.

ISO 42001 — AI Management Systems

ISO 42001, the AI Management System standard, addresses AI risk management, including risks from AI-specific supply chain elements. The Claude Code incident — and the broader AI tool compromise pattern — demonstrates exactly why Clause 6.1 (Actions to address risks and opportunities) and Annex A controls covering AI system integrity must be extended to cover the integrity of AI coding tools used in the development workflow. If your developers use AI coding agents, those agents are part of your AI supply chain. Their security posture is your security posture.

The Practitioner Action Plan

Theory matters, but action matters more. Here is the structured response framework that information security and GRC practitioners should be executing in the immediate, short-term, and medium-term following these incidents.

Immediate Actions (This Week)

Immediate 01
Verify Axios Version Integrity
Search all project lockfiles (package-lock.json, yarn.lock, bun.lockb) for [email protected] or [email protected], and for any occurrence of the malicious dependency package. Any environment where these were installed should be treated as fully compromised. Rebuild from a clean snapshot. Do not attempt to clean in-place.
Immediate 02
Audit LiteLLM in All Environments
Check all environments — local, CI/CD, Docker, production — for litellm versions 1.82.7 or 1.82.8. Check for a persistence script persistence artefacts and malicious pods pods in Kubernetes. Rotate all credentials on affected systems. Upgrade to v1.83.0 (rebuilt on CI/CD v2 pipeline).
Immediate 03
Credential Rotation Protocol
For any environment exposed to the Axios or LiteLLM compromises: revoke (not rotate) all credentials present on affected machines — API keys, SSH keys, cloud tokens, npm tokens, GitHub tokens, Kubernetes configs. Rotation is insufficient. Revoke and reissue from a clean environment. Check for lateral movement using compromised credentials.
Immediate 04
Security Toolchain Version Audit
Audit all CI/CD security tools for pinned, verified versions. Specifically: Trivy (ensure you are not running the compromised action tags from March 19), Checkmarx KICS, and any GitHub Actions pulling from external repositories without pinned SHA references. Every security tool in your pipeline is an attack surface.
Immediate 05
AI Coding Tool Usage Assessment
Inventory which AI coding tools (Claude Code, Cursor, GitHub Copilot, Windsurf) your developers are using. Understand what access each tool has — file system, command execution, environment variables, network. Review permission mode settings. Pin versions. Do not auto-update AI coding tools without testing and security review.
Immediate 06
Monitor for Secondary Threats
The credentials exfiltrated during the March window will be leveraged in downstream attacks for months. Monitor for anomalous API usage on all AI provider accounts. Block outbound connections to known IOCs: [C2 domain], [C2 IP address], models.litellm[.]cloud. Review GitHub for repositories with docs-tpcp naming pattern — a TeamPCP C2 artefact.

Short-Term Actions (30–90 Days)

  • Implement dependency pinning organisation-wide. Remove ^ and ~ version prefixes from all production package.json and requirements files. Use exact versions. Lock files must be committed and CI must use npm ci (not npm install) to enforce lockfile integrity. For Python, use pip install --require-hashes with cryptographic verification of every package.
  • Deploy real-time Software Composition Analysis (SCA). Implement tools (Snyk, Dependabot with alerting, Socket.dev) that provide real-time monitoring of package registry status — not just periodic scanning. The March 2026 attacks had three-hour exposure windows. Periodic scanning that runs weekly or daily provides no meaningful protection against that threat profile.
  • Harden CI/CD secret management. Transition all long-lived CI/CD tokens to short-lived credentials using OIDC Trusted Publishing. Eliminate stored API keys and tokens from GitHub Actions, GitLab CI, and similar environments. The LiteLLM attack succeeded because a long-lived PyPI publishing token was accessible to the CI/CD runner. With OIDC, that token would not exist to be stolen.
  • Implement network egress controls for build environments. Build pipelines should have allowlisted, controlled network egress. The Axios RAT communicated with [C2 domain]. The LiteLLM exfiltrator communicated with models.litellm[.]cloud. Neither of these domains would be in a correctly configured allowlist for a build pipeline. Restricting outbound connections from CI/CD and build environments is one of the most effective mitigations against supply chain malware that has no bearing on legitimate build processes.
  • Establish an AI tool security governance policy. Define which AI coding tools are approved for use, at which versions, with which permission profiles. Require security review before any AI tool version update is deployed to developer workstations. AI tools are developer infrastructure — they should be managed with the same rigour as any other infrastructure component.
  • Build and maintain a living SBOM. Implement SBOM generation as part of the CI/CD pipeline for every application. The SBOM must be actively monitored — integrated with vulnerability intelligence feeds that alert in near-real-time when a component in your SBOM appears in a known-malicious registry entry. A static SBOM generated at release time does not protect against attacks that occur between releases.

Medium-Term Actions (90–180 Days)

  • Extend your ISMS scope to cover the software supply chain explicitly. Under ISO 27001, define assets to include your package dependency inventory. Include software supply chain risk in your risk register. Assess the control effectiveness of your current dependency management practices against the threat scenarios demonstrated in March 2026.
  • Begin EU Cyber Resilience Act readiness assessment. If your organisation develops software with components available in the EU market, or if you process data of EU residents, the CRA's SBOM and vulnerability disclosure requirements will apply. Start gap assessment now — the 2027 enforcement date is closer than it appears from a remediation standpoint.
  • Implement AI-specific risk controls under ISO 42001. Extend your AI management system to include the AI tools used in the development workflow. Claude Code, Cursor, and GitHub Copilot are part of your AI supply chain. Their access permissions, version management, and security posture are AI governance questions, not just IT security questions.
  • Run supply chain attack scenarios in tabletop exercises. Include the "compromised security tool as attack vector" scenario specifically. Most organisations have never tested their incident response against the pattern demonstrated by TeamPCP: security scanner compromised → CI/CD secrets exfiltrated → downstream package registry poisoned → developer machine and production environment compromised. Test your detection, response, and communication playbooks against this scenario.

What the Industry Must Do Next

The events of March 2026 are not an anomaly. Software supply chain attacks more than doubled globally during 2025, with roughly 30% of all data breaches now linked to third-party or supply chain components. What changed in March 2026 is the target profile: the attacks moved from generic infrastructure packages to the specific tools used by AI developers — and in doing so, they exploited a trust relationship that the security industry has not yet adequately addressed.

The conventional security model assumes that the things you use to build and secure your software are themselves trustworthy. The TeamPCP campaign demonstrated that this assumption is wrong — systematically, deliberately, and profitably wrong. The security scanner you installed to find vulnerabilities in your dependencies was itself the attack vector. This is not a theoretical concern. It happened, in production, at scale, to some of the most security-conscious engineering teams in the industry.

For information security leaders, the strategic implication is clear: the perimeter of your security programme must extend to encompass the entire software supply chain, including the tools used to build, test, deploy, and secure your software. Every tool that has privileged access to your build environment — your SAST scanner, your SCA tool, your container image builder, your AI coding agent — is a potential attack vector. If it is not version-pinned, hash-verified, network-controlled, and monitored, it is a trust assumption that an adversary can exploit.

For GRC leaders, the implication is equally clear: current compliance frameworks are not sufficient to detect or prevent the attack patterns demonstrated in March 2026. A passing ISO 27001 audit, a clean SOC 2 report, or a compliant NIST CSF implementation does not mean your software supply chain is secure against these attacks. The frameworks must be extended — through explicit supply chain risk management, real-time SBOM monitoring, OIDC-based credential management, and AI-specific security governance.

The good news is that the defensive controls are known, practical, and deployable now. Dependency pinning, cryptographic hash verification, OIDC Trusted Publishing, network egress controls, and real-time SCA monitoring are not experimental technologies. They are available, mature, and relatively inexpensive to implement. The organisations that execute these controls will be significantly less exposed when the next campaign — and there will be a next campaign — targets the next trusted tool in their supply chain.

📌
The One Sentence Summary for Boards and Executives
The tools your developers use to write and secure code — including AI coding assistants, security scanners, and open-source packages — are now primary targets for sophisticated, state-sponsored, and criminal threat actors. Managing this risk requires the same rigour you apply to your production infrastructure: inventory, verification, access control, and continuous monitoring.
JK
Written by Juno David K
Strategic Delivery Leader specialising in Information Security, GRC, AI governance, and enterprise program delivery. With 18+ years of hands-on experience in ISMS implementation, ISO 27001 lead auditing, and cloud security, I write for practitioners who need to act on these developments — not just read about them.
Discuss Your Security Programme → All Articles