Supply Chain Attacks Surge in March 2026 | ThreatLabz
In March 2026, severe software supply chain attacks targeted popular open-source packages. A North Korean threat actor compromised the Axios NPM package to distribute a cross-platform RAT, while the TeamPCP group poisoned the LiteLLM PyPI package to harvest cloud and infrastructure secrets.
Authors: THREATLABZ
Source: Zscaler ThreatLabz
- Domain: sfrclak[.]com - Command and control (C2) domain for the cross-platform RAT dropped by the compromised Axios package.
- Filename: site-packages/litellm_init.pth - Malicious .pth file introduced in LiteLLM 1.82.8 that executes automatically on Python startup.
Key Takeaways
- A North Korean threat actor compromised the Axios NPM package via account takeover to distribute a cross-platform RAT.
- The malicious Axios versions injected a hidden dependency (plain-crypto-js) that executed a postinstall script to drop the RAT and contact C2 infrastructure.
- TeamPCP compromised the LiteLLM PyPI package to harvest high-value cloud and Kubernetes secrets.
- LiteLLM version 1.82.8 utilized a malicious .pth file for execution upon Python startup, while version 1.82.7 used an obfuscated Base64 payload in proxy_server.py.
Affected Systems
- macOS
- Windows
- Linux
- NPM (Axios users)
- PyPI (LiteLLM users)
- CI/CD pipelines
Attack Chain
In the Axios attack, a North Korean threat actor compromised a maintainer's account, bypassed CI/CD, and manually published malicious versions containing the 'plain-crypto-js' dependency. This dependency used a postinstall script to run 'setup.js', dropping a cross-platform RAT that contacts C2 infrastructure before cleaning up its tracks. In the LiteLLM attack, the TeamPCP group published malicious versions containing either an obfuscated Base64 payload or a malicious '.pth' file that executes on Python startup to harvest cloud and infrastructure secrets.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but outlines behavioral indicators, package versions, and network IOCs to monitor.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect anomalous child processes spawned by package managers (npm, pip) or Python/Node.js, as well as unexpected network connections to C2 IPs.
- Network Visibility: Medium. Network monitoring can detect connections to the known C2 domain (sfrclak.com) and IP (142.11.206.73).
- Detection Difficulty: Moderate. Supply chain attacks blend in with legitimate developer activity. Detecting malicious postinstall scripts or .pth file executions requires baseline knowledge of normal build environments.
Required Log Sources
- Process Creation logs (Event ID 4688 / Sysmon Event ID 1)
- Network connection logs
- DNS query logs
- CI/CD pipeline audit logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for Node.js or npm processes spawning unexpected child processes or making external network connections to unknown IPs. | Process Creation, Network Connections | Execution | Medium |
| Identify Python processes executing from environments where litellm_init.pth is loaded, especially if followed by file reads of sensitive credential files (.env, SSH keys). | Process Creation, File Access | Credential Access | Low |
Control Gaps
- Lack of MFA on maintainer accounts
- Overly permissive CI/CD network access
- Implicit trust in open-source package managers
Key Behavioral Indicators
- NPM or Python processes initiating outbound connections to non-repository IPs
- Creation of .pth files in site-packages by non-standard installers
- Modification of package.json immediately after installation
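The .pth indicator can be checked directly on disk. The sketch below is an added example, not code from ThreatLabz: it lists .pth files in a site-packages directory and reports the lines that Python's site module would execute at startup (lines beginning with "import" followed by a space or tab). The function names and the sample directory contents are constructed for illustration.

```python
import os
import tempfile

KNOWN_BAD = {"litellm_init.pth"}  # file name given on this page

def audit_pth(site_dir: str) -> list:
    """Return findings for .pth files that carry startup-executed lines."""
    findings = []
    for entry in sorted(os.listdir(site_dir)):
        if not entry.endswith(".pth"):
            continue
        path = os.path.join(site_dir, entry)
        with open(path, encoding="utf-8", errors="replace") as fh:
            # site.py exec()s lines starting with "import" + space/tab;
            # other non-comment lines are only appended to sys.path.
            exec_lines = [ln.rstrip("\n") for ln in fh
                          if ln.startswith(("import ", "import\t"))]
        if exec_lines or entry in KNOWN_BAD:
            findings.append({"file": entry,
                             "known_bad": entry in KNOWN_BAD,
                             "exec_lines": exec_lines})
    return findings

def build_demo_site_dir() -> str:
    """Create a constructed sample directory; all contents are harmless stand-ins."""
    demo = tempfile.mkdtemp(prefix="site-packages-")
    samples = {
        # Path-only file: never executed, so it is not reported.
        "paths_only.pth": "../vendor/libs\n# a comment\n",
        # Stand-in for a legitimate hook (setuptools ships one like this);
        # it is reported, which is why a baseline of expected files is needed.
        "distutils-precedence.pth": "import os; var = 'SETUPTOOLS_USE_DISTUTILS'\n",
        # Placeholder line, not the real payload.
        "litellm_init.pth": "import sys  # placeholder\n",
        # Not a .pth file, so the site module ignores it.
        "README.txt": "import not_a_pth\n",
    }
    for name, body in samples.items():
        with open(os.path.join(demo, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return demo

if __name__ == "__main__":
    for finding in audit_pth(build_demo_site_dir()):
        tag = "KNOWN-BAD" if finding["known_bad"] else "review"
        print(tag, finding["file"], finding["exec_lines"])
```

On a real host, pass each directory returned by site.getsitepackages() and site.getusersitepackages() to audit_pth and compare the result against the .pth files expected in that build environment.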
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Review package.json and lockfiles for axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1 and remove them.
- Downgrade LiteLLM to version 1.82.6.
- Search for connections to sfrclak.com or 142.11.206.73 from developer workstations and CI/CD systems.
- Rotate or revoke all potentially exposed secrets (PyPI tokens, API keys, SSH keys, cloud credentials).
Infrastructure Hardening
- Use private registry proxies and Software Composition Analysis (SCA) tools.
- Restrict build environments to internal package managers or trusted mirrors.
- Limit internet access from CI/CD systems to reduce exfiltration risk.
- Apply least-privilege IAM and tighten Kubernetes RBAC.
User Protection
- Restrict open-source package consumption on corporate devices using enterprise controls.
- Enforce strict lockfile usage (npm ci instead of npm install).
Security Awareness
- Train teams on phishing awareness and supply chain security best practices.
- Enable phishing-resistant MFA on NPM, GitHub, and cloud platforms.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1078 - Valid Accounts
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1547.006 - Boot or Logon Autostart Execution: Python
- T1552 - Unsecured Credentials
- T1027 - Obfuscated Files or Information
Additional IOCs
- IPs:
  - 142[.]11[.]206[.]73 - C2 IP address for the Axios RAT
- Domains:
  - sfrclak[.]com - C2 domain for the Axios RAT
- File Paths:
  - site-packages/litellm_init.pth - Malicious .pth file introduced in LiteLLM 1.82.8
  - proxy_server.py - File containing obfuscated Base64 payload in LiteLLM 1.82.7
  - setup.js - Script executed via node in the plain-crypto-js postinstall process
- Command Lines:
  - Purpose: Executes the malicious setup script during the plain-crypto-js postinstall phase | Tools: node, npm | Stage: Execution | node setup.js
- Other:
  - axios@1.14.1 - Compromised Axios NPM package version
  - axios@0.30.4 - Compromised Axios NPM package version
  - litellm@1.82.8 - Compromised LiteLLM PyPI package version
  - litellm@1.82.7 - Compromised LiteLLM PyPI package version