A surge of supply-chain attacks over the past week is exposing how quickly localized compromises can cascade across the modern software ecosystem. According to Vulnerable U's Matt Johansen, multiple large-scale incidents have unfolded in rapid succession, affecting npm and PyPI packages, developer tools and even widely used libraries like Axios.
What stands out is not just the volume, but the overlap. These incidents are not tied to a single threat actor or campaign. Instead, multiple groups appear to be exploiting the same structural weaknesses in how software is built, distributed, and trusted.
The result: a growing sense across the security community that this is less a series of isolated breaches and more a systemic event.
From Pipeline Compromise to Ecosystem Exposure
In a livestream Thursday, Johansen delivered a timeline that begins with the compromise of Trivy, a widely used security scanning tool, through abuse of GitHub and CI/CD pipelines. Attackers reportedly obtained GitHub tokens, enabling them to push malicious code into trusted release channels.
Once those releases were pulled into downstream environments, the attack chain expanded quickly. Compromised pipelines led to credential harvesting, which in turn enabled further access across Docker Hub, npm, and PyPI ecosystems.
A key inflection point came with LiteLLM, which sits centrally in many AI-driven application stacks. Because it interacts with multiple services and environments, it provided attackers with access to a broad set of secrets, including API keys and authentication tokens.
At that stage, the campaign shifted from initial compromise to large-scale collection – gathering credentials and access points that could be used well beyond the initial intrusion.
Johansen's analysis comes on the heels of a recent CYBR.SEC.CAST appearance where industry veteran Theresa Lanowitz warned that the software supply chain has quietly become one of the most critical and least controlled risk areas in cybersecurity.
“We’re advancing rapidly in innovation,” Lanowitz said. “But many of the same core issues are still there. We’ve just changed the form, from SQL injection to prompt injection.”
That shift — from traditional vulnerabilities to AI-driven risks — is reshaping how organizations think about security. AI is accelerating code generation at unprecedented speed, but it’s also introducing new, less visible risks into the software supply chain. Developers are no longer just writing code — they’re assembling it from open-source repositories, third-party components, and increasingly, AI-generated outputs.
The result is a sprawling, fragmented ecosystem where visibility is limited and accountability is unclear.
Downstream Impact Spreads Across Vendors
The effects are now surfacing across multiple organizations. Johansen points to downstream exposure involving companies such as Checkmarx, LiteLLM, Mercor and Cisco, where sensitive data — including SSH keys, AWS credentials, Kubernetes secrets, and TLS certificates — has been accessed.
Some of this data is already being monetized or used in follow-on attacks, while other portions may remain dormant. That uncertainty is a defining feature of the current situation: defenders are dealing not only with confirmed compromise, but with unknown future risk tied to stolen credentials.
Compounding the issue, a separate supply-chain attack attributed to North Korean actors targeted Axios, a widely used npm package. While unrelated to the earlier incidents, it followed a similar model, leveraging trusted software distribution channels to propagate malicious code.
No Clear Way to Scope the Damage
For security teams, the immediate challenge is visibility. Organizations may not know whether they have been affected, particularly if compromised components were introduced indirectly through dependencies.
Even teams that do not directly use tools like Trivy or Axios may still be exposed through upstream or downstream integrations. This interconnectedness makes traditional incident scoping difficult, if not impossible, in the short term.
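The scoping problem described above, that a compromised package can arrive indirectly through a dependency of a dependency, is something a team can at least inventory from its lockfiles. The following is an added example, not code from the article or from Johansen's analysis: it walks an npm package-lock.json (both the lockfileVersion 2/3 "packages" map and the older v1 nested "dependencies" tree), extracts every installed package including transitive ones buried under nested node_modules paths, and reports those matching a watchlist. The sample lockfile, the package names and the watchlist versions are constructed placeholders for illustration; they are not indicators from the incidents in the article.

```python
"""Inventory a package-lock.json for watchlisted packages, including
transitive dependencies installed under nested node_modules paths."""
import json

# Constructed lockfile (npm lockfileVersion 3) standing in for a real project.
# Package names and versions are illustrative only, not real indicators.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"web-client": "^1.0.0"}},
        "node_modules/web-client": {
            "version": "1.0.0",
            "dependencies": {"axios": "^1.2.0"},
        },
        # Nested copy: only reachable through web-client, so a direct
        # dependency listing would miss it.
        "node_modules/web-client/node_modules/axios": {"version": "1.2.3"},
        "node_modules/axios": {"version": "1.9.9"},
        "node_modules/@scope/util": {"version": "0.1.0"},
    },
})

# Watchlist: package name -> set of affected versions, or None for "any version".
# Constructed placeholders; populate from vendor advisories in real use.
WATCHLIST = {
    "axios": {"1.2.3"},
    "@scope/util": None,
}


def package_name(path):
    """Return the package name from a lockfile path, keeping npm scopes:
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    idx = path.rfind("node_modules/")
    if idx < 0:
        return None  # the "" root entry describes the project itself
    return path[idx + len("node_modules/"):]


def iter_packages(lock):
    """Yield (name, version, path) for every installed package, handling
    lockfileVersion >= 2 ("packages") and the v1 nested "dependencies" tree."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            name = package_name(path)
            if name:
                yield name, meta.get("version"), path
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_watchlisted(lock_text, watchlist):
    """Return one dict per installed package that matches the watchlist.
    'transitive' is True when the package sits below another package."""
    lock = json.loads(lock_text)
    hits = []
    for name, version, path in iter_packages(lock):
        if name not in watchlist:
            continue
        affected = watchlist[name]
        if affected is None or version in affected:
            hits.append({
                "name": name,
                "version": version,
                "path": path,
                "transitive": path.count("node_modules/") > 1,
            })
    return hits


if __name__ == "__main__":
    for hit in find_watchlisted(SAMPLE_LOCK, WATCHLIST):
        print(hit)
```

Run against a real lockfile by reading the file instead of SAMPLE_LOCK; the "path" field shows which parent pulled the package in, which is what turns an "are we affected?" question into a concrete list of dependents to patch or pin. The same walk can be repeated over every repository's lockfile to build the inventory that the rotation step that follows depends on.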
Johansen’s guidance reflects that reality: assume compromise and act accordingly. That includes rotating API keys, tokens, and other credentials tied to GitHub, CI/CD pipelines, and environment variables.
The urgency is driven by timing. Attackers are still assessing what they’ve obtained, meaning additional exploitation may follow in the coming weeks.
A Structural Problem, Not a One-Off
Taken together, these incidents highlight a deeper issue in software security. Modern development relies heavily on automated trust: pulling code from repositories, integrating third-party packages, and deploying updates with minimal friction.
That model enables speed and scale, but also creates systemic risk. When attackers gain access to trusted components, they can move laterally across ecosystems with little resistance.
As multiple threat actors converge on the same attack surface, the software supply chain is becoming a primary battleground, one where defenders currently lack clear lines of containment.
Given the current malignant geopolitical situation, supply chain compromises will increasingly become the trenches where cyber warfare is fought.
