The final week of March 2026 delivered what may be the most concentrated burst of software supply chain attacks in history. Within days of each other, three separate incidents shook the foundations of open source software trust: a nation-state compromise of the most popular JavaScript HTTP client, a cascading breach that led to stolen Cisco source code, and an accidental source code leak from a leading AI company. Each incident carries urgent lessons for government IT leaders and developers. Here is what happened, what it means, and how your organization can protect itself.

Incident 1: Axios NPM Supply Chain Attack

On March 30-31, 2026, the axios JavaScript library - the most popular HTTP client in the npm ecosystem with over 100 million weekly downloads - was compromised in what security firm StepSecurity called “among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.”

The attack began when a threat actor compromised the npm account of the project’s lead maintainer, jasonsaayman. Using the hijacked credentials, the attacker published two malicious versions: axios@1.14.1 and axios@0.30.4, targeting both the modern and legacy release branches within 39 minutes of each other.

The malicious versions contained zero lines of harmful code in axios itself. Instead, the attacker injected a single new dependency called plain-crypto-js@4.2.1, a package impersonating the legitimate crypto-js library. This dependency’s sole purpose was to execute a postinstall script that deployed a cross-platform Remote Access Trojan (RAT) capable of targeting Windows, macOS, and Linux systems.

The sophistication was remarkable:

• Pre-staging: The malicious dependency was published 18 hours in advance, with a clean “decoy” version (4.2.0) established first to build publishing history and avoid triggering new-package alarms.
• Speed: Within two seconds of npm install, the malware was calling home to an attacker-controlled command-and-control server (sfrclak.com:8000) before npm had finished resolving dependencies.
• Anti-forensics: After execution, the dropper deleted itself and replaced its own package.json with a clean version reporting version 4.2.0 instead of 4.2.1, designed to mislead incident responders checking installed packages.
• Stealth: A developer inspecting their node_modules folder after the fact would find no indication anything went wrong.

The packages were live for approximately three hours before npm removed them. Google Threat Intelligence Group told BleepingComputer that UNC1069, a financially motivated North Korean threat actor with ties to the BlueNoroff group within the broader Lazarus ecosystem, was behind the compromise, potentially making this the first successful attack on a top-10 npm package by DPRK-linked actors.

Sources: StepSecurity Technical Analysis, BleepingComputer (Bill Toulas, March 31, 2026)

Incident 2: Cisco Source Code Stolen via Trivy Supply Chain Attack

Also on March 31, 2026, reports emerged that Cisco suffered a significant data breach after threat actors used credentials stolen during the compromise of Trivy, the widely used open source vulnerability scanner maintained by Aqua Security, to breach Cisco’s internal development environment and steal source code.

The Trivy supply chain attack began in early March 2026 when an attacker exploited a compromised credential with write access to the repository. By March 19, the attacker force-pushed malicious code to 75 of 76 previously released version tags of trivy-action. The payload was a credential-harvesting infostealer that scanned dozens of filesystem locations for:

• SSH keys
• Cloud credentials (AWS, Google Cloud, and Azure)
• Kubernetes tokens and Docker configurations
• Environment variables and database credentials
• Cryptocurrency wallets

The stolen data was exfiltrated using AES-256-CBC with RSA-4096 hybrid encryption to attacker-controlled infrastructure. The compromised credentials were then reportedly used as the entry vector to breach Cisco’s development systems. According to BleepingComputer, more than 300 GitHub repositories were cloned during the incident, including source code for AI-powered products, and a portion of the stolen repositories allegedly belongs to corporate customers, including banks, BPOs, and US government agencies.

This incident demonstrates the cascading nature of supply chain attacks: a single compromised open source tool can provide the keys to enterprise environments that depend on it.

Sources: BleepingComputer - Cisco Breach (Lawrence Abrams, March 31, 2026), BleepingComputer - Trivy Compromise, Wiz Technical Analysis

Incident 3: Anthropic Claude Code Source Code Leak

Coinciding with these attacks, Anthropic accidentally published a .map source map file in their npm package @anthropic-ai/claude-code version 2.1.88 that contained the complete TypeScript source code of their Claude Code developer tool: approximately 1,900 files, approximately 500,000 lines of code, including internal system prompts, tool definitions, hidden feature flags, and unreleased commands with developer comments preserved.

This was the second such incident following a similar leak in February 2025. A GitHub mirror of the leaked source attracted thousands of stars before Anthropic issued DMCA takedowns affecting over 8,100 repository forks.

Community analysis of the leaked source revealed unreleased features including background agent capabilities, async deep thinking modes, and anti-distillation measures designed to protect the tool’s intellectual property.

The fix was trivial: excluding .map files from production builds via .npmignore.

Critically, this leak coincided with the Axios supply chain attack. Developers who cloned leaked Claude Code repositories and ran npm install on March 31 may have been further compromised by the malicious axios packages, creating a compound attack vector.

Sources: BleepingComputer (Mayank Parmar, March 31, 2026), Anthropic DMCA on GitHub

How to Protect Your Organization with Microsoft Security Solutions

These three incidents share common threads: compromised developer accounts, poisoned dependencies, stolen credentials, and inadequate build pipeline controls. Microsoft provides a comprehensive set of tools to address each of these attack vectors.

1. Microsoft Defender for DevOps and GitHub Advanced Security

Microsoft Defender for DevOps provides unified visibility into your DevOps security posture across Azure DevOps, GitHub, and GitLab. It surfaces findings from code scanning, secret detection, and open source dependency vulnerability scans in a single console. Combined with GitHub Advanced Security, which includes dependency review and Dependabot alerts, your teams can catch malicious or vulnerable dependencies before they enter your codebase. The dependency review action can block pull requests that introduce known-vulnerable packages.

2. Microsoft Defender for Cloud for CI/CD Pipeline Security

Microsoft Defender for Cloud extends security from code to cloud, including CI/CD pipeline protection. It can detect compromised credentials, misconfigured DevOps environments, and Infrastructure as Code vulnerabilities. In the context of the Trivy attack, Defender for Cloud’s posture management recommendations would help identify overly permissive GitHub Action configurations and exposed secrets.

3. Azure DevOps Artifact Feeds with Upstream Sources

Azure Artifacts upstream sources allow you to proxy public registries like npmjs.com through a controlled feed. This provides package integrity verification, caching for reliability, and a chokepoint where you can apply security policies before packages reach developer machines. By routing all npm installs through an Azure Artifacts feed, your team gains visibility into every package consumed and can block known-malicious versions before they are installed. The upstream sources tutorial walks through setting this up.

4. Microsoft Entra ID with Phishing-Resistant MFA

The axios attack began with a compromised maintainer account. Microsoft Entra Conditional Access enforces Zero Trust policies for every sign-in, requiring phishing-resistant authentication methods like passkeys (FIDO2) that cannot be stolen via credential harvesting or social engineering. For developer accounts with publishing permissions to package registries, enforcing hardware-bound passkeys eliminates the class of attack that enabled the axios compromise.

5. Microsoft Sentinel for Threat Detection

Microsoft Sentinel provides cloud-native SIEM capabilities to detect anomalous behavior such as unexpected outbound network connections from build servers (like the C2 callback to sfrclak.com in the axios attack), unusual package installation patterns, or credential exfiltration attempts. Custom analytics rules can be configured to alert on new or unexpected npm package dependencies in CI/CD pipelines.

6. GitHub Secret Scanning and Push Protection

GitHub secret scanning automatically detects exposed credentials across your repositories, including API keys, tokens, and passwords. Push protection prevents secrets from being committed in the first place. In the context of the Trivy attack, where stolen credentials cascaded into a Cisco breach, secret scanning and credential rotation practices are essential defenses.

7. DevSecOps Practices with Azure DevOps Pipelines

Implementing security gates in Azure DevOps pipelines ensures that every build passes through automated security checks before deployment. This includes dependency scanning, container image scanning, and approval workflows that can catch anomalous changes like the injection of an unexpected dependency in a release build.

Why This Matters for Government

Government agencies face unique risks from supply chain attacks:

• Critical infrastructure dependencies: State and local government systems that handle citizen data, emergency services, and financial transactions rely on the same open source ecosystems that were compromised. An npm install on a developer workstation connected to a government network could provide attackers with a foothold into sensitive systems.
• Nation-state targeting: The attribution of the axios attack to DPRK-linked actors underscores that government organizations are not bystanders in these campaigns. Nation-state actors specifically target software supply chains as a vector to reach government and critical infrastructure systems.
• Cascading risk: As the Trivy-to-Cisco chain demonstrates, a single compromised development tool can cascade into full organizational breaches. BleepingComputer reported that stolen repositories included code belonging to US government agencies, underscoring that government supply chains are directly in the crosshairs. Government agencies using open source security scanners, CI/CD tools, or JavaScript libraries in their applications need layered defenses.
• Regulatory and compliance obligations: Government organizations have obligations under frameworks like NIST SP 800-218 (Secure Software Development Framework) and CISA’s Secure by Design principles to maintain software supply chain integrity. These incidents are exactly the scenarios those frameworks aim to prevent.
• GCC and sovereign cloud considerations: Organizations operating in Microsoft 365 GCC tenants and Azure Government should leverage the security tools available in those environments, including Defender for Cloud and Sentinel, which are available in Azure Government regions.

Immediate Actions for Your Team

1. Audit your dependencies now: Check if any of your projects installed axios@1.14.1, axios@0.30.4, or plain-crypto-js in any version. If the plain-crypto-js directory exists in node_modules, assume compromise.
2. Review Trivy usage: If your CI/CD pipelines use trivy-action, verify you are running a clean version and rotate any credentials that may have been exposed.
3. Enable phishing-resistant MFA: Require passkeys or FIDO2 security keys for all developer accounts with package publishing or repository admin permissions.
4. Implement artifact feed proxying: Route all package manager traffic through Azure Artifacts or a similar controlled feed.
5. Deploy detection rules: Configure Microsoft Sentinel analytics to detect unexpected outbound connections from build environments and developer workstations.
6. Review .npmignore and build artifacts: Ensure your own packages do not accidentally publish source maps, environment files, or other sensitive files.

The message from this extraordinary week is clear: software supply chain security is not optional. It demands the same rigor, tooling, and attention that organizations apply to network security and endpoint protection. The tools exist. The question is whether your organization has deployed them before the next attack lands.