← Back to Blog DevOps & Security

March 2026 Gave Us a Free Masterclass in Why DevOps Matters

EB DevTech April 1, 2026 12 min read

Five major open-source supply chain attacks hit in just twelve days. Axios. Trivy. LiteLLM. Telnyx. And then the Claude Code source code leak on top of it all.

Different tools. Different ecosystems. Same root cause every single time: credentials, configurations, and process gaps.

Let's break down what happened, what connects them, and what your team can actually do about it.

What Happened

The Axios npm Hijack March 31

Axios is one of the most widely used tools in the JavaScript ecosystem. Over 100 million weekly downloads. It's the kind of dependency that's everywhere — in frontend apps, backend services, enterprise platforms, and CI/CD pipelines.

On March 31, a threat actor hijacked the npm account of the lead Axios maintainer and published two malicious versions (1.14.1 and 0.30.4). These versions contained a hidden dependency called "plain-crypto-js" that silently installed a cross-platform Remote Access Trojan the moment any machine ran npm install.

The attacker pre-staged the malicious dependency 18 hours in advance, built separate payloads for Windows, macOS, and Linux, hit both release branches within 39 minutes, and designed the malware to self-destruct after execution to cover its tracks.

Google's Threat Intelligence Group has attributed the attack to UNC1069, a financially motivated North Korean threat actor active since at least 2018.

The malicious versions were live for roughly two hours before being pulled. But with 100 million weekly downloads, even a two-hour window creates massive exposure.

The red flag: Legitimate Axios releases always include OIDC provenance metadata linking the package back to a specific GitHub Actions build. The malicious versions had none. That missing provenance was the signal that security researchers spotted immediately.

The LiteLLM and Telnyx PyPI Compromises March 24–27

This one started with Trivy, an open-source security scanner that many organizations rely on to detect exactly this kind of threat.

On March 19, a group known as TeamPCP hijacked release tags in the Trivy GitHub Actions repository, injecting credential-harvesting malware. From there, the attackers used the stolen credentials to move into Checkmarx KICS on March 23, and then into PyPI.

On March 24, malicious versions of LiteLLM (1.82.7 and 1.82.8) were published to PyPI. LiteLLM is an AI proxy layer present in roughly 36% of cloud environments, handling API requests across over 100 different large language model providers. The compromised packages used Python's .pth file mechanism to execute automatically on every Python interpreter startup, harvesting SSH keys, cloud credentials, Kubernetes configs, database passwords, and API keys.

Three days later, the Telnyx Python package was hit with the same playbook.

The LiteLLM packages were available for about three hours. Given the package's three million daily downloads, the exposure window was significant.

The cascade effect: The attackers didn't go after LiteLLM directly. They compromised the security tool first, used those credentials to cascade into the next target, and repeated the pattern. One initial breach led to five separate compromises across multiple ecosystems.

The Claude Code Source Code Leak March 31

On the same day as the Axios attack, Anthropic accidentally shipped the full source code of its Claude Code CLI inside a public npm package. Version 2.1.88 included a source map file — a debugging artifact that mapped the bundled production code back to the original TypeScript source. That file pointed to a zip archive on Anthropic's own cloud storage containing approximately 512,000 lines of code across 1,900 files.

This wasn't a hack or a breach. It was a packaging error caused by a misconfigured file in the release process. Anthropic confirmed it was human error.

Within hours, the codebase was mirrored on GitHub, accumulating tens of thousands of forks. The leak exposed the full architecture of a product with an estimated $2.5 billion in annual revenue, including unreleased features, internal tooling, and system prompts.

This was actually the second time a similar source map leak had occurred with Claude Code, following an earlier incident in February 2025.

The Pattern

Step back from the individual incidents and the picture becomes clear.

None of these were some impossibly sophisticated attack that no one could have defended against. Every single one came down to fundamentals:

The Axios Attack

Succeeded because the attacker obtained a long-lived npm access token. One compromised credential unlocked publishing rights to a package used by millions.

The LiteLLM Attack

Cascaded from a single exposed CI/CD token. Stolen credentials from one tool gave access to another, then another, then another.

The Claude Code Leak

Happened because of one missing exclusion in a config file. A single oversight in the release pipeline exposed everything.

These were all process failures before they became security incidents.

The Good News

Everything we just described is fixable. The playbook already exists. Here's what separates the teams that were affected from the ones that weren't.

Pin your dependencies

Don't let your build system automatically pull the latest version of a package. Lock your dependency versions in your lockfiles and verify the integrity of what you're installing. If your CI/CD pipeline had pinned Axios to 1.14.0, the malicious 1.14.1 would never have been installed.

Require build provenance

Legitimate packages published through proper CI/CD pipelines include cryptographic build attestations. The malicious Axios versions had no OIDC provenance. Configuring your package proxy to reject packages without provenance would have flagged these immediately.

Gate your releases

Separate the ability to write code from the ability to publish it. Require multiple approvals for releases. Don't let a single compromised account push directly to production.

Segment your CI/CD permissions

The LiteLLM attack cascaded because one set of credentials unlocked access to multiple systems. Scope your automation tokens. Use short-lived credentials. Audit which systems have publish rights and limit the blast radius of any single compromise.

Audit your release pipeline

The Claude Code leak happened because a debugging file made it into a production package. Automated checks for source maps, debug artifacts, and sensitive files in your release pipeline can catch these before they ship.

Treat credentials like they're already at risk

Rotate tokens regularly. Use short-lived, automation-scoped tokens instead of long-lived personal access tokens. Monitor for unexpected publishing activity.

How EB DevTech Helps

This is exactly the kind of work we do every day.

At EB DevTech, we help businesses build the operational foundation where they can move fast and still sleep at night. We work with your team to lock down build pipelines, verify dependencies before they hit production, segment permissions so one bad credential doesn't snowball, and put the gates in place that catch process gaps before they become headlines.

AI is moving at an incredible pace right now. That's exciting. But speed without structure is just chaos with a deadline. We help you keep the speed and add the structure.

The tools are amazing. Let's make sure your process is too.

Want to get ahead of supply chain risks?

Let us help you lock down your build pipelines, enforce dependency governance, and audit your CI/CD security posture.

Contact EB DevTech

Sources