Skip to content
.ca
sign in
4 minhigh

Don't Kill the Goose That Lays the Golden Eggs

Recent supply chain attacks in March 2026, including the compromise of the widely used Axios npm package by North Korean actors and CI/CD targeting by TeamPCP, highlight the increasing threat to the open-source ecosystem. These incidents underscore the necessity of supporting and securing open-source maintainers against sophisticated nation-state social engineering and credential theft campaigns, rather than abandoning open-source architecture.

Conf:highAnalyzed:2026-04-11reports
ActorsTeamPCPNorth Korean state-sponsored actorsMarch 2026 supply chain attacksAxios npm compromise
Open SourceSupply Chain AttackNode.jsSocial Engineeringnpm

Source:Socket

Key Takeaways

  • March 2026 saw severe supply chain attacks targeting the open-source ecosystem, prompting industry debate over OSS security.
  • TeamPCP actively targeted OSS security tools and CI/CD pipelines to harvest valuable credentials.
  • A North Korean social engineering campaign successfully compromised the Axios npm package (downloaded 100M+ times/week) by targeting high-trust maintainers.
  • Nation-state actors are exploiting the unpaid labor and security burden of solo OSS maintainers.
  • The attacks highlight the need to fund, support, and protect open-source maintainers rather than abandoning OSS infrastructure.

Affected Systems

  • Open Source Software (OSS) ecosystems
  • CI/CD pipelines
  • Node.js ecosystem
  • npm registry (specifically the Axios package)
  • OSS security tools

Attack Chain

Threat actors, including North Korean state-sponsored groups and TeamPCP, targeted the open-source software supply chain. TeamPCP focused on compromising OSS security tools and CI/CD pipelines to extract valuable credentials. Concurrently, North Korean actors executed a weeks-long social engineering campaign against high-trust Node.js maintainers. This campaign successfully yielded write access to the widely used Axios npm package, allowing potential distribution of malicious updates to millions of downstream users.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: Low — The attacks primarily involve social engineering of third-party maintainers and the compromise of upstream CI/CD pipelines and npm registries, which occur outside the scope of traditional endpoint EDR. Network Visibility: Low — Malicious package downloads from legitimate registries (like npm) blend in with normal development traffic and are difficult to distinguish without deep packet inspection and known malicious hashes. Detection Difficulty: Very Hard — Detecting supply chain compromises at the source requires identifying social engineering against third-party maintainers or credential theft within external CI/CD environments, which organizations typically lack visibility into.

Required Log Sources

  • CI/CD pipeline audit logs
  • Package registry access logs
  • Developer authentication logs
  • Source code management (SCM) audit logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Monitor CI/CD pipelines for unauthorized access, unusual credential extraction activities, or unexpected modifications to build scripts.CI/CD audit logs, Secrets management logsCredential AccessMedium
Identify unexpected changes to package dependencies, version bumps, or maintainer access rights in internal repositories.Source code management (SCM) audit logsPersistenceLow

Control Gaps

  • Visibility into third-party maintainer security posture
  • Detection of compromised upstream packages before deployment into internal environments

Key Behavioral Indicators

  • Unexpected maintainer changes on critical OSS packages
  • Anomalous CI/CD pipeline executions or secret access

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit CI/CD pipelines for exposed credentials and excessive permissions.
  • Review project dependencies for unexpected version bumps or maintainer changes, particularly for the Axios package.

Infrastructure Hardening

  • Implement strict least-privilege access controls for CI/CD environments.
  • Enforce MFA and strong authentication for all internal and external code repositories.
  • Utilize software composition analysis (SCA) tools to monitor for known compromised package versions.

User Protection

  • Educate developers and maintainers on advanced social engineering tactics used by nation-state actors.
  • Implement hardware security keys (FIDO2) for developer authentication to mitigate credential phishing.

Security Awareness

  • Promote awareness of the security burden on OSS maintainers and consider funding or contributing to the security of critical dependencies.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1586 - Compromise Accounts
  • T1566 - Phishing
  • T1552 - Unsecured Credentials

Related