Multiple supply chain compromises of open source projects
Executive Summary
Beginning in March 2026, multiple widely-used open source projects have been impacted by supply chain attacks. The impacted tools are BerriAI LiteLLM, Aqua Security Trivy, Checkmarx GitHub Actions, Telnyx, Axios, and various npm packages. Some of the compromises are inter-related; it is currently unknown whether all of them are. No Red Hat products or enterprise software have been identified as built or shipped with a compromised version of these packages. Investigations are ongoing and this article will be updated as new information emerges. Click the “FOLLOW” button below to be notified of updates.
References
- Trivy: https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
- CVE-2026-33634 in the Red Hat Security Database: https://access.redhat.com/security/cve/cve-2026-33634
- Checkmarx: https://checkmarx.com/blog/checkmarx-security-update/
- npm packages: https://socket.dev/blog/canisterworm-npm-publisher-compromise-deploys-backdoor-across-29-packages