Supply Chain Attacks in 2026: The Year Typosquatting Got Serious
On March 31, a maintainer account got popped and axios@1.14.1 shipped to npm with a trojanized dependency called plain-crypto-js. Axios does 100 million downloads a week. The malicious versions lived on the registry for about three hours.
Three hours is enough.
If you had "axios": "^1.14.0" in a package.json and ran npm install during that window, you pulled a remote access trojan. If you had a pinned lockfile and npm ci --ignore-scripts in your pipeline, nothing happened to you. One line of CI config separated the victims from the bystanders.
Welcome to typosquatting in 2026. It is not what it was two years ago.
What Actually Changed
The 2023 version of typosquatting was lazy. Someone published reqeusts or colour on PyPI, waited for fat fingers, and collected a few dozen installs. Cute. Mostly harmless to anyone with a linter.
The 2026 version has three new properties, and all three showed up in the wild this quarter.
It is automated at scale. FortiGuard's Q2 2025 scanners processed 1.4 million npm packages and 400,000 PyPI packages in a single quarter. Over 1,000 came back analyst-confirmed malicious. Xygeni logged 230-plus confirmed malicious packages in February 2026 alone. Single operators deploy hundreds of obfuscated packages per hour, each from a fresh account to dodge rate limits.
It is worm-capable. In February, researchers documented SANDWORM_MODE: 19 typosquatted npm packages impersonating Claude Code, supports-color, and crypto utilities. First known self-propagating supply chain worm. It scans the infected machine for git repos and credentials, then publishes copies of itself from the victim's own npm account. It also installs persistent malicious git hooks so your next commit is compromised.
It is a hybrid play. The axios attack was not a typosquat in the classic sense. Attackers pre-staged the plain-crypto-js typosquat 18 hours early. Then they took over the maintainer account and pushed a legit-looking patch version that depended on it. Pre-staging defeats the "new package, be suspicious" heuristic, at least any version of it that only looks back a few hours. Account takeover defeats the "look at the author" heuristic. Both together defeat almost every automated guardrail shipping in 2026.
The TeamPCP campaign that ran March 19-27 hit Trivy, KICS, LiteLLM, and Telnyx in rapid succession. Security tooling compromising security tooling. Elastic Security Labs thinks it was the rehearsal for axios.
The AI Assistant Problem Nobody Wants to Talk About
Here is the contrarian take.
Every vendor pitch right now says AI coding assistants help you catch supply chain issues. They will flag a suspicious install. They will notice the typo.
They are also the attack surface.
SANDWORM_MODE did not just infect the machine. It injected malicious Model Context Protocol servers into Claude Code, Cursor, VS Code Continue, and Windsurf configs. Your AI assistant, the thing you trust to read your code and your env files, became the exfiltration agent. It had legitimate access to everything you had access to.
And the autocomplete direction has its own problem. When an LLM confidently suggests import CryptoJS from 'plain-crypto-js', most developers accept it. A hallucinated name at prompt time turns into a supply chain compromise at install time. This is not hypothetical. Socket's 2025 mid-year report documented several of these.
The "AI helps you catch typos" narrative is half true. The other half is that AI confidently invents package names that attackers pre-register.
The Fix Exists. Almost Nobody Runs It.
Here is the part the vendor blogs bury at the end.
Every legitimate axios 1.x release on npm uses OIDC Trusted Publishers. That means npm has a cryptographic binding between the package version and the GitHub Actions workflow that built it. The malicious 1.14.1 had no OIDC binding, no gitHead field, no corresponding GitHub tag.
The signal was there. The tooling to check it in CI does not ship by default.
You can verify it yourself with the npm CLI:
# Check for a provenance attestation on a specific version
npm view axios@1.14.0 --json | jq '.dist.attestations'
# The commit the version claims to have been built from (absent on the malicious 1.14.1)
npm view axios@1.14.0 gitHead
# Verify registry signatures and attestations for everything in the lockfile
npm audit signatures
npm audit signatures verifies the registry signature of every package in your lockfile and, for packages published with provenance, the attestation that binds the tarball to the workflow that built it. Anything that fails to verify fails the command. Run it in CI. It takes seconds. One caveat: the registry signs every tarball it accepts, including one pushed with a stolen token, so a valid registry signature on its own says nothing about who built it. The axios signal is the attestation that is missing while the rest of the release line has one, so gate on provenance for the packages where you expect it, not only on the signature check passing.
The Three Controls That Blocked Everything
I looked at every 2026 npm and PyPI supply chain incident with public technical writeups. Axios, SANDWORM_MODE, TeamPCP, the Phylum 500-package PyPI wave, the chimera-sandbox-extensions targeted attack, the Bittensor wallet typosquats. Three controls blocked all of them. No product required. No vendor call.
1. Pinned lockfiles, committed
Not package.json. The lockfile. package-lock.json or pnpm-lock.yaml or yarn.lock. Pinned in git. Reviewed on PR.
If axios@1.14.1 never enters your lockfile, you never install it. The semver range is the attacker's payload delivery mechanism.
// package.json -- this alone is NOT enough
{
"dependencies": {
"axios": "^1.14.0"
}
}
# Commit the lockfile and use ci, not install
npm ci --ignore-scripts
npm ci refuses to run if package.json and the lockfile disagree. That is the point. Dependabot or Renovate updates the lockfile in a reviewable PR, not at 3 AM on your build box.
2. Kill install scripts in CI
This is the one-liner.
npm ci --ignore-scripts
pnpm install --ignore-scripts
yarn install --ignore-scripts
Or for Python:
pip install --require-hashes --only-binary=:all: -r requirements.txt
# Wheels carry no install-time code; sdists do (setup.py runs at build time), so refuse sdists
# uv: --locked fails if uv.lock is out of date with pyproject.toml, --frozen installs the lockfile as-is
uv sync --locked
Most supply chain malware fires during the postinstall hook. --ignore-scripts turns the install into a file copy. The RAT never executes. Add a separate script-allowlist stage if you genuinely need build hooks (native addons, for instance), and scope it to packages you trust. The caveat: this only stops code that runs at install time. A trojan planted in a library's runtime code still runs the moment your application imports it, which is why lockfile pinning and signature checks sit in front of this control rather than behind it.
3. Token rotation and scoped credentials
The axios maintainer got popped because a credential lived too long. npm now supports granular access tokens and OIDC Trusted Publishers. Use them. Publish from CI, not from a laptop. Rotate anything long-lived on a schedule.
For your own packages:
# npm token create makes a classic token; the CLI can make it read-only and restrict it to a CIDR,
# but it cannot scope it to one package or give it an expiry
npm token create --read-only --cidr=10.0.0.0/8
# Package-scoped tokens with an expiry are granular access tokens, created in the npm web UI
# (Access Tokens > Generate New Token > Granular Access Token). List and revoke what you already have:
npm token list
npm token revoke <id>
If you are still using classic tokens with full publish rights and no expiration, you are one phishing email away from being the next case study. Better still, publish only from CI through a Trusted Publisher and keep no long-lived publish token at all.
Where Vekt Fits
Vekt, our supply chain scanner, reads 22 lockfile formats across 12 ecosystems and checks every package against OSV.dev for CVEs and MAL-* malicious package advisories. The first time I ran it against the Kief Studio codebase it surfaced 221 lockfiles and 69,419 packages across 6 ecosystems.
vekt scan .
Running a scanner does not replace the three controls above. Lockfile pinning, --ignore-scripts, and token hygiene are the prevention. Scanning is the detection layer. It catches the version your pin locked in because it was already on the registry when you last updated and only got flagged as malicious afterwards.
The pattern that works is scan on every PR, scan on every deploy, and scan your base images on a cron. Vekt's free tier is 50 scans a day. That is enough for a small team to cover PR and deploy without thinking about it.
What To Do This Week
No fear. Just a checklist.
- Commit your lockfiles. All of them. package-lock.json, pnpm-lock.yaml, yarn.lock, uv.lock, poetry.lock, Gemfile.lock, Cargo.lock, go.sum. Whichever your stack uses.
- Find every npm install, pnpm install, yarn install in your CI config. Change them to npm ci --ignore-scripts or the equivalent.
- Audit any long-lived npm or PyPI publish tokens. Migrate to OIDC Trusted Publishers if your CI supports it. GitHub Actions does.
- Add npm audit signatures or the Vekt CLI to your pipeline as a gate, not a warning.
- Check your AI assistant's MCP config. Anything you did not explicitly add, remove.
Three hours on a Tuesday afternoon. That is the cost of not being the next incident writeup.
The attackers are not getting more sophisticated because they have to. They are getting more sophisticated because it is cheap to automate, and most teams are still running npm install straight from main. Close the easy gaps. They will move on to someone who did not.
meta_title: "Supply Chain Attacks 2026: Typosquatting Got Serious"
meta_description: "Axios, SANDWORM_MODE, TeamPCP. Three controls blocked every 2026 npm supply chain attack. Here's the checklist."
tags: ["supply-chain-security", "npm", "typosquatting", "devsecops", "vekt"]