Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The software supply chain continues to face escalating threats, with malicious actors targeting developers and organizations at an unprecedented scale. In our Spring 2026 Threat Research Review, we analyze the latest trends, uncover alarming statistics, and highlight the evolving tactics used by attackers. From dependency injection attacks to the rise of typosquatting, this report provides a comprehensive look at the threats shaping the software ecosystem.

For years, vulnerability management has followed a familiar pattern: discover assets, scan for CVEs, prioritize by severity, and remediate what you can. That model works, at least within the boundaries of systems you own. The problem is that most organizations no longer operate within those boundaries. Federal agencies especially depend on a complex ecosystem of SaaS platforms, software vendors, contractors, and open-source components.

Apr 2, 2026 Mastering Software Supply Chain Management in 2026 Read More Natalie Tischler Mar 31, 2026 Why Security Debt Should Be a Board-Level Priority Read More Natalie Tischler Mar 26, 2026 Prioritize, Protect, Prove: A Roadmap for Application Security Transformation Read More Natalie Tischler.

Engineering teams face a dual mandate: ship high-quality features faster and keep the underlying infrastructure secure. As development velocity increases, so does the complexity of the tools, libraries, and third-party components that make up your applications. Software Supply Chain Management is the discipline of securing these interconnected components.

Attackers carried out a supply chain compromise by abusing a compromised npm maintainer account to publish malicious Axios versions (axios@1.14.1 and axios@0.30.4). These releases introduced an unexpected dependency, plain-crypto-js@4.2.1, which attempted platform-specific malware execution via an npm lifecycle script during installation on Windows, macOS, and Linux.

The widely used Axios npm package, a JavaScript library that enables applications to make HTTP/S requests and is included as a dependency in millions of applications, was compromised in a supply chain attack on March 31, 2026 (UTC).

The JavaScript ecosystem experienced a significant supply chain incident on 31 March 2026 when two newly published Axios versions were found to contain a malicious dependency. Axios is one of the most widely used HTTP clients in both browser and Node.js environments, with weekly downloads ranging from 80 to over 100 million. The compromise impacted organisations across sectors that rely on the package for service integration and automation.

On March 30-31, 2026, threat actors published two malicious versions of the popular HTTP library axios (versions 1.14.1 and 0.30.4) to the npm registry. Both versions included a new dependency named plain-crypto-js which, in its 4.2.1 release, contained a fully-featured cross-platform dropper that silently installed a Remote Access Trojan (RAT) on developer machines.

On March 31, 2026, two malicious versions of axios were published to npm, , using credentials stolen from a lead axios maintainer. The attacker injected a hidden dependency into both releases that drops a remote access trojan (RAT) on any machine that ran npm install during the exposure window. No CVE identifier has been assigned at the time of writing. The malicious dependency executes automatically at install time via a postinstall hook, without any action by the developer.