RHSB-2026-001 Multiple supply chain compromises of open source projects
Public Date: April 1, 2026, 12:12
Updated June 2, 2026, 18:45
Status: Resolved
Executive Summary
In March 2026, multiple widely used open source projects were impacted by supply chain attacks. The impacted tools are BerriAI LiteLLM, Aqua Security Trivy, Checkmarx KICS, Telnyx, Axios, and various npm packages. No Red Hat products or enterprise software were identified as built or shipped with a compromised version of these packages. Red Hat's investigation into this matter is now complete.
References
- LiteLLM: https://github.com/advisories/GHSA-5mg7-485q-xm76
- Trivy: https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
- CVE-2026-33634 in the Red Hat Security Database: https://access.redhat.com/security/cve/cve-2026-33634
- Checkmarx: https://checkmarx.com/blog/checkmarx-security-update/
- Telnyx: https://osv.dev/vulnerability/PYSEC-2026-3
- Axios: https://github.com/axios/axios/issues/10604
- npm packages: https://socket.dev/blog/canisterworm-npm-publisher-compromise-deploys-backdoor-across-29-packages