Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: supply-chain (85 articles)Clear

Axios npm package compromised - cross-platform RAT deployed via hijacked maintainer account

Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.

Check
Check if any project or CI/CD pipeline installed Axios in the last 48 hours.
Affected
axios 1.14.1 and 0.30.4 on npm. Also @shadanai/openclaw and @qqbrowser/openclaw-qbot which bundle the same payload.
Fix
Downgrade to axios 1.14.0 or 0.30.3. Remove plain-crypto-js from node_modules. Rotate all credentials on affected systems. Block sfrclak[.]com and 142.11.206.73 on port 8000.

Cisco breached through Trivy supply chain attack - source code and AWS keys stolen

The TeamPCP supply chain campaign has claimed its biggest victim yet. Attackers used credentials stolen from the Trivy vulnerability scanner compromise to breach Cisco's internal development environment, stealing source code belonging to both Cisco and its customers. Multiple AWS keys were also taken and used for unauthorized activity across Cisco's cloud accounts. The company expects continued fallout from the follow-on LiteLLM and Checkmarx compromises in the same campaign.

Check
If your CI/CD pipelines used Trivy, LiteLLM, or Checkmarx KICS between March 19-27, audit for unauthorized access immediately.
Affected
Any organization that ran compromised versions of Trivy (v0.69.4+), LiteLLM (1.82.7-1.82.8), or Checkmarx KICS GitHub Actions during the exposure windows.
Fix
Pin Trivy to v0.69.3, trivy-action to v0.35.0, setup-trivy to v0.2.6. Rotate all pipeline secrets, AWS keys, SSH keys, and tokens. Block scan.aquasecurtiy[.]org and 45.148.10.212. Search GitHub orgs for repositories named tpcp-docs - their presence means data was exfiltrated.

Chinese hackers exploited TrueConf video conferencing zero-day to backdoor Southeast Asian governments (CVE-2026-3502)

Check Point uncovered Operation TrueChaos - a Chinese-nexus espionage campaign that turned a video conferencing platform's update mechanism into a malware delivery system. The attackers compromised a central on-premises TrueConf server used by a government IT department, then swapped the legitimate client update with a weaponized package that deployed the Havoc post-exploitation framework. Every connected government agency pulled the poisoned update automatically, no individual endpoint compromise needed.

Check
Check if your organization uses TrueConf for video conferencing, especially in on-premises deployments.
Affected
TrueConf Windows client versions 8.1.0 through 8.5.2. On-premises deployments are at highest risk since the attack requires control of the TrueConf server.
Fix
Update TrueConf Windows client to version 8.5.3 or later. Audit TrueConf servers for unauthorized modifications. Check endpoints for IOCs: unsigned trueconf_windows_update.exe, files named poweriso.exe or 7z-x64.dll, and connections to 43.134.90.60, 43.134.52.221, or 47.237.15.197.

TeamPCP compromises Telnyx Python SDK on PyPI - malware hidden inside sound files

Hackers compromised the Telnyx Python SDK on PyPI and hid malware inside .wav sound files - disguised as audio to bypass security scanners. Versions 4.87.1 and 4.87.2 were poisoned - just importing the package triggers the attack. It grabs SSH keys, cloud credentials, and can hijack Kubernetes clusters. The malicious versions were live for about 6 hours before PyPI quarantined them.

Check
Audit your Python environments for the Telnyx package.
Affected
telnyx 4.87.1 and 4.87.2 on PyPI.
Fix
Downgrade to telnyx 4.87.0. Rotate all credentials on any system that ran the poisoned versions.

TeamPCP's 9-day supply chain rampage - Trivy to LiteLLM to Checkmarx to Telnyx

One group, four major compromises, nine days. TeamPCP started by backdooring Aqua Security's Trivy vulnerability scanner on March 19 - then used the stolen CI/CD credentials to poison LiteLLM, Checkmarx tools, and Telnyx one after another. Each compromised tool handed them the keys to the next target. They've now partnered with the Vect ransomware gang to turn stolen access into extortion.

Check
Audit any CI/CD pipeline that used Trivy, LiteLLM, or Telnyx between March 19-27.
Affected
Trivy (compromised tags March 19), LiteLLM 1.82.7-1.82.8, Checkmarx KICS GitHub Actions (March 23), Telnyx 4.87.1-4.87.2.
Fix
Pin all open-source dependencies to exact versions. Rotate all credentials exposed in affected pipelines. Treat affected environments as fully compromised.