{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/software-compromise/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","software-compromise","github"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eIn early 2026, a surge in supply chain attacks has been observed, impacting widely used open-source libraries and tools. Notably, Axios, a popular HTTP client library for JavaScript with 100 million weekly downloads, was maliciously modified. Additionally, the \u0026ldquo;chaos-as-a-service\u0026rdquo; group TeamPCP injected malicious code into hijacked GitHub repositories for open-source projects, including Trivy, a security scanner. The Talos 2025 Year in Review indicated that nearly 25% of the top 100 targeted vulnerabilities affected widely used frameworks and libraries. React2Shell became the top-targeted vulnerability of 2025. These incidents highlight the fragility of the software supply chain and the potential for widespread downstream impact, affecting numerous organizations relying on these compromised components. Defenders face the challenge of identifying and remediating deeply integrated malicious code within their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e TeamPCP compromises GitHub repositories of open-source projects like Trivy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e Malicious code is injected into the project\u0026rsquo;s codebase within the compromised GitHub repository.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Build and Distribution:\u003c/strong\u003e The compromised code is included in a new version of the software package during the build process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution via Package Managers:\u003c/strong\u003e The malicious package is distributed through package managers like npm, becoming available for download by developers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDownstream Consumption:\u003c/strong\u003e Developers unknowingly download and integrate the compromised package into their applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution in Downstream Environments:\u003c/strong\u003e The malicious code executes within the developers\u0026rsquo; applications and environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration/Ransomware:\u003c/strong\u003e The injected code performs malicious actions such as data exfiltration or establishing a reverse shell for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment across numerous downstream victims.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of widely used libraries and frameworks like Axios and Trivy can have a vast impact, potentially affecting millions of users and organizations. The Axios library alone receives 100 million downloads weekly. The successful exploitation of the React2Shell vulnerability demonstrates the speed at which these attacks can reach massive scale. The resulting damage can range from data breaches and system compromise to ransomware deployment, affecting organizations across various sectors. The integration of these utilities often makes full cataloging and remediation challenging, leading to prolonged exposure and increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecure CI/CD pipelines to prevent compromises from occurring, addressing the attack vector used by TeamPCP.\u003c/li\u003e\n\u003cli\u003eImplement robust logging to monitor for suspicious activity related to compromised packages and aid in incident response.\u003c/li\u003e\n\u003cli\u003eOrganizations must inventory the software libraries and frameworks they employ and rapidly implement patching and other mitigations when security incidents are reported.\u003c/li\u003e\n\u003cli\u003eImplement robust multi-factor authentication (MFA) to protect developer accounts on platforms like GitHub.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T17:31:42Z","date_published":"2026-04-03T17:31:42Z","id":"/briefs/2026-04-supply-chain-attacks/","summary":"Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.","title":"Rise in Software Supply Chain Attacks Targeting Open-Source Libraries","url":"https://feed.craftedsignal.io/briefs/2026-04-supply-chain-attacks/"}],"language":"en","title":"CraftedSignal Threat Feed — Software-Compromise","version":"https://jsonfeed.org/version/1.1"}