Breaking the Supply Chain Kill Chain: Lessons from Trivy, LiteLLM, and Axios

It starts with a routine dependency update. Your CI pipeline pulls the latest Trivy GitHub Action, a security tool you’ve trusted for years. The build passes. Three weeks later, your AWS, GCP, and Azure tokens are funding a cryptomining operation, and your company is in the news as another supply chain victim.

That isn’t hypothetical. In March 2026, attackers compromised the Trivy GitHub Action and used the harvested credentials to publish a backdoored LiteLLM Python package five days later. A week after that, a North Korean actor took over the maintainer account for Axios, an HTTP client with 70+ million weekly npm downloads, and shipped a cross-platform RAT for three hours before takedown.

Five major supply chain attacks landed in twelve days. Different vectors, identical playbook.

Perimeter defenses assume attacks come from outside your codebase. Signature scanning assumes you can spot malicious code before it runs. Static analysis assumes the code you’re looking at is the code that will execute. Supply chain attacks bypass all three: the malicious payload arrives signed, semver-pinned, and tagged “release.”

The good news: these attacks follow predictable patterns. Map the kill chain, and you can build defenses that make your stack a worse target than the next one over.

The 5-Phase Supply Chain Kill Chain

Every successful supply chain compromise follows the same progression:

1. Initial Access, compromising an upstream developer account, CI/CD pipeline, or repository. The attacker now controls something downstream systems trust.
2. Persistence, embedding the payload in a package, container image, or workflow that downstream consumers will pull.
3. Credential Harvesting, scraping SSH keys, cloud tokens, npm/PyPI publish tokens, GitHub PATs, and Kubernetes secrets from the victim environment.
4. Lateral Movement, using harvested credentials to compromise more packages, repos, or infrastructure. Each compromise becomes a launch pad for the next.
5. Impact, ranging from data exfiltration to ransomware to further supply chain poisoning.

The phases compound. Each one builds on the last and creates the launching pad for the next.

The 2026 Attacks, Phase by Phase

Trivy → LiteLLM: A Live Cascade

The cleanest demonstration of the kill chain in 2026 isn’t one attack. It’s two attacks linked by stolen credentials.

Phase 1 (late February 2026): Attackers exploited a misconfiguration in Trivy’s GitHub Actions environment and extracted a privileged access token. Aqua Security disclosed the initial incident and rotated credentials on March 1, but the rotation wasn’t comprehensive, and the threat actor retained residual access via still-valid credentials.

Phase 2 (March 19, ~17:43 UTC): Using those credentials, the attacker force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy, redirecting trusted version references to malicious commits. A poisoned Trivy v0.69.4 was published.

Phase 3 (March 19–24): The malicious Trivy action ran inside thousands of CI/CD pipelines and harvested AWS/GCP/Azure tokens, SSH keys, Kubernetes service-account tokens, Docker config, and Git credentials.

Phase 4 (March 24, 10:39 UTC): Among the harvested secrets were LiteLLM’s PyPI publishing credentials. The attackers used them to publish backdoored litellm v1.82.7 and v1.82.8 to PyPI. The package is downloaded ~3.4 million times per day; the malicious versions saw 119k+ installs in their ~40-minute window. Each install dropped a litellm_init.pth file that auto-executes on every Python process startup, harvesting the same secret types from a fresh population of victims.

Phase 5 (April 15): The Vect ransomware group listed its first victim, a property-management company, claiming exfiltration of ~4 million emails and 700 GB of data attributed to the TeamPCP Trivy campaign.

The full kill chain, executed in production, in under thirty days.

Axios: Account Takeover at the Maintainer Layer

The Axios compromise is a different shape, but the same playbook with fewer hops.

Phase 1 (March 31, 2026): A targeted social-engineering operation took over the npm account of jasonsaayman, one of Axios’s primary maintainers. Microsoft and Google attribute the attack to Sapphire Sleet / UNC1069, a financially motivated North Korean actor.

Phase 2: Within a 39-minute window, the attacker published axios@1.14.1 and axios@0.30.4. Each version added a single new dependency, plain-crypto-js, whose postinstall hook downloaded and executed platform-specific stage-2 RAT implants from sfrclak[.]com:8000.

Phase 3–5: Axios serves over 70 million weekly downloads. The malicious versions were live for roughly three hours before takedown. Every system that ran npm install in that window pulled the RAT, which phoned home for credential harvesting and follow-on tasking.

No build-system breach, no force-pushed tags. Just one social-engineered maintainer and a popular package, and three hours was enough to make global news.

What These Have in Common

All three compromised infrastructure that downstream teams had every reason to trust: a vulnerability scanner, an LLM gateway, the default HTTP client for half the JavaScript ecosystem. None are peripheral utilities. They’re core infrastructure.

All three demonstrate phase progression in real time: initial access enabled persistence, persistence enabled credential harvesting, harvesting enabled lateral movement (Trivy → LiteLLM is literal lateral movement across ecosystems). Point defenses fail because attackers move through phases faster than detection systems respond.

Five Cascade Breakers

Each tactic below disrupts specific phases. Implemented together, they create overlapping failure points for attackers.

1. Short-Lived Credentials (breaks Phases 3 & 4)

Long-lived API keys are why credential harvesting is profitable. The Trivy CI credentials stolen on March 19 were still valid five days later when the attackers used them to publish malicious LiteLLM packages. With OIDC federation and short-lived tokens (e.g. AWS STS, 1-hour TTL), that residual-access window collapses.

OIDC federation for GitHub Actions eliminates stored secrets entirely:

permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::ACCOUNT:role/GitHubActionsRole
      role-session-name: deployment
      aws-region: us-east-1

Tools to evaluate: HashiCorp Vault, AWS IAM Roles Anywhere, GCP Workload Identity Federation, Azure Managed Identity.

2. Secrets Out of Environment Variables (breaks Phase 3)

Environment variables are the first place every credential-harvesting payload looks: /proc/*/environ, process memory, exported shell state. The Trivy and LiteLLM payloads both scraped well-known names like AWS_ACCESS_KEY_ID, GOOGLE_APPLICATION_CREDENTIALS, and KUBE_* directly.

Fetch secrets at runtime from a dedicated store and mount them as read-only files rather than exporting them globally:

spec:
  containers:
  - name: app
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: app-secrets

Tools to evaluate: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Kubernetes External Secrets Operator.

3. SHA Pinning (breaks Phases 1 & 2)

The Trivy attack worked because force-pushed tags rewrote what aquasecurity/trivy-action@v0.28.0 resolved to. Pin to the commit SHA, not the tag:

# Vulnerable: tag resolves to whatever the latest force-push points at
- uses: aquasecurity/trivy-action@v0.28.0

# Secure: pinned to a specific commit
- uses: aquasecurity/trivy-action@a76e9f3...c4d2e1b

Same principle applies to container images and language packages: use image digests, lockfile integrity hashes, and pip install --require-hashes. Renovate and Dependabot can keep SHA-pinned dependencies updated automatically.

Tools to evaluate: Renovate, Dependabot, Sigstore cosign, npm audit signatures, Docker Content Trust.

4. Contribution & Workflow Verification (breaks Phase 2)

The Axios maintainer takeover succeeded against a single account. Required signed commits, branch protection with mandatory review, and protected publishing identities raise the bar substantially:

required_pull_request_reviews:
  required_approving_review_count: 2
  require_code_owner_reviews: true
required_status_checks:
  strict: true
  contexts: ["ci/security-scan", "ci/tests"]
enforce_admins: true

Combine with workflow linting (actionlint), secret scanning on commits, and trusted publishing. Both PyPI and npm now support OIDC-based publishing that eliminates long-lived publish tokens entirely.

Tools to evaluate: Actionlint, GitGuardian, Semgrep, PyPI Trusted Publishing, npm Trusted Publishing.

5. Hardened Runtime (breaks Phase 5)

When prevention fails, and at sufficient scale eventually it does, runtime enforcement decides whether the payload gets to do anything once it executes. A distroless base image, a tight AppArmor or SELinux profile, and a readOnlyRootFilesystem pod spec mean a credential-harvester landing in your container can’t read ~/.aws/credentials, can’t slurp /proc/*/environ, can’t write a .pth file, can’t dial sfrclak[.]com:8000.

apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
  containers:
  - name: app
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]

Tools to evaluate: Google Distroless / Chainguard Images, AppArmor, SELinux, gVisor, Falco for runtime detection.

Defense in Depth, Prioritized

Supply chain security isn’t about choosing one tactic. It’s about overlapping layers that make successful attacks exponentially harder.

Start with credentials. Short-lived tokens and proper secrets management are the highest-leverage moves and the cheapest to deploy. They alone would have collapsed the Trivy → LiteLLM pivot to a few hours of useful access.

Then pin and verify. SHA pinning, required reviews, and trusted publishing defeat the Trivy tag rewrite and the Axios single-maintainer push. These are process changes more than infrastructure changes.

Land the safety net. Hardened images and runtime enforcement contain what gets through. They’re the only layer attackers cannot bypass with valid signatures, social engineering, or upstream compromise, because they evaluate what the code does, not where it came from.

Metrics That Matter

• Percent of dependencies pinned by SHA in production builds (target: >95%)
• Median credential lifetime across CI/CD systems (target: <4 hours)
• Percent of CI/CD workloads running under a hardened runtime profile (target: 100%)
• Time from credential compromise detection to revocation (target: <15 minutes)

The Strategic Imperative

Supply chain attacks are asymmetric: defenders must secure every dependency, while attackers only need to compromise one. March 2026 made the math worse, with five attacks in twelve days, including a security tool used to compromise an AI gateway in the same campaign. Attack-iteration velocity is accelerating.

For senior engineering teams, supply chain security isn’t just risk management. It’s a velocity multiplier. Teams that pin, verify, federate, and enforce can move fast on dependencies because they trust their layered defenses. Teams without them are stuck choosing between velocity and security, which is the wrong dilemma to be solving in 2026.

Prevent what you can. Detect what gets through. Contain what you can’t prevent or detect. Runtime behavioral controls are the last layer attackers cannot social-engineer their way past. When a malicious package tries to read credentials it has never accessed, runtime enforcement is your last and best chance to stop the attack.

---

Learn more about runtime behavioral controls for container workloads or how automated AppArmor profiles strengthen your supply chain defense.