A presentation at DASH in New York, NY, USA by Daniel "phrawzty" Maher

Inside the Supply-Chain Attacks of 2026: Key Learnings and Quick Wins

The software factory
Have you met your (software) supply chain?
- App dependencies: npm, PyPI
- Docker images
- VM images
- AI skills

npm in numbers
- 4M+ public packages
- 600B+ monthly downloads
- 150k+ malicious packages

2026: the year of large-scale supply-chain attacks (not the year of Linux on the desktop)

Daniel Maher, Senior Security Advocate & Researcher

Q: In what year was the first malicious npm package documented?
A: 2017

Malicious software packages in 2026
Malicious by design:
- Typosquatting
- Brand impersonation
- Popular keywords (“ChatGPT”)
Compromised legitimate package:
- Compromised maintainer account
- Release CI pipeline abused
- CI credentials leaked

Chart: attack complexity (low to high) against impact and reach (low to high). Typosquatting sits in the uninteresting zone; compromising a popular package sits in the attackers' dream zone.

Compromised legitimate packages
Large user base:
- react: 100M+ weekly
- axios: 100M+ weekly
- lodash: 150M+ weekly
Spread fast:
- 50% of organizations use a dependency less than 24 hours old [1]
[1] State of DevSecOps, Datadog, 2026

Maintainer compromise: how attackers steal npm accounts

Adversary-in-the-Middle (AiTM) phishing
How it works:
- The attacker proxies authentication through a lookalike npm domain
- Captures a valid session cookie, which bypasses SMS/OTP 2FA
- One compromised maintainer = thousands of victims
The lookalike infrastructure:
- npmjs.help, npmjs.wtf, npmjs.pro, npmjs.us
- npm email addresses are public, so maintainers are easy to target
- The session cookie gives full npm publishing rights

xrpl (semantic versioning considered harmful)
Four staged versions:
- v4.2.1: crude fetch(), only build files touched
- v4.2.2/3: expanded scope, refactored code
- v4.2.4: polished, malicious payload fully hidden
Why semantic versioning amplifies this:
- ^4.2.0 silently auto-accepts new patch versions
- 50% of orgs install a dependency released the same day (Datadog 2026 State of DevSecOps)

The maintainer compromise two-step
Step 1: Gain access
- AiTM phishing captures a valid session cookie
- Bypasses all standard 2FA; undetectable in real time
- The attacker controls the npm publishing account
Step 2: Maximize blast radius
- Inject malicious code into a new patch version
- Semantic versioning auto-delivers it to consumers
- Steal secrets, deploy a RAT, or establish persistence

Q: In what year was the first npm worm documented?
A: 2025, the start of the npm worm era

Shai-Hulud 1.0 (September 2025)
How it self-propagates:
- Finds npm tokens in .npmrc and environment variables
- Lists the victim's packages via the registry API
- Publishes backdoored patch versions, then spreads
Secrets + impact:
- TruffleHog + env vars + cloud credentials stolen
- 500+ packages compromised
- Some victims had 2M+ weekly installs

Shai-Hulud 2.0 (November 2025)
Significantly evolved:
- Cloud Secrets Manager (AWS/GCP/Azure) targeted
- Self-hosted GitHub runner planted for persistence
- GitHub Actions exfiltrates on every Discussion event
No token, no problem:
- Searches GitHub Archive for prior victims' tokens
- 700+ packages compromised; no central IOC list
Shai-Hulud 3.0 (December): minor variant, same codebase

axios supply chain (March 2026)
How the attack worked:
- Maintainer PC compromised via social engineering
- plain-crypto-js@4.2.1 injected into package.json
- Post-install hook deployed a cross-platform RAT
Impact:
- axios: 70M+ weekly downloads
- Live for ~3 hours; thousands of endpoints hit the command & control platform
- Attributed to Sapphire Sleet (North Korea)

Sandworm (February 2026)
Persistence: two layers
- Installs an MCP server, injected into Claude Code and Cursor
- Prompt injection in tool descriptions drives execution
- Git hooks in all repos + init.templateDir: permanent
Advanced evasion:
- DGA for C2 + DNS tunneling as fallback
- Calls local Ollama to rewrite its own code per victim
- Each instance is unique, which evades signature detection

The attacker's toolkit
The four techniques:
- Version poisoning: code injected into a legitimate patch
- Token and credential theft: npm tokens, cloud secrets
- Post-install hooks: automatic execution at install time
- Heuristic obfuscation
Heuristic obfuscation:
- Sandworm rewrote its own code per victim
- Variable renaming, control-flow rewrites, decoy insertion
- No two instances identical; signatures fail by design
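Post-install hooks are the technique behind most of the worms above, so a consumer's first question is which dependencies would run code at install time. The following audit is an added example, not code from the talk or from Datadog: it walks a node_modules tree and reports every package whose package.json declares an install-time lifecycle script. The two packages in the fixture are constructed.

```python
"""Added example (not from the talk): find dependencies that declare
install-time lifecycle scripts, i.e. the hooks that
`npm config set ignore-scripts true` would suppress."""
import json
import os
import tempfile

# Lifecycle scripts npm runs during `npm install` of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules):
    """Return {package name: {hook: command}} for every package.json under
    node_modules that declares at least one install-time script."""
    found = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash the audit
        scripts = meta.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if hooks:
            found[meta.get("name", os.path.relpath(root, node_modules))] = hooks
    return found


def build_sample_tree(base):
    """Constructed fixture: one benign package and one with a postinstall hook."""
    pkgs = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "hooked-lib": {"name": "hooked-lib", "version": "0.0.1",
                       "scripts": {"postinstall": "node setup.js"}},
    }
    nm = os.path.join(base, "node_modules")
    for name, meta in pkgs.items():
        os.makedirs(os.path.join(nm, name))
        with open(os.path.join(nm, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return nm


def audit_sample():
    """Run the audit against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_hooks(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, hooks in audit_sample().items():
        print(f"{name}: {hooks}")
```

Point find_install_hooks at a real project's node_modules to see which packages still need the hook after ignore-scripts is enabled (some native modules do) and which can do without it.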
Quick wins: what you can do this week

If you publish packages
Phishing-resistant 2FA:
- Switch to FIDO2 / WebAuthn: YubiKey or passkeys
- The key is origin-bound, so AiTM cannot replay it
- Technically defeats the maintainer-phishing vector
npm Trusted Publishing:
- OIDC short-lived tokens via GitHub Actions
- No long-lived token stored anywhere
- Two lines of YAML; works with GitHub and GitLab

If you consume packages
Slow down updates:
- minimumReleaseAge / cooldown: delay N days
- Closes the zero-hour infection window
- SCFW wraps npm/pip and checks osv.dev at install time
Reduce the execution surface:
- npm config set ignore-scripts true
- Disables postinstall hooks, which is how most worms fire
- Default in pnpm v10+ (consider switching!)
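The xrpl slide and the cooldown advice are two sides of one mechanism: a caret range resolves to the newest matching version, so a patch published hours ago is installed immediately, while a minimum release age excludes anything younger than N days. The code below is an added example, not from the talk; the registry `time` metadata and timestamps are constructed (the version numbers follow the xrpl staging described above), and the caret logic assumes a non-zero major version.

```python
"""Added example (not from the talk): caret-range resolution with and
without a minimum release age, over constructed npm registry metadata."""
from datetime import datetime, timedelta, timezone

# Constructed: the `time` map the npm registry returns for a package
# (version -> publish timestamp). Timestamps are invented.
REGISTRY_TIME = {
    "4.2.0": "2026-01-05T10:00:00Z",
    "4.2.1": "2026-03-01T09:00:00Z",  # first staged version
    "4.2.2": "2026-03-02T09:00:00Z",  # expanded scope
    "4.2.4": "2026-03-03T08:30:00Z",  # payload fully hidden
}

# Constructed "now": a few hours after 4.2.4 was published.
NOW = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)


def parse(version):
    return tuple(int(part) for part in version.split("."))


def caret_matches(range_spec, version):
    """^X.Y.Z accepts >=X.Y.Z and <(X+1).0.0 (assumes X > 0; ^0.y.z differs)."""
    base = parse(range_spec.lstrip("^"))
    cand = parse(version)
    return cand >= base and cand[0] == base[0]


def resolve(range_spec, now=NOW, min_release_age_days=0):
    """Highest version matching the range that was published at least
    min_release_age_days before `now`; None if nothing qualifies."""
    cutoff = now - timedelta(days=min_release_age_days)
    eligible = [
        v for v, ts in REGISTRY_TIME.items()
        if caret_matches(range_spec, v)
        and datetime.fromisoformat(ts.replace("Z", "+00:00")) <= cutoff
    ]
    return max(eligible, key=parse) if eligible else None


if __name__ == "__main__":
    print("no cooldown:  ", resolve("^4.2.0"))                          # 4.2.4
    print("1-day cooldown:", resolve("^4.2.0", min_release_age_days=1))  # 4.2.2
    print("7-day cooldown:", resolve("^4.2.0", min_release_age_days=7))  # 4.2.0
```

A cooldown only buys time: it keeps the zero-hour version out until the ecosystem has had N days to notice it, so pair it with the ignore-scripts setting and an advisory feed such as osv.dev.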
How Datadog helps: static, runtime, and research

Datadog Code Security
- Static analysis detects malicious packages at PR time
- Runtime protection flags suspicious behaviour
- Contextualised alerts: severity + reachability

Datadog Security Research
- Datadog Security Labs publishes malicious package research
- MCP / Cmd+I brings alerts into your IDE, in context
- Tells you about malicious packages while you code

What's next: the attack surface is shifting

AI is the new attack surface
Attacks in the AI era:
- A postinstall hook fires and invokes the local coding agent
- The agent executes attacker commands, which looks like normal dev activity
- Sandworm already demonstrated MCP-layer persistence
MCP servers and AI skills:
- Same trust model as npm: install and run
- A poisoned MCP server = an attacker inside your dev environment
- AI-heavy orgs are high-value targets (LiteLLM: 36% of envs)

The more things change…
Social engineering still wins:
- 100% of 2025-26 maintainer compromises started with phishing
- Public emails + high trust = easy targets
- The attack is on people, not code
Classic defenses still apply:
- Inventory everything: SBOM, dependencies, installed MCP servers
- Least privilege: scoped tokens, no long-lived credentials
- Delay auto-updates. Verify before you trust.

Ship safer
- github.com/DataDog/guarddog
- docs.datadoghq.com/security/code_security
- securitylabs.datadoghq.com
The npm registry hosts over 3 million packages and serves 400 million downloads every month, which makes it an attractive target for attackers. In 2025 and 2026, the ecosystem saw a sharp escalation in supply chain attacks: phishing campaigns targeting maintainers, credential theft at scale, and the first self-replicating worms spreading through package dependencies.
In this talk, we’ll review the most impactful supply chain attacks of 2025 and 2026, and share an actionable roadmap that defenders can use to harden their build pipelines and developer practices to prevent compromise.