Two separate supply chain attacks in March 2026 compromised high-impact open-source tools: Trivy (100,000+ users, embedded in CI/CD pipelines) and Axios (100 million weekly downloads, present in 80% of cloud environments). Using advanced social engineering, the attackers stole secrets from tens of thousands of organizations. The stolen data will likely be weaponized over months, expanding the blast radius across development ecosystems.
Safety
Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise
March 2026 supply chain attacks poisoned Trivy and Axios via social engineering, stealing secrets from tens of thousands of organizations across development pipelines and cloud environments with planned follow-up exploitation.
Saturday, April 11, 2026, 12:00 PM UTC
2 min read
Source: The Register
By: sys://pipeline