Anthropic Claude Code Leak and Supply Chain Attacks Expose Critical Pipeline Weaknesses

April 10, 2026 23:30 · 7 min read
A Ten-Day Streak of Supply Chain Failures

Within a single ten-day window, the software industry witnessed a disturbing series of supply chain compromises and self-inflicted exposures. Attackers struck the Trivy security-scanner project and the widely used Axios JavaScript package, the KICS static-code analyzer maintained by Checkmarx, and the open source LiteLLM Python library. Then, capping the streak, human error led to Anthropic accidentally publishing more than half a million lines of source code belonging to its flagship Claude Code npm package.

Individually, each event might be dismissed as an isolated incident. Collectively, they expose deep and systemic weaknesses in how the global software supply chain is built, maintained, and secured — weaknesses that security researchers say will not be fixed by patching any single component.

How Each Incident Unfolded

Trivy: Misconfigured GitHub Actions and Credential Harvesting

Attackers exploited a misconfigured GitHub Action in the Trivy project, then capitalized on the development team's failure to fully recover from the initial incident. This allowed the threat actors to capture the credentials needed to push malicious code downstream. Once inside, they moved quickly — harvesting additional credentials, pivoting laterally across services, and seeding malicious code throughout connected systems.

Axios: A Compromised Maintainer Account

The Axios JavaScript package — which carries more than 70,000 direct dependencies — was compromised after attackers successfully targeted the lead maintainer's account. The result was backdoor-installing Trojans landing in developer environments across the ecosystem. Because of Axios's massive dependency footprint, security researchers warn the blast radius of that compromise will likely produce significant fallout for some time, particularly within container images.

KICS and LiteLLM: More Pipeline Victims

Checkmarx's open source KICS static-analysis tool was also breached via GitHub Actions. In response, Checkmarx urged developers to revoke and rotate secrets and to audit their GitHub Actions pipelines for suspicious indicators. The open source LiteLLM Python library was similarly caught up in the wave of incidents affecting development tooling.
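The audit Checkmarx recommends can start with a mechanical pass over workflow files. The script below is an added example, not Checkmarx's, GitHub's or any of the affected projects' tooling, and the patterns it flags (actions pinned to mutable tags rather than commit SHAs, `pull_request_target` triggers, `write-all` token permissions) are generic risky configurations, not the specific misconfiguration behind the Trivy or KICS incidents; the sample workflow and its SHA are constructed.

```python
"""Line-based audit of a GitHub Actions workflow for known-risky patterns.
Added example; regex-based on purpose so it needs no YAML library."""
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@(\S+)")


def audit_workflow(text: str) -> list[str]:
    """Return findings with line numbers; an empty list means nothing flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            action, ref = m.groups()
            # Local actions (./path) and docker:// refs are outside this check.
            if not action.startswith((".", "docker://")) and not SHA_PIN.match(ref):
                findings.append(f"line {lineno}: {action}@{ref} uses a mutable ref; pin a full commit SHA")
        stripped = line.strip()
        if stripped.startswith("pull_request_target"):
            findings.append(f"line {lineno}: pull_request_target exposes repository secrets to fork PRs; review any checkout of the PR head")
        if re.match(r"^permissions:\s*write-all", stripped):
            findings.append(f"line {lineno}: permissions: write-all grants the job token every scope; use least privilege")
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: ./.github/actions/local-thing
      - run: go test ./...
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```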

Anthropic's Claude Code: Half a Million Lines Exposed

Unlike the other incidents, Anthropic's leak was not the result of an external attack. Human error led to the publishing of more than 500,000 lines of source code for the Claude Code npm package — a 59.8MB source map uploaded to a public registry because the publish process lacked a basic content check. Anthropic acknowledged the leak and issued copyright violation notices to nearly 100 mirrors on GitHub, while allowing others — including at least one user who employed AI agents to refactor and translate the code into Python and Rust — to continue hosting the software.

According to Jun Zhou, full stack engineer at agentic AI security firm Straiker, which published an analysis of the incident, the leak was particularly striking given the sophistication of Claude Code's own defenses.

"Claude Code had 25-plus bash security validators in its runtime — which is genuinely sophisticated security engineering — but shipped a 59.8MB source map to a public registry because the publish process lacked a basic content check," Zhou said.
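The "basic content check" Zhou describes as missing can be a gate on what `npm pack` would actually put in the tarball. The script below is an added example, not Anthropic's or npm's own tooling: it reads the JSON that `npm pack --dry-run --json` prints and blocks publication if the package would carry source maps, secret-looking files, or exceed a size budget. The forbidden patterns, the size budget and the sample manifest (including its sizes) are assumed or constructed values.

```python
"""Pre-publish content gate for an npm package (added example).
Feed it the output of `npm pack --dry-run --json` before `npm publish`."""
import fnmatch
import json

# Assumed policy: files that must never ship in a public package, and a size budget.
FORBIDDEN_GLOBS = ("*.map", ".env", ".env.*", "*.pem", "*.key", ".npmrc")
MAX_UNPACKED_BYTES = 20 * 1024 * 1024  # 20 MiB


def check_pack_manifest(manifest_json: str,
                        forbidden=FORBIDDEN_GLOBS,
                        max_unpacked=MAX_UNPACKED_BYTES) -> list[str]:
    """Return policy violations; an empty list means the tarball is safe to publish."""
    problems = []
    for pkg in json.loads(manifest_json):
        name = pkg.get("name", "?")
        for entry in pkg.get("files", []):
            path = entry["path"]
            # Match on the basename so a nested dist/cli.js.map is caught as well.
            base = path.rsplit("/", 1)[-1]
            if any(fnmatch.fnmatch(base, g) for g in forbidden):
                problems.append(f"{name}: forbidden file {path} ({entry.get('size', 0)} bytes)")
        if pkg.get("unpackedSize", 0) > max_unpacked:
            problems.append(f"{name}: unpacked size {pkg['unpackedSize']} exceeds budget {max_unpacked}")
    return problems


# Constructed sample mimicking `npm pack --dry-run --json`; the sizes are made up.
SAMPLE_MANIFEST = json.dumps([{
    "name": "example-cli", "version": "1.0.0",
    "unpackedSize": 62_700_000,
    "files": [
        {"path": "package.json", "size": 812},
        {"path": "cli.js", "size": 2_100_000},
        {"path": "cli.js.map", "size": 59_800_000},
        {"path": ".env", "size": 120},
    ],
}])

if __name__ == "__main__":
    violations = check_pack_manifest(SAMPLE_MANIFEST)
    for v in violations:
        print("BLOCK:", v)
    raise SystemExit(1 if violations else 0)  # non-zero exit stops the publish step
```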

Developer Environments: High-Trust, Low-Visibility Targets

Zhou characterizes developer workstations as "credential-rich, high-trust, low-visibility zones," noting that AI coding agents operating inside them are compounding the exposure. This framing highlights a fundamental shift in attacker strategy: rather than targeting end-user systems or even production environments, threat actors are increasingly focused on compromising the pipeline itself.

Rami McCarthy, a principal security researcher at Wiz — a cloud cybersecurity firm and subsidiary of Google — points out that the root causes across these incidents vary considerably. Misconfigured GitHub Actions, social engineering of maintainers, and lapses in credential hygiene each played a role in different breaches. But McCarthy argues that the more serious problem is the cascade of downstream consequences each incident unleashes.

"We've built a global software infrastructure that relies heavily on the volunteer efforts of open source maintainers, which creates an incredibly uneven security surface," McCarthy said. "When an attacker targets the weakest link in a chain of transitive dependencies, the downstream impact is massive, making what should be a 'simple' fix a complex, ecosystem-wide coordination problem."

CI/CD: Continuous Integration, Continuous Exposure

The incidents collectively underscore that CI/CD environments have become a primary target for sophisticated threat actors. These complex pipelines must not only protect sensitive credentials but also manage trusted distribution paths — a setup that, when compromised, allows malware to be pushed downstream to every project that depends on the affected package.

McCarthy advocates treating the software supply chain as critical infrastructure. "This means stronger security around maintainers and publishing, CI/CD environments that assume untrusted dependencies, and ecosystem-wide detection that can surface abnormal package behavior fast," he said.

The Patching Paradox: Newest Is Not Always Safest

One counterintuitive finding from past research compounds the problem. Development teams have broadly interpreted the push to eliminate vulnerabilities as a mandate to always update open source components to the latest version. However, prior studies have found that older versions frequently offer a better balance of patched code and fewer known vulnerabilities — with the third-most-recent version often proving to be the most secure on average.

Tim Mackey, head of software supply chain risk strategy at Black Duck, a software-security firm, notes that the reflexive drive to apply immediate patches is understandable but flawed. "Immediate patching seem[s] reasonable, but in reality teams need to perform a risk-based analysis of their dev processes [since the impact of] the Axios attack may linger for some time — particularly where container images are concerned," he said.

The scale of the problem is reflected in Black Duck's Open Source Security and Risk Analysis (OSSRA) report, which found that in 2025, nearly two-thirds of organizations — 65% — admitted to being a victim of a software supply chain attack in the past 12 months.

Why the Claude Code Leak Has Long-Term Implications

The exposure of Claude Code's source is not just an embarrassing disclosure for Anthropic — it represents a potential long-term security liability. Jesus Ramon, an AI red team member at Straiker, explains that the leaked code revealed the full architecture of Claude Code's context pipeline, sandbox boundaries, and permission validators. That information gives attackers a detailed blueprint for crafting payloads that can persist through context compaction and target gaps in the security chain.

Ramon also flags a new class of threat specific to AI agents: attack persistence through poisoned instructions.

"Traditional compromised packages execute in a bounded runtime: a coding agent has access to your entire file system, shell, network, and MCP servers, so the blast radius is an entire developer workstation," he said. "AI agents also introduce a new class of attack persistence: a poisoned instruction can survive context compaction and re-emerge as what the model treats as a legitimate directive, then flow into pull requests and production code."

Ramon characterizes the situation as one where AI development workflows are moving faster than the security practices designed to protect them — a gap that could have consequences far beyond any single leaked package.

What Organizations Should Do Now

Security researchers across these incidents converge on several practical recommendations for enterprises seeking to harden their pipelines:

The string of incidents from late March through early April 2026 serves as a stark reminder that the most dangerous vulnerabilities in modern software development may not be found in the code itself — but in the pipelines, maintainers, and processes that deliver it.


Source: Dark Reading