Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The JavaScript ecosystem experienced a significant supply chain incident on 31 March 2026 when two newly published Axios versions were found to contain a malicious dependency. Axios is one of the most widely used HTTP clients in both browser and Node.js environments, with weekly downloads ranging from 80 to over 100 million. The compromise impacted organisations across sectors that rely on the package for service integration and automation.

The LiteLLM supply chain compromise of March 24, 2026, is not an isolated incident. It is the latest and perhaps most dangerous chapter in an evolving attacker playbook that JFrog Security Research has been tracking for years. The target has shifted from developers to the AI agents that developers now rely on to build software.

On March 31, 2026, two malicious versions of axios, the enormously popular JavaScript HTTP client with over 100 million weekly downloads, were briefly published to npm via a compromised maintainer account. The packages contained a hidden dependency that deployed a cross-platform remote access trojan (RAT) to any machine that ran npm install (or equivalent in other package managers like Bun) during a two-hour window. The malicious versions (1.14.1 and 0.30.4) were removed from npm by 03:29 UTC.

Security vendors have linked recent incidents involving trusted software components to a supply chain attack campaign by TeamPCP, a cloud-focused threat actor group. The reported activity involved three widely used types of development components, which include.

Part 1 covered CanisterWorm, the self-spreading npm worm. Part 2 covered the malicious LiteLLM package and its.pth persistence. This post covers the third wave: a compromised telnyxPyPI package that hides its payload inside audio files and delivers entirely different malware depending on the victim’s operating system.

Supply chain attacks cascade through ecosystems in ways traditional metrics hardly capture. GitGuardian evaluates the PCP Team incidents and finds damage spread to thousands of public targets.

A supply chain compromise that impacted the Python package LiteLLM, with malicious versions 1.82.7 and 1.82.8 was published to PyPI on March 24, 2026. Bitsight Threat Intelligence, public reporting and vendor disclosures indicate the malicious releases included credential harvesting, Kubernetes-focused lateral movement, and persistence mechanisms, creating serious risk for cloud-native and AI-related environments that installed or ran the affected versions.

Learn how to detect compromise, assess your exposure to the LiteLLM supply chain attack, and use GitGuardian to orchestrate rapid incident response and secret remediation.

The threat actor TeamPCP has recently launched a coordinated campaign targeting security tools and open-source developer infrastructure by pivoting with stolen CI/CD secrets and signing credentials (such as GitHub Actions tokens and release signing keys). At the time of writing, repositories for Trivy, Checkmarx, and LiteLLM have been impacted, and reports indicate that at least 1,000 enterprise software-as-a-service (SaaS) environments may be affected by this threat campaign.