Threat Research

Supply Chain Attacks Surge in March 2026

ZScaler
Supply Chain Attacks Surge in March 2026
March 2026 saw a wave of high-profile software supply-chain attacks, including an Axios NPM compromise and malicious PyPI releases of LiteLLM that were used to deliver cross-platform RATs and credential-harvesting payloads. Both incidents involved maintainer account compromise or malicious publishes that executed code at install/startup and contacted C2 infrastructure. #Axios #LiteLLM

Keypoints

  • Five major software supply-chain attacks occurred in March 2026, with Axios and LiteLLM among the high-impact compromises highlighted.
  • The Axios NPM package was compromised via an account takeover of a lead maintainer; malicious versions added a dependency (plain-crypto-js) that ran a postinstall script to deploy a cross-platform RAT contacting sfrclak[.]com.
  • TeamPCP is linked to multiple supply-chain compromises and published malicious LiteLLM PyPI versions that delivered payloads designed to harvest AWS/GCP/Azure tokens, SSH keys, and Kubernetes credentials.
  • LiteLLM deliveries included a startup-executed .pth file (litellm_init.pth) and an obfuscated import-time payload in proxy_server.py, enabling code execution on any Python start or on import.
  • Recommended mitigations include rotating/revoking secrets, enforcing MFA and least privilege, restricting build/publish workflows to trusted registries and protected runners, applying strict lockfile usage, and scanning for suspicious dependency changes.
  • Zscaler added detections for these threats (multiple JS/Python/OSX RAT/Trojan signatures) and published IOCs including hashes, domains, and an IP address to help defenders detect related activity.

MITRE Techniques

  • [T1195 ] Supply Chain Compromise – The attacks involved malicious package publishes and poisoned dependencies that delivered malware via normal package install/startup (‘These poisoned releases inject a hidden dependency called [email protected]’).
  • [T1078 ] Valid Accounts – The Axios compromise was achieved through an account takeover of a lead maintainer, allowing the attacker to publish malicious versions (‘compromised through an account takeover attack targeting a lead maintainer’).
  • [T1059 ] Command and Scripting Interpreter – Malicious postinstall and startup scripts executed platform-specific payloads via scripts such as node setup.js, Python .pth execution, and PowerShell/OSX scripts (‘the postinstall script ran a setup.js script via node’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – Compromised packages contacted command-and-control infrastructure and exfiltration endpoints over web protocols (HTTP/S) (‘contacts command-and-control (C2) infrastructure at sfrclak[.]com’).

Indicators of Compromise

  • [Domain ] C2 and exfiltration hosts – sfrclak[.]com (Axios C2), models[.]litellm[.]cloud (LiteLLM exfiltration URL)
  • [IP Address ] Observed network connection – 142.11.206[.]73 (search for connections from developer workstations and CI/CD systems)
  • [File hash ] Malicious package and payload hashes – axios 0.30.4: e56bafda15a624b60ac967111d227bf8, litellm_init.pth: cde4951bee7e28ac8a29d33d34a41ae5 (and other hashes listed in the report)
  • [File name ] Malicious filenames or scripts – setup.js (Axios postinstall payload), litellm_init.pth (LiteLLM startup-executed file)
  • [Package / Version ] Compromised packages and versions – Axios 1.14.1 and 0.30.4 (malicious releases), LiteLLM v1.82.7 and v1.82.8 (malicious PyPI releases)
  • [Package name ] Malicious dependency introduced – plain-crypto-js (dependency injected into compromised Axios releases)

Read more: https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026