What Happened
On March 30, 2026, attackers compromised the Axios NPM package by taking over a maintainer's account. Axios, a widely used HTTP client library in JavaScript, was injected with malicious code to exfiltrate data from applications using the compromised version. The attack lasted three hours before detection and quarantine.
In a related incident, the LiteLLM package on PyPI was also compromised for about three hours through similar account takeover methods. Both attacks were linked to organized threat actors, including the TeamPCP hacking group and North Korean state-sponsored operators.
Timeline
March 30, 2026 - Axios Compromise:
- Attackers accessed a maintainer account.
- A malicious version was published to the NPM registry.
- Applications downloaded the package during normal updates.
- Detection and quarantine occurred after a three-hour exposure.
LiteLLM Incident (March 2026):
- Account takeover executed.
- Compromised version published to PyPI.
- Three-hour window before quarantine.
- Zscaler and other security vendors issued coverage recommendations.
This timeline shows how quickly supply chain attacks can spread through modern CI/CD pipelines. Your automated build process, designed for speed, can become an attack vector.
Which Controls Failed or Were Missing
1. Account Protection
Both incidents began with account takeovers. The maintainer accounts lacked sufficient authentication controls to prevent credential-based compromise. There was no evidence of MFA being enforced on these critical publishing accounts.
2. Code Signing and Verification
The malicious packages were published without cryptographic verification of the publisher's identity. Your package manager accepted the new version based solely on account credentials, not cryptographic proof of authorship.
3. Automated Dependency Monitoring
The three-hour detection window indicates missing real-time monitoring of dependency changes. Your build pipeline likely pulled these packages automatically without behavioral analysis or anomaly detection.
4. Version Pinning and Lock Files
Applications using flexible version ranges (e.g., ^1.0.0 or ~2.3.0) automatically pulled the malicious versions. Teams that hadn't implemented strict version pinning became instant victims.
5. Network Egress Controls
The malicious code successfully exfiltrated data, indicating missing or insufficient network monitoring and egress filtering in the runtime environment.
What the Relevant Standard Requires
PCI DSS v4.0.1 Requirement 6.3.2 mandates secure development of custom software based on industry standards, including third-party components. Failing to verify the integrity of third-party code before integration violates this control.
PCI DSS v4.0.1 Requirement 6.4.3 requires that all scripts loaded and executed in the payment page are authorized and managed. This principle extends to all third-party code execution in your environment. You must maintain an inventory and verify the integrity of external dependencies.
ISO/IEC 27001:2022 Control 8.30 (Outsourcing) requires managing security risks associated with external suppliers. Your dependency on open-source maintainers constitutes an outsourcing relationship. The control requires you to verify that security practices are maintained throughout the supply chain.
NIST Cybersecurity Framework PR.DS-6 (Integrity checking mechanisms) requires verification mechanisms for software integrity. Your package manager must verify cryptographic signatures before accepting updates.
NIST 800-53 Rev 5 Control SA-12 (Supply Chain Protection) requires protection against supply chain threats through acquisition strategies, contract tools, and monitoring. Accepting packages without verification mechanisms fails this control entirely.
OWASP Top 10 2021 A06:2021 – Vulnerable and Outdated Components directly addresses this risk. The guidance requires continuous inventory of component versions, monitoring for vulnerabilities, and obtaining components only from official sources over secure links.
Lessons and Action Items for Your Team
Implement Publisher Verification Immediately
Enable package signature verification in your package managers. For NPM, use npm config set ignore-scripts true to prevent automatic execution of install scripts, then review each package's scripts before allowing execution. For PyPI, verify package signatures using GPG when available.
Configure your package manager to reject unsigned packages in production builds. This will disrupt some workflows, but it's essential to know what you're running.
Enforce MFA on All Publishing Accounts
If you maintain any packages, enable MFA on your NPM, PyPI, and other registry accounts today. Use hardware security keys, not SMS-based authentication. Document this requirement in your secure development policy.
For packages you consume, verify that upstream maintainers have enabled MFA. NPM displays a verification badge for accounts with MFA enabled. If a critical dependency lacks this protection, open an issue requesting it.
Pin Exact Versions in Production
Replace all semantic versioning ranges in your lock files with exact versions. Your package-lock.json or Pipfile.lock should specify "axios": "1.6.8", not "axios": "^1.6.0". Configure your CI/CD pipeline to fail builds if lock files contain version ranges.
Update dependencies through explicit, reviewed pull requests—never automatically. Your dependency update process should include:
- Review of the changelog
- Diff inspection of the package contents
- Test execution in an isolated environment
- Manual approval before merge
Deploy Software Composition Analysis (SCA)
Integrate SCA tools into your CI/CD pipeline to detect known vulnerabilities and behavioral anomalies. Configure the tool to fail builds when new dependencies appear without approval or when package checksums don't match known-good values.
Monitor for sudden changes in package size, new network calls, or filesystem access patterns. The malicious Axios version likely exhibited behavioral changes detectable by runtime analysis.
Implement Network Egress Controls
Configure your production environment to deny outbound connections by default. Maintain an allowlist of required external services. When the malicious package attempted data exfiltration, it should have hit a network boundary.
Log all outbound connection attempts. Alert on connections to unexpected domains, especially those originating from build processes or package installation scripts.
Establish a Dependency Review Process
Before adding any new dependency, require:
- Verification of the package's maintainer history
- Review of the package's dependencies (transitive risk)
- Assessment of the package's maintenance activity and community
- Documented business justification
For packages with fewer than three active maintainers, implement additional monitoring. Single-maintainer packages represent concentrated risk.
Test Your Incident Response
The three-hour window before quarantine represents your detection gap. Run a tabletop exercise: What happens when your SCA tool flags a compromised dependency in production right now? Who gets notified? What's the rollback procedure? How do you identify affected systems?
Document the runbook. Test it quarterly. The next supply chain attack won't announce itself politely.
These controls aren't theoretical. They map directly to requirements you're already supposed to meet. The Axios and LiteLLM incidents proved that checkbox compliance isn't enough—you need defense in depth across your entire dependency chain.
