What Every Scanner Missed, and What We Built SecNode to Catch
The package your engineer merged yesterday already has a new version. Across npm, PyPI, Maven, NuGet, and a dozen other registries, we pulled it, sandboxed it, and checked every threat intel feed before your next build ran.
SecNode Research
A routine dependency update lands in your CI pipeline. It installs cleanly, exits zero. Your scanner sees nothing. Three weeks later, credentials from that build show up in breach data.
Not a hypothetical. That is the documented playbook behind every major supply chain compromise of 2025 and 2026.
Supply chain security was called an "emerging threat" for years. It emerged. In 2025 alone, Sonatype identified 454,600 newly malicious packages across npm, PyPI, Maven Central, NuGet, and Hugging Face — a 75% jump year over year, bringing the cumulative total past 1.2 million. Verizon's 2025 DBIR doubled the third-party share of breaches from 15% to 30% in a single annual cycle, the largest single-year shift the report has ever recorded. IBM priced a supply chain compromise at $4.91M average and 267 days to resolve — the longest mean lifecycle of any breach vector.
The registries serving this ecosystem — npm, PyPI, Maven Central, NuGet, RubyGems, Crates.io, Packagist, Hugging Face, and more than a dozen others — will collectively serve over 10 trillion package downloads in 2026. That is more than one billion downloads per hour. Each one is a potential delivery channel.
These attacks are not sophisticated in the zero-day sense. They are sophisticated in the trust-exploitation sense. That distinction is everything when it comes to defense.
The Ecosystem Is Bigger Than npm
Most supply chain coverage starts and stops at npm. That framing is outdated and dangerous.
The 2026 attack surface spans every major registry. A coordinated campaign in late April and early May 2026 hit TanStack, Mistral AI, UiPath, and OpenSearch packages simultaneously across both npm and PyPI, uploading malicious versions in two waves with heavily obfuscated payloads that executed on installation or import. The PyPI packages carried a second channel: a malicious .pth file that the interpreter processes at startup, so the payload ran without any explicit import. No install hook. No postinstall trigger. Just boot.
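The .pth mechanism is worth seeing concretely, because it is the part of the Python startup path that most reviews never look at. The audit below is an added example written for this article; it is not SecNode's code and not part of any project named here. CPython's site module reads every *.pth file in each site-packages directory at interpreter start, skips blank and `#` lines, passes any line beginning with `import ` to exec(), and treats every other line as a directory to add to sys.path. The script separates the exec-style lines from the path lines and scores them with a constructed heuristic token list; the sample .pth contents are constructed, and the encoded string in the payload-shaped sample decodes to nothing more than print('sample').

```python
"""Audit .pth files for code that runs at interpreter startup.

Added example; it is not SecNode's code and not part of any project the
article names. CPython's site module processes every *.pth file found in a
site-packages directory when the interpreter starts: blank lines and lines
starting with '#' are skipped, a line beginning with 'import ' or 'import\t'
is passed to exec(), and every other line is appended to sys.path as a
directory. That exec() branch is how a .pth payload runs with no install
hook and no explicit import, so the audit separates exec lines from path
lines and scores them.
"""
import os
import re
import site
from typing import Dict, List

# Tokens that rarely appear in a benign .pth import line. This is a
# constructed heuristic list, not a signature database; extend it per site.
SUSPICIOUS = re.compile(
    r"(exec\s*\(|eval\s*\(|__import__|compile\s*\(|base64|zlib|marshal|"
    r"subprocess|os\.system|os\.popen|socket|urllib|http\.client|"
    r"\\x[0-9a-fA-F]{2}|\bopen\s*\()"
)


def classify_pth_lines(text: str) -> Dict[str, List[str]]:
    """Split .pth content into the three categories the site module uses."""
    result: Dict[str, List[str]] = {"exec": [], "path": [], "skip": []}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            result["skip"].append(line)
        elif line.startswith(("import ", "import\t")):
            result["exec"].append(line)
        else:
            result["path"].append(line)
    return result


def audit_pth_text(filename: str, text: str) -> List[dict]:
    """Return one finding per exec-style line that looks like a payload."""
    findings = []
    for line in classify_pth_lines(text)["exec"]:
        reasons = []
        if ";" in line:
            reasons.append("multiple statements on one import line")
        hits = sorted({m.group(0).strip() for m in SUSPICIOUS.finditer(line)})
        if hits:
            reasons.append("suspicious tokens: " + ", ".join(hits))
        if len(line) > 200:
            reasons.append("unusually long line (%d chars)" % len(line))
        if reasons:
            findings.append({"file": filename, "line": line, "reasons": reasons})
    return findings


def site_packages_dirs() -> List[str]:
    """Every directory the running interpreter scans for .pth files."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    user_site = site.getusersitepackages()
    if user_site:
        dirs.append(user_site)
    return [d for d in dict.fromkeys(dirs) if os.path.isdir(d)]


def audit_site_packages() -> List[dict]:
    """Audit every .pth file visible to this interpreter."""
    findings = []
    for directory in site_packages_dirs():
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_pth_text(path, fh.read()))
            except OSError:
                continue
    return findings


# Constructed samples so the audit can be exercised without touching a real
# site-packages: an editable-install style path entry, and an import-style
# line in the shape of a startup payload (the encoded string is just
# print('sample'); nothing here reaches out anywhere).
SAMPLE_BENIGN_PTH = "# editable install of an internal library\n/home/dev/src/mylib\n"
SAMPLE_PAYLOAD_PTH = (
    "import sys; exec(__import__('base64').b64decode('cHJpbnQoJ3NhbXBsZScp'))\n"
)

if __name__ == "__main__":
    for finding in audit_site_packages() + audit_pth_text("sample.pth", SAMPLE_PAYLOAD_PTH):
        print(finding["file"], "->", "; ".join(finding["reasons"]))
        print("   ", finding["line"][:120])
```

Expect some benign hits on a real machine: setuptools ships an exec-style distutils-precedence.pth, and some editable-install finders use the same form. Allowlist those by file hash, not by file name, since a name is exactly what an attacker would reuse.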
PyPI added 130,000 new packages in 2025, nearly matching its entire 2018 catalog in a single year, and is now adding close to 900 packages per day in 2026. Maven Central and NuGet remain high-value targets for Java and .NET ecosystems respectively. RubyGems has seen coordinated credential theft campaigns. Crates.io serves Rust, which is increasingly present in systems-level and embedded infrastructure. Hugging Face has emerged as a new distribution channel with weaker security controls relative to its blast radius.
The point is not that npm is no longer dangerous. It is that your dependency graph almost certainly spans multiple registries, and most tooling watches only one of them well.
What Actually Happened
Three campaigns defined the 2025 to 2026 wave. Different entry points, same playbook.
Shai-Hulud — September 2025
The first npm worm that self-propagated without a developer installing anything. It burned through 800+ packages, then returned in successive waves through April 2026.
The origin has since been traced to the s1ngularity campaign two months earlier, in which compromised Nx packages harvested 2,349 credentials from 1,079 developer systems. Stolen npm tokens from that campaign appear to have enabled the September attack — credential mutualization across campaigns is now documented infrastructure for this threat class.
A later variant targeted four SAP Cloud Application Programming packages carrying 570,000 combined weekly downloads. Subsequent variants added dormant sleeper payloads that only activated under specific runtime conditions, built to stay invisible to automated scanners. Defenders were scanning for malicious packages. The payload waited until they stopped looking.
Axios — March 2026
Lazarus Group (DPRK) compromised the most widely used HTTP client in JavaScript — running in roughly 80% of cloud environments — without touching a single CVE.
They changed the lead maintainer's npm account email, bypassed GitHub Actions CI/CD, and injected a dependency whose postinstall hook silently exfiltrated credentials. OpenAI revoked its macOS signing certificate as a precaution after its dependency chain ran through Axios.
The compromised package was clean on installation. The credential theft happened during a postinstall hook that had never existed in any prior version. One observation from Mandiant: the compromise date and the impact date are not the same. Stolen credentials surfaced in breach data months after the intrusion.
Trivy / TeamPCP — March 2026
Attackers exploited a misconfigured pull_request_target workflow to steal a service account token. Incomplete credential rotation left the door open. They force-pushed malicious code to 76 of 77 version tags on Aqua Security's open-source vulnerability scanner — CVE-2026-33634, now on CISA's KEV catalog.
The payload dumped GitHub Actions runner memory: SSH keys, cloud credentials, Kubernetes secrets from every affected pipeline. The same operation simultaneously hit Checkmarx KICS, LiteLLM, and the Telnyx SDK. Weeks later, the Vect ransomware group announced a formal alliance with TeamPCP to pursue every exposed organization.
A security tool became the delivery mechanism.
The Five-Stage Playbook
Every major 2025 to 2026 supply chain attack followed the same structure. What changed between campaigns was speed and automation, not the model.
| Stage | Technique | Example |
|---|---|---|
| Initial Access | Account takeover, misconfigured CI/CD, PAT theft | Axios email swap, Trivy pull_request_target |
| Persistence | Version tag manipulation, force-push to artifacts | Trivy 76/77 tags, Shai-Hulud spread |
| Execution | Postinstall hooks, import-time payloads, .pth files | plain-crypto-js, PyPI .pth execution |
| Collection | SSH keys, cloud credentials, Kubernetes secrets | Trivy, Axios, GlassWorm VS Code |
| Monetization | Ransomware, cryptostealing, espionage | Vect RaaS, BeaverTail, SlowStepper |
None of these needed a novel exploit. Every single one abused a trust assumption — in a package name, a version tag, a vendor update channel, a CI/CD identity — that was never formally verified.
Why Standard Tooling Misses This
Most security tooling was built to answer a different question.
Scanners find known CVEs in known packages. They are good at that. Supply chain attacks in 2025 and 2026 mostly skipped that surface entirely.
Shai-Hulud's sleeper payloads were built to pass automated scans on initial analysis. The Axios postinstall hook had no CVE — it was a trusted package doing something it had never done before. The Trivy compromise targeted version tags, which most tooling treats as immutable signals of integrity. The PyPI .pth attack needed no import statement, no user interaction, and no trigger condition visible to a static scanner.
The gap is behavioral and contextual, not signature-based. Catching what these attacks actually do requires three things working together: a persistent, versioned map of everything in your dependency graph across every registry you consume; a system that pulls and inspects every new package version before your pipeline ever sees it; and threat intelligence wired directly to the version-monitoring layer so registry anomalies connect to known adversary infrastructure in real time.
Most organizations have none of these. Most tools were not built to provide them.
The SecNode Approach: Know Before It Lands
SecNode's architecture does not wait for your next scan. It operates three capabilities continuously before any build runs.
Step 1: Build and Maintain the Dependency Knowledge Base
Before anything else, HiveSense encodes your full Bill of Materials — not just the packages you declared, but every transitive dependency resolved across your services, pinned at the exact version hash each service pulled. This covers npm, PyPI, Maven Central, NuGet, RubyGems, Crates.io, Packagist, and Hugging Face.
The graph is not a flat list. HiveSense maps which packages appear at which install points, how the graph changed between builds, and what the normal behavioral profile looks like for each package across its version history. When a package you have consumed for two years adds a postinstall hook that has never existed before, HiveSense has a prior state to compare it against. The deviation registers immediately.
This is the prerequisite for every detection capability downstream. If you cannot state exactly what your pipeline consumed 48 hours ago — not declared versions, resolved content hashes — you cannot detect what changed.
Step 2: Pull Every New Version and Inspect It Before Your Build Does
When a new version is published to any monitored registry, HiveSense pulls it before your pipeline can. This is not passive monitoring. It is active interception.
Hive Mind runs the version through a multi-stage inspection pipeline. Static analysis checks for obfuscated code and known malware patterns. Behavioral sandboxing executes the install process under multiple runtime conditions and watches for network calls, file writes, credential access, and interpreter-level side effects — including .pth file injection, which requires no explicit import to execute. Code-level diffing compares the new version against the prior known-good hash and flags novel logic, new execution paths, unexpected new dependencies, and added lifecycle hooks.
The sleeper payload problem is addressed here. Shai-Hulud's variants were engineered to look clean on first scan. Behavioral sandboxing under varied runtime conditions catches payloads that only activate under specific environments. Version-to-version diffing catches obfuscated additions that pass static signature checks entirely.
If Hive Mind identifies something anomalous, it does not generate an alert for a human to triage next week. It blocks the version from your dependency graph and surfaces a finding with the behavioral evidence: what the package attempted to do, what changed compared to prior versions, and what assets are reachable downstream in your specific topology.
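The version-to-version diff in Step 2 only works because Step 1 kept the prior state to diff against. The script below is an added example written for this article; it is not SecNode's code and does not describe how Hive Mind is built. Given the package.json of the prior known-good version and of the new version, it reports the changes the article singles out: a lifecycle hook that never existed before, a hook whose command changed, a dependency that appeared, and a changed entry point or new executable. The two manifests are constructed, loosely modelled on the article's account of a clean package gaining a postinstall hook and a new dependency; the dependency names and version specs are invented.

```python
"""Flag risky changes between two versions of an npm package manifest.

Added example; it is not SecNode's code and does not describe how Hive Mind
is built. Given the package.json of the prior known-good version and of the
new version, it reports a lifecycle hook that never existed before, a hook
whose command changed, a dependency that appeared, and a changed entry point
or new executable. The sample manifests are constructed.
"""
import json
import re
from typing import Dict, List

# npm runs these scripts on its own during install; nobody has to call them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "optionalDependencies")
# Patterns that turn a hook into a downloader or an inline interpreter.
DOWNLOADER = re.compile(r"\b(curl|wget)\b|node\s+-e\b|\beval\b|base64|powershell")


def _bin_map(manifest: dict) -> Dict[str, str]:
    """'bin' may be a single path string or a name->path map."""
    value = manifest.get("bin")
    if isinstance(value, str):
        return {manifest.get("name", ""): value}
    return dict(value or {})


def diff_manifests(prior: dict, new: dict) -> List[dict]:
    """Compare the known-good manifest with the new one; return findings."""
    findings: List[dict] = []
    prior_scripts = prior.get("scripts") or {}
    new_scripts = new.get("scripts") or {}

    for hook in LIFECYCLE_HOOKS:
        before, after = prior_scripts.get(hook), new_scripts.get(hook)
        if after is None:
            continue
        if before is None:
            finding = {"severity": "high", "kind": "new_lifecycle_hook",
                       "hook": hook, "command": after}
        elif before != after:
            finding = {"severity": "high", "kind": "changed_lifecycle_hook",
                       "hook": hook, "before": before, "after": after}
        else:
            continue
        if DOWNLOADER.search(after):
            finding["note"] = "hook fetches or evaluates code at install time"
        findings.append(finding)

    for field in DEP_FIELDS:
        before_deps, after_deps = prior.get(field) or {}, new.get(field) or {}
        for name in sorted(set(after_deps) - set(before_deps)):
            findings.append({"severity": "medium", "kind": "new_dependency",
                             "field": field, "name": name, "spec": after_deps[name]})

    if prior.get("main") != new.get("main"):
        findings.append({"severity": "medium", "kind": "entry_point_changed",
                         "before": prior.get("main"), "after": new.get("main")})
    for name in sorted(set(_bin_map(new)) - set(_bin_map(prior))):
        findings.append({"severity": "medium", "kind": "new_executable",
                         "name": name, "path": _bin_map(new)[name]})
    return findings


def verdict(findings: List[dict]) -> str:
    """'block' on any high finding, 'review' on medium only, else 'pass'."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "block"
    return "review" if "medium" in severities else "pass"


# Constructed manifests: the prior version is what two years of installs
# looked like; the new one adds a hook and a dependency that never existed.
PRIOR_MANIFEST = {
    "name": "example-http-client", "version": "1.8.0", "main": "index.js",
    "scripts": {"test": "mocha", "build": "rollup -c"},
    "dependencies": {"example-redirects": "^1.15.0"},
}
NEW_MANIFEST = {
    "name": "example-http-client", "version": "1.8.1", "main": "index.js",
    "scripts": {"test": "mocha", "build": "rollup -c", "postinstall": "node setup.js"},
    "dependencies": {"example-redirects": "^1.15.0", "plain-crypto-js": "^0.1.0"},
}

if __name__ == "__main__":
    result = diff_manifests(PRIOR_MANIFEST, NEW_MANIFEST)
    print(json.dumps(result, indent=2))
    print("verdict:", verdict(result))
```

The manifest is only the first layer: a hook that did not change can still call a file whose contents did, which is why the tarball hash and a diff of the shipped files belong in the same pipeline. The point of the example is the shape of the decision: a package that has never had a postinstall hook gaining one is a block, not a ticket.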
Step 3: Corroborate Against Threat Intelligence Feeds
A new version with anomalous behavior is a strong signal. A new version with anomalous behavior where the package maintainer's account shows recent credential-reset activity, and where the postinstall hook's callback domain appears in active adversary infrastructure reports, is a confirmed incident.
HiveSense correlates every finding against live threat intelligence: maintainer account reputation and recent registry activity, package namespace anomalies flagged by community feeds, callback infrastructure tied to known campaigns, and active threat indicators from groups including Lazarus, Silk Typhoon, TeamPCP, and the industrialized malicious-package publishing operations Sonatype now tracks as standing campaigns.
This is the layer that would have closed the Axios case faster. The Lazarus email-swap on the maintainer account left observable signals in npm registry metadata hours before the malicious dependency appeared. Correlating the package-level anomaly against maintainer account signals collapses the detection window from weeks to hours.
Collective defense compounds this further. When Hive Mind validates a malicious pattern in one environment, that signal propagates across the fleet. Every customer consuming the affected package gets the finding before their next build executes — across every registry where the package appears. Shai-Hulud's propagation model depends on defenders gaining visibility after spread. This inverts that timeline.
What to Do Right Now
These apply regardless of what tooling you run.
- Pin dependencies to content hashes, not version tags. Tags are mutable. The Trivy attacker force-pushed to 76 of them because downstream consumers were pulling by tag. Hash pinning closes this at the package-manager level for every registry that supports it.
- Map your full dependency graph across all registries, transitive dependencies included. Most organizations track npm and have a rough picture of PyPI. Maven, NuGet, RubyGems, and Crates.io dependencies are frequently invisible. If you cannot list every package version your production pipeline pulled in the last 30 days — including the registry it came from — you are operating with a partial picture.
- Treat CI/CD credentials as already compromised. Rotate on a schedule that does not assume a clean history. The gap between compromise date and impact date in the Axios campaign was measured in months, not hours.
- Audit GitHub Actions workflow permissions. Misconfigured pull_request_target workflows and over-scoped PATs were the entry point for both tj-actions and Trivy. Least-privilege on CI/CD identity is not optional.
- Monitor maintainer account health, not just package content. The Axios attack, the s1ngularity campaign, and the 2025 PyPI phishing campaign all left signals at the maintainer account level before the malicious payload appeared in the package. Registry metadata is threat intelligence.
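Hash pinning is the one item on that list you can verify mechanically, so here is what the verification looks like. The script below is an added example written for this article, not SecNode's code. It handles the two pin formats most pipelines already have on disk: the Subresource Integrity strings npm writes into package-lock.json (`sha512-<base64>`) and the hashes pip accepts in a requirements file (`--hash=sha256:<hex>`), and it lists lockfile entries that resolve a tarball without carrying a pin at all. The tarball bytes, lockfile and registry URL are constructed.

```python
"""Verify package artifacts against pinned content hashes.

Added example; it is not SecNode's code. It handles the two pin formats most
pipelines already have on disk: the Subresource Integrity strings npm writes
into package-lock.json ("sha512-<base64>") and the hashes pip accepts in a
requirements file ("--hash=sha256:<hex>"). A version or tag is a pointer the
registry can re-point; a hash is a commitment the downloaded bytes must
satisfy. The tarball bytes and lockfile below are constructed.
"""
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

ALGORITHMS = ("sha256", "sha384", "sha512")
PIP_HASH = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def parse_npm_sri(sri: str) -> Tuple[str, bytes]:
    """'sha512-<base64>' -> (algorithm, raw digest). SRI allows several
    space-separated entries; npm writes one, and the first is used here."""
    algo, _, b64 = sri.split()[0].partition("-")
    if algo not in ALGORITHMS:
        raise ValueError("unsupported integrity algorithm: %r" % algo)
    return algo, base64.b64decode(b64)


def parse_pip_hashes(requirement_line: str) -> List[Tuple[str, bytes]]:
    """All --hash=algo:hex options on one requirements line."""
    return [(algo, bytes.fromhex(hexdigest))
            for algo, hexdigest in PIP_HASH.findall(requirement_line)]


def verify_artifact(data: bytes, algo: str, expected: bytes) -> bool:
    """Constant-time comparison of the artifact's digest with the pin."""
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Produce the integrity string npm would record for these bytes."""
    return "%s-%s" % (algo, base64.b64encode(hashlib.new(algo, data).digest()).decode())


def pip_hash_for(data: bytes, algo: str = "sha256") -> str:
    """Produce the --hash option pip would require for these bytes."""
    return "--hash=%s:%s" % (algo, hashlib.new(algo, data).hexdigest())


def unpinned_lock_entries(lock: dict) -> List[str]:
    """package-lock v2/v3 entries that resolve a tarball but carry no integrity."""
    missing = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):   # root project / workspace symlink
            continue
        if not entry.get("integrity"):
            missing.append(path)
    return missing


def verify_lock_entry(lock: dict, path: str, data: bytes) -> bool:
    """True only if the lockfile pins this entry and the bytes match the pin."""
    entry = lock.get("packages", {}).get(path, {})
    if not entry.get("integrity"):
        return False
    algo, digest = parse_npm_sri(entry["integrity"])
    return verify_artifact(data, algo, digest)


# Constructed: stand-in tarball bytes and a lockfile in which one dependency
# is pinned by hash and another is resolved by version only.
SAMPLE_TARBALL = b"constructed stand-in for foo-1.2.3.tgz"
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/foo": {
            "version": "1.2.3",
            "resolved": "https://registry.example/foo/-/foo-1.2.3.tgz",
            "integrity": sri_for(SAMPLE_TARBALL),
        },
        "node_modules/bar": {
            "version": "0.9.0",
            "resolved": "https://registry.example/bar/-/bar-0.9.0.tgz",
        },
    },
}

if __name__ == "__main__":
    print("unpinned:", unpinned_lock_entries(SAMPLE_LOCK))
    print("foo matches pin:", verify_lock_entry(SAMPLE_LOCK, "node_modules/foo", SAMPLE_TARBALL))
    print("tampered foo matches pin:",
          verify_lock_entry(SAMPLE_LOCK, "node_modules/foo", SAMPLE_TARBALL + b"\x00"))
```

In practice you let the package manager do this enforcement: `npm ci` refuses a tarball whose bytes do not match the lockfile's integrity string, and `pip install --require-hashes -r requirements.txt` refuses any requirement that has no hash. The script is useful for the gap those tools leave, which is finding the entries that were never pinned in the first place and checking an artifact outside the install step, for instance in the interception layer the article describes. Cargo.lock checksums and Gradle's dependency verification metadata play the same role for the other registries.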
The Actual Problem
Supply chain compromise became the highest-leverage attack class because it bypasses multiple defensive layers simultaneously.
Perimeter controls do not help when the payload arrives as a signed package from a registry you already trust. Signature verification does not help when the attacker controls the signing account. CVE scanning does not help when the payload has no CVE and the execution happens at interpreter boot from a .pth file nobody reviewed.
The organizations that contained blast radius in 2025 shared one characteristic: they knew what normal looked like, and they had systems that noticed when normal changed. A versioned dependency graph across every registry. Behavioral baselines for every package at every install point. Threat intelligence wired directly to the version-monitoring layer.
Not faster CVE feeds. Persistent memory, proactive interception, and corroborated threat context — across every registry your engineers actually use.
The next compromised package is already in transit. The question is whether your tooling will see it before it lands.
Want to see how HiveSense maps your full dependency graph and how Hive Mind inspects new versions across every registry before your pipeline sees them? secnode.ai
References
- Sonatype — 2026 State of the Software Supply Chain Report · sonatype.com
- OpenSSF — Hidden Costs of Package Registries, May 2026 · openssf.org
- NHS England Digital — Supply Chain Attack: TanStack, Mistral AI, UiPath, OpenSearch · digital.nhs.uk
- RapidFort — PyPI, npm, and the New Frontline of Supply Chain Attacks, April 2026 · rapidfort.com
- Halcyon — Trivy Supply Chain Compromise & Vect Ransomware · halcyon.ai
- Dark Reading — Supply Chain Worms in 2026: What Shai-Hulud Taught Attackers · darkreading.com
- Verizon — 2025 Data Breach Investigations Report · verizon.com
- IBM — Cost of a Data Breach Report 2025 · ibm.com
- Cloudsmith — Malicious Packages on PyPI, npm, and RubyGems, June 2025 · cloudsmith.com
- Bernát Gábor — Defense in Depth: Python Supply Chain Security, March 2026 · bernat.tech