Supply Chain Attacks Are Targeting Businesses Right Now in 2026 — Here Is What We Are Doing About It
- Morgan Ellis

Published April 1, 2026 — Chibitek Security Team
There are currently two separate, active supply chain attacks making headlines across the cybersecurity world — and the Chibitek team has been on both since they broke. We want to be transparent with our clients and the broader community about what is happening, what it means, and exactly what we have already done to protect the businesses we serve.
What Is a Supply Chain Attack?
Before diving in, it helps to understand what makes supply chain attacks so dangerous. Rather than targeting your company directly, attackers compromise a piece of trusted software or a tool that you — or your vendors — rely on every day. Once that trusted tool is poisoned, the attack slips in through the side door. Everything appears to be working normally while the damage is happening in the background. This is what makes them so difficult to catch without a proactive monitoring partner.

Attack One: TeamPCP and the Trivy Compromise (March 19, 2026 — Ongoing)
On March 19, 2026, a sophisticated threat group known as TeamPCP launched a coordinated supply chain attack targeting Trivy — one of the most widely used open-source security scanning tools in the world. Rather than attacking organizations head-on, they compromised Trivy's own distribution channels, turning a trusted security tool into a credential-harvesting weapon.
The attackers injected malicious code into official release versions and GitHub Actions workflows. Any organization whose software pipelines pulled from these sources during the exposure window was unknowingly running the attacker's code — code designed to steal cloud credentials, SSH keys, API tokens, and Kubernetes secrets from the affected systems. The campaign has since expanded to additional tools including Checkmarx and LiteLLM, and estimates put the number of affected enterprise environments at over 1,000 globally.
This campaign is tracked as CVE-2026-33634 and has been covered extensively by Microsoft Security, Arctic Wolf, Wiz Research, and others. As of today, it is still active and evolving.
Attack Two: The Axios Supply Chain Compromise (Disclosed April 1, 2026 — Today)
Just today, Elastic Security Labs disclosed a second, separate supply chain attack — this one targeting Axios, one of the most downloaded JavaScript libraries in existence. Axios is used by millions of developers and embedded in countless web applications, internal tools, and automated workflows around the world.
Malicious versions of Axios (1.14.1 and 0.30.4) were published to the npm package registry. These versions introduced a hidden dependency — plain-crypto-js@4.2.1 — that quietly executed during installation and deployed a cross-platform backdoor. The payload worked silently across Windows, macOS, and Linux. On Windows, a renamed PowerShell binary was used to establish persistence through the system registry. On macOS, the malware disguised itself using Apple-style naming conventions to avoid detection. On Linux, a Python-based remote access tool was deployed that beacons back to attacker infrastructure every 60 seconds.
In all cases, the malware was designed to look like normal activity. Nothing would appear broken. No error messages. Scans would complete as expected. The attack would simply run underneath, gathering and transmitting sensitive data to the attacker's command-and-control server.
Elastic Security Labs filed the disclosure to the Axios repository on March 31, 2026 and published their full technical analysis today. The malicious packages have been removed, but any environment that pulled these versions during the exposure window should be treated as potentially compromised.
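As an added illustration (not Chibitek's own tooling, and not code from the Elastic disclosure), the following Node.js script checks an npm lockfile for the two Axios versions and the plain-crypto-js@4.2.1 dependency named above. The lockfile is a constructed sample, and the install-script check assumes the payload ran through an npm lifecycle script, which the post itself does not state.

```javascript
// Added example (not Chibitek's own tooling): flag the malicious Axios releases and
// the hidden plain-crypto-js dependency in an npm lockfile (lockfileVersion 2 or 3,
// whose "packages" map keys are install paths). The lockfile below is constructed.

// Package versions the post names as malicious.
const KNOWN_BAD = {
  "axios": new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};
// Package name from a path such as "node_modules/a/node_modules/@scope/b".
function packageName(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// One finding per suspicious lockfile entry.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path);
    const bad = KNOWN_BAD[name];
    if (bad && bad.has(meta.version)) {
      findings.push({ path, name, version: meta.version, reason: "known malicious version" });
    }
    // Assumption: the payload ran through an npm lifecycle (install) script, which
    // npm records as hasInstallScript; surface every such entry for manual review.
    if (meta.hasInstallScript === true) {
      findings.push({ path, name, version: meta.version, reason: "declares install script" });
    }
  }
  return findings;
}

// Constructed sample: a project that resolved axios to the malicious release.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Against a real project, pass the parsed contents of its package-lock.json to scanLockfile; a hit on a known-bad version means the environment should be treated as potentially compromised, as the post says.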
What Chibitek Has Already Done
We did not wait for our clients to call us. That is not how we operate.
As soon as each of these threats came to light, our security team pushed blocks for all known malicious network indicators — including the attacker's command-and-control domains and IP addresses — to every firewall we manage on behalf of our clients. We are actively scanning all devices enrolled in our monitoring systems that are currently online, looking for indicators of compromise from both campaigns. Our team is tracking both situations in real time and will continue to take additional protective action as new threat intelligence becomes available.
This is the value of having a proactive managed security partner — not waiting for something to go wrong, but working ahead of the threat so our clients never have to find out the hard way.
What You Need to Know If You Are a Chibitek Client
Our monitoring and protection only cover devices where our agent is installed and enrolled. If anyone at your organization is unsure whether a particular device — especially a personal laptop, a developer machine, or a recently set up workstation — has our agent on it, please reach out to us immediately. Do not wait.
You can reach our team at support@chibitek.com, via Teams chat, or through our emergency support line. No question is too small — that is genuinely what we are here for.
The Bigger Picture
Two significant, unrelated supply chain attacks in the same two-week window is not a coincidence — it is a reflection of where the threat landscape is heading in 2026. Attackers are no longer primarily breaking down the front door. They are quietly compromising the tools, libraries, and services that businesses trust implicitly. The software you install. The pipelines that run automatically. The updates that happen in the background.
This is exactly the environment Chibitek was built for. We are not a break-fix shop. We are not a helpdesk that responds when something breaks. We are an AI-driven managed security and IT partner that monitors, responds, and acts — so that you can focus on running your business with confidence.
We will continue to post updates as the situation develops. If you have questions or concerns, our team is reachable at support@chibitek.com.
Additional Reading
Elastic Security Labs — Axios Supply Chain Compromise Detections: https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
Microsoft Security Blog — Detecting and Defending Against the Trivy Compromise: https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
Arctic Wolf — TeamPCP Supply Chain Attack Campaign: https://arcticwolf.com/resources/blog/teampcp-supply-chain-attack-campaign-targets-trivy-checkmarx-kics-and-litellm-potential-downstream-impact-to-additional-projects/
Wiz Research — Trivy Compromised by TeamPCP: https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack