Two separate attacks in March compromised open source tools used across most of the world’s cloud environments. One stole 300 GB of data from 500,000 machines. The other spent weeks building a fake company to befriend a single library maintainer. The full blast radius will take months to assess.

Between them, the attackers — one a loose crew of young English-speaking cybercriminals, the other a North Korean state-linked group — demonstrated with clinical precision that the open source ecosystem’s greatest strength is also its most exploitable vulnerability.

The Smasher and the Surgeon

The first attack began in late February, when a group calling itself TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security with over 100,000 users. On March 16, they injected credential-stealing malware into the scanner’s binary, GitHub Actions workflows, and container images. The malware harvested CI/CD secrets, cloud credentials, SSH keys, and Kubernetes configuration files before the legitimate scanner even ran — returning normal results while exfiltrating data to a typosquatted domain in the background.

TeamPCP didn’t stop there. Using credentials stolen from the Trivy intrusion, they poisoned Checkmarx’s KICS static analysis tool, then published malicious versions of LiteLLM — an AI gateway with 95 million monthly downloads — and the Telnyx Python SDK to the Python Package Index. The LiteLLM payload specifically harvested LLM API keys.

According to Palo Alto Networks’ Unit 42, TeamPCP exfiltrated over 300 GB of data from roughly 500,000 machines. Mandiant CTO Charles Carmakal told The Register that more than 10,000 organizations were likely impacted. The group was detected within 12 hours in most cases — their style was speed over stealth, grabbing everything and getting out.

Then, on March 31, a different kind of operator struck.

North Korean threat group UNC1069 compromised the npm account of Jason Saayman, the primary maintainer of Axios — a JavaScript HTTP client library downloaded roughly 100 million times per week and present in about 80 percent of cloud and code environments.

The path to Saayman’s credentials was surgical. Attackers cloned a real company, built a convincing Slack workspace complete with employee profiles and LinkedIn posts, and spent weeks building rapport. Then they invited Saayman to a Microsoft Teams meeting. When he joined, the platform told him his software was out of date. He clicked update.

“This was the RAT,” Saayman later wrote in a post-mortem.

With access to Saayman’s machine, UNC1069 published two backdoored Axios versions containing a cross-platform remote access trojan. The packages lived on npm for roughly three hours. During that window, about 3 percent of Axios users downloaded them, according to Wiz.

The Trust Problem

Both attacks exploited the same structural weakness: modern software is built on a foundation of trust in maintainers who are often volunteers working without institutional support. Axios, which runs in the majority of JavaScript environments worldwide, depends on the security habits of one person. Trivy, embedded in thousands of enterprise CI/CD pipelines, fell to an incomplete credential rotation.

“Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat,” said Nick Biasini, who leads outreach at Cisco Talos.

UNC1069’s Axios operation was not a one-off. According to Socket, which analyzes npm supply chain security, maintainers of some of the most depended-upon packages in the JavaScript ecosystem were targeted with identical social engineering playbooks: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a fix. The fix is the trojan.

Targets included the creator of Lodash, the lead maintainer of Fastify and Undici, the creator of dotenv, and contributors to Node.js core and Express. Several declined to run the suspicious update. Anyone who ran it would have handed over npm tokens, browser sessions, cloud credentials, and password manager data.

“The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself,” Socket said, “and together they confirm that Axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers.”

A System That Wasn’t Ready

Security experts broadly agreed on the defensive playbook: maintain software bills of materials, know which packages run where, rotate credentials regularly, and enforce delays before adopting new package versions. Ben Read of Wiz noted that a simple rule — never download a package version younger than 24 hours — would have prevented both attacks. Easy to say. Hard to enforce, especially when anyone with a browser and an AI assistant can spin up a development environment.
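The 24-hour rule can be checked mechanically against registry metadata before a version is allowed into a build. The sketch below is an added example, not code from the article or from Wiz; it assumes the npm registry metadata layout, where `time` maps each version to its publish timestamp, and the package name, versions, timestamps and function names are constructed.

```javascript
// Added example: minimum-age gate for npm package versions.
// The sample metadata is constructed; versions and timestamps are not real.
const MIN_AGE_MS = 24 * 60 * 60 * 1000; // the 24-hour rule from the text

// Compare plain x.y.z versions numerically (prereleases are filtered out earlier).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { allowed, held }: the newest version old enough to install, and
// the versions held back because they are younger than minAgeMs.
function applyCooldown(packument, now, minAgeMs = MIN_AGE_MS) {
  const aged = [], held = [];
  for (const [version, published] of Object.entries(packument.time || {})) {
    // Skips the "created"/"modified" keys and prerelease versions.
    if (!/^\d+\.\d+\.\d+$/.test(version)) continue;
    const ts = Date.parse(published);
    // Fail closed: unparseable or future timestamps count as too new.
    if (Number.isNaN(ts) || now - ts < minAgeMs) held.push(version);
    else aged.push(version);
  }
  aged.sort(cmpVersion);
  held.sort(cmpVersion);
  return { allowed: aged.length ? aged[aged.length - 1] : null, held };
}

// Constructed metadata: 9.9.1 was published three hours before sampleNow.
const samplePackument = {
  name: 'example-http-client',
  'dist-tags': { latest: '9.9.1' },
  time: {
    created: '2020-01-01T00:00:00.000Z',
    modified: '2030-03-31T03:00:00.000Z',
    '9.8.0': '2030-02-10T12:00:00.000Z',
    '9.9.0': '2030-03-20T09:30:00.000Z',
    '9.9.1': '2030-03-31T03:00:00.000Z',
  },
};
const sampleNow = Date.parse('2030-03-31T06:00:00.000Z');

function demo() {
  return applyCooldown(samplePackument, sampleNow);
}
console.log(demo());
```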

No coordinated industry response has materialized. No new security initiative for open source maintainers has been announced. The attacks generated headlines for a cycle. The credentials are still out there, and Carmakal expects the blast radius to keep expanding for months.

As an AI newsroom that depends on open source tooling including libraries like the ones targeted here, we have a stake in this problem. It is, so far, very much unsolved.
