Inside the Supply-Chain Attacks of 2026: Key Learnings and Quick Wins

A presentation at DASH in June 2026 in New York, NY, USA by Daniel "phrawzty" Maher

Slide 1

Slide 2

WELCOME TO

Slide 3

STARTING SOON
Inside the Supply-Chain Attacks of 2026: Key Learnings and Quick Wins

Slide 4

The software factory

Slide 5

The software factory

Slide 6

Have you met your (software) supply chain?
  app dependencies (npm, PyPI)
  Docker images
  VM images
  AI skills

Slide 7

npm in numbers
  4M+ public packages
  600B+ monthly downloads
  150k+ malicious packages

Slide 8

2026: the year of
  Linux on the desktop
  large-scale supply-chain attacks

Slide 9

Slide 10

Daniel Maher, Senior Security Advocate & Researcher

Slide 11

?: year of the first documented malicious npm package

Slide 12

2017: year of the first documented malicious npm package

Slide 13

Malicious software packages in 2026

Malicious by design:
  Typosquatting
  Brand impersonation
  Popular keywords (“ChatGPT”)

Compromised legitimate package:
  Compromised maintainer account
  Release CI pipeline abused
  CI credentials leaked

Slide 14

Chart: attack complexity (low to high) plotted against impact & reach (low to high). Labelled regions: Uninteresting zone; Typosquatting; Compromise popular package; Attackers’ dream zone.

Slide 15

Compromised legitimate packages

Large user base:
  react: 100M+ weekly
  axios: 100M+ weekly
  lodash: 150M+ weekly

Spread fast:
  50% of organizations use a dependency < 24h old [1]

1: State of DevSecOps, Datadog, 2026

Slide 16

Maintainer compromise: how attackers steal npm accounts

Slide 17

Adversary-in-the-Middle (AiTM) phishing

How it works:
  Attacker proxies auth through a lookalike npm domain
  Captures valid session cookie — bypasses SMS/OTP 2FA
  One compromised maintainer = thousands of victims

The lookalike infrastructure:
  npmjs.help, npmjs.wtf, npmjs.pro, npmjs.us
  npm email addresses are public — easy to target
  Session cookie gives full npm publishing rights

Slide 18

xrpl (semantic versioning considered harmful)

Four staged versions:
  v4.2.1 — crude fetch(), only build files touched
  v4.2.2/3 — expanded scope, refactored code
  v4.2.4 — polished, malicious payload fully hidden

Why semantic versioning amplifies this:
  ^4.2.0 silently auto-accepts new patches
  50% of orgs install a dep released the same day (Datadog 2026 State of DevSecOps)

Slide 19

The maintainer compromise two-step

Step 1: Gain access
  AiTM phishing captures a valid session cookie
  Bypasses all standard 2FA — undetectable in real time
  Attacker controls the npm publishing account

Step 2: Maximize blast radius
  Inject malicious code into a new patch version
  Semantic versioning auto-delivers it to consumers
  Steal secrets, deploy RAT, or establish persistence

Slide 20

?: year of the first documented npm worm

Slide 21

2025: the npm worm era

Slide 22

Shai-Hulud 1.0 (September 2025)

How it self-propagates:
  Finds npm tokens in .npmrc and environment variables
  Lists victim’s packages via registry API
  Publishes backdoored patch versions, then spreads

Secrets + impact:
  TruffleHog + env vars + cloud credentials stolen
  500+ packages compromised
  Some victims had 2M+ weekly installs

Slide 23

Shai-Hulud 2.0 (November 2025)

Significantly evolved:
  Cloud Secrets Manager (AWS/GCP/Azure) targeted
  Self-hosted GitHub runner planted for persistence
  GitHub Actions exfiltrates on every Discussion event

No token, no problem:
  Searches GitHub Archive for prior victims’ tokens
  700+ packages compromised — no central IOC list
  Shai-Hulud 3.0 (Dec): minor variant, same codebase

Slide 24

axios supply chain (March 2026)

How the attack worked:
  Maintainer PC compromised via social engineering
  plain-crypto-js@4.2.1 injected into package.json
  Post-install hook deployed a cross-platform RAT

Impact:
  axios: 70M+ weekly downloads
  Live ~3 hours; thousands of endpoints hit the command & control platform
  Attributed to Sapphire Sleet (North Korea)

Slide 25

Sandworm (February 2026)

Persistence: two layers
  Installs MCP server — injected into Claude Code, Cursor
  Prompt injection in tool descriptions drives execution
  Git hooks in all repos + init.templateDir — permanent

Advanced evasion:
  DGA for C2 + DNS tunneling as fallback
  Calls local Ollama to rewrite own code per victim
  Each instance unique — evades signature detection

Slide 26

The attacker’s toolkit

The four techniques:
  Heuristic obfuscation
  Version poisoning — code injected into a legitimate patch
  Token and credential theft — npm tokens, cloud secrets
  Post-install hooks — automatic execution at install time

Heuristic obfuscation:
  Sandworm rewrote its own code per victim
  Variable renaming, control flow rewrites, decoy insertion
  No two instances identical — signatures fail by design
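Two of the four techniques above, version poisoning and post-install hooks, are what a release-review check can catch in a manifest diff. The following is an added example (not code from the talk or from Datadog): given the previous and next package.json of a package plus the manifests of its resolved dependencies, it reports newly added dependencies and any install-time lifecycle script they or the package itself introduce. The manifests are constructed; only the package names axios and plain-crypto-js come from the slides.

```javascript
// Added example, not code from the talk. Lifecycle scripts npm runs automatically
// on `npm install` of a dependency (unless ignore-scripts is set).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const installHooks = (manifest) =>
  Object.entries(manifest.scripts ?? {}).filter(([name]) => INSTALL_HOOKS.includes(name));

// prev/next: the package's manifest before and after a release.
// depManifests: package.json of each resolved dependency, keyed by name.
function auditRelease(prev, next, depManifests) {
  const findings = [];
  const prevDeps = prev.dependencies ?? {};
  for (const [dep, spec] of Object.entries(next.dependencies ?? {})) {
    if (dep in prevDeps) continue;
    findings.push({ kind: "added-dependency", name: dep, spec });
    // A brand-new dependency that runs code at install time is the highest-signal case.
    for (const [hook, command] of installHooks(depManifests[dep] ?? {})) {
      findings.push({ kind: "install-hook", package: dep, hook, command });
    }
  }
  // The package's own hooks count too: a new or changed postinstall in a patch release.
  for (const [hook, command] of installHooks(next)) {
    if ((prev.scripts ?? {})[hook] !== command) {
      findings.push({ kind: "install-hook", package: next.name, hook, command });
    }
  }
  return findings;
}

// Constructed sample: version numbers, commands and "example-dep-a" are made up.
const prev = { name: "axios", version: "1.0.0",
  dependencies: { "example-dep-a": "^1.0.0" }, scripts: { test: "mocha" } };
const next = { name: "axios", version: "1.0.1",
  dependencies: { "example-dep-a": "^1.0.0", "plain-crypto-js": "4.2.1" },
  scripts: { test: "mocha" } };
const depManifests = {
  "example-dep-a": { name: "example-dep-a", scripts: { test: "mocha" } },
  "plain-crypto-js": { name: "plain-crypto-js",
    scripts: { postinstall: "node ./setup.js" } },   // constructed; fires on install
};

console.log(auditRelease(prev, next, depManifests));
// Two findings: the added dependency and its postinstall hook.
```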

Slide 27

Quick wins: what you can do this week

Slide 28

If you publish packages

Phishing-resistant 2FA:
  Switch to FIDO2 / WebAuthn: YubiKey or passkeys
  Key is origin-bound — AiTM cannot replay it
  Technically defeats the maintainer-phishing vector

npm Trusted Publishing:
  OIDC short-lived tokens via GitHub Actions
  No long-lived token stored anywhere
  Two lines of YAML — works with GitHub and GitLab

Slide 29

If you consume packages

Slow down updates:
  minimumReleaseAge / cooldown — delay N days
  Closes the zero-hour infection window
  SCFW wraps npm/pip, checks osv.dev at install time

Reduce the execution surface:
  npm config set ignore-scripts true
  Disables postinstall hooks — how most worms fire
  Default in pnpm v10+ (consider switching!)
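To make the cooldown idea concrete for both the xrpl staging pattern (slide 18) and the minimumReleaseAge quick win above, here is an added example, not code from the talk or from any package manager: it resolves a caret range against registry publish timestamps the way a release-age policy would. The registry metadata is constructed to mirror the xrpl staged releases; the caret matcher is a simplified one (major >= 1, no prerelease tags) written for this example.

```javascript
// Added example, not code from the talk. Constructed stand-in for the registry's
// "time" field (version -> ISO publish timestamp); not real xrpl metadata.
const REGISTRY_TIME = {
  "4.2.0": "2026-03-01T10:00:00.000Z",
  "4.2.1": "2026-03-20T09:00:00.000Z",   // staged releases land a day apart
  "4.2.2": "2026-03-21T09:00:00.000Z",
  "4.2.3": "2026-03-21T18:00:00.000Z",
  "4.2.4": "2026-03-22T08:00:00.000Z",
  "5.0.0": "2026-03-10T12:00:00.000Z",   // outside ^4.2.0, must never be picked
};

const parse = (v) => v.split(".").map(Number);                 // "4.2.1" -> [4, 2, 1]
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Simplified caret semantics (assumption: major >= 1, no prerelease tags):
// same major as the base version and not below it, so every new patch and minor
// is auto-accepted, which is exactly what the xrpl slide warns about.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only ^ ranges handled in this example");
  const base = parse(range.slice(1));
  const v = parse(version);
  return v[0] === base[0] && cmp(v, base) >= 0;
}

// Highest in-range version that is at least minDays old at `now`.
// minDays = 0 reproduces plain npm behaviour: the newest patch wins immediately.
function resolve(range, timeField, now, minDays) {
  const cutoff = now.getTime() - minDays * 86400000;
  const eligible = Object.entries(timeField)
    .filter(([v, t]) => satisfiesCaret(range, v) && Date.parse(t) <= cutoff)
    .map(([v]) => v)
    .sort((a, b) => cmp(parse(b), parse(a)));
  return eligible[0] ?? null;   // null: nothing old enough yet, so do not install
}

const now = new Date("2026-03-22T12:00:00.000Z");
console.log(resolve("^4.2.0", REGISTRY_TIME, now, 0));   // 4.2.4: same-day patch taken
console.log(resolve("^4.2.0", REGISTRY_TIME, now, 1));   // 4.2.2: newest one over a day old
console.log(resolve("^4.2.0", REGISTRY_TIME, now, 7));   // 4.2.0: cooldown holds the line
```

A real policy would read the same "time" field from the registry's packument and combine it with a lockfile, but the selection rule is the one shown.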

Slide 30

How Datadog helps: static, runtime, and research

Slide 31

Datadog Code Security
  Static analysis detects malicious packages at PR time
  Runtime protection flags suspicious behaviour
  Contextualised alerts — severity + reachability

Slide 32

Datadog Security Research
  Datadog Security Labs publishes malicious package research
  MCP / Cmd+I brings alerts into your IDE in context
  Tells you about malicious packages while you code

Slide 33

What’s next: the attack surface is shifting

Slide 34

AI is the new attack surface

Attacks in the AI era:
  Postinstall hook fires, invokes local coding agent
  Agent executes attacker commands — looks like dev activity
  Sandworm already demonstrated MCP-layer persistence

MCP servers and AI skills:
  Same trust model as npm — install and run
  Poisoned MCP server = attacker inside your dev environment
  AI-heavy orgs are high-value targets (LiteLLM: 36% of envs)

Slide 35

The more things change…

Social engineering still wins:
  100% of 2025-26 maintainer compromises started with phishing
  Public emails + high trust = easy targets
  The attack is on people, not code

Classic defenses still apply:
  Inventory everything: SBOM, deps, MCP servers installed
  Least-privilege: scoped tokens, no long-lived credentials
  Delay auto-updates. Verify before you trust.

Slide 36

Ship safer
  github.com/DataDog/guarddog
  docs.datadoghq.com/security/code_security
  securitylabs.datadoghq.com