Multiple supply chain compromises of open source projects

Created Date: April 1, 2026, 12:12
Updated April 1, 2026, 13:45

Ongoing Status

Executive Summary

Beginning in March 2026, multiple widely used open source projects have been impacted by supply chain attacks. The impacted tools are BerriAI LiteLLM, Aqua Security Trivy, Checkmarx GitHub Actions, Telnyx, Axios, and various npm packages. Some compromises are inter-related; it is currently unknown whether they all are. No Red Hat products or enterprise software have been identified as built or shipped with a compromised version of these packages. Investigations are ongoing and this article will be updated as new information emerges.
