TechReaderDaily.com

Supply-Chain Attacks Hit npm, PyPI, Docker Hub in April 2026 Wave

The April 2026 attack wave shows that trojanized password managers and AI-generated malware injected into open-source registries have rewritten the threat model for any organization running npm install.

[Illustration: the npm supply chain attack vector, shown as a package dependency graph with the compromised node highlighted]

On April 22, 2026, at approximately 14:30 UTC, an attacker with access to Bitwarden's GitHub Actions pipeline published version 2026.4.0 of the @bitwarden/cli package to the npm registry. The release looked routine. It was not. Ninety-three minutes later, Bitwarden's security team pulled the package after confirming it contained a credential-stealing payload designed to exfiltrate environment variables, SSH keys, and cloud service tokens from any CI/CD pipeline that installed it. The window was brief. The blast radius is still being calculated.

The Bitwarden CLI compromise was not an isolated incident. It landed in the middle of what researchers now describe as a coordinated three-registry assault. Between April 21 and April 23, according to reporting by Dan Goodin at Ars Technica, malicious packages appeared simultaneously on npm, PyPI, and Docker Hub, each targeting developer credentials and CI/CD secrets. The npm vector delivered the Bitwarden CLI backdoor. The PyPI vector pushed trojanized versions of common data-science libraries. The Docker Hub vector distributed base images with embedded reverse shells. Three registries, one operational tempo.

The attackers had done their reconnaissance. The Bitwarden compromise exploited a GitHub Actions workflow that lacked branch-protection rules, a configuration gap that allowed the attacker to push a malicious commit from a compromised personal access token. In a statement confirmed to BleepingComputer, Bitwarden said the malicious package was downloaded fewer than 200 times before removal. That number understates the risk. A single install inside a large enterprise CI/CD pipeline can expose secrets that cascade across dozens of internal services. Lawrence Abrams reported for BleepingComputer that the payload was designed to propagate: it searched local filesystems for other npm projects and injected itself into their package.json dependency lists.

The Bitwarden attack did not happen in a vacuum. Five weeks earlier, the same threat actor, subsequently identified by multiple incident-response firms as the LAPSUS$ group, had breached Checkmarx, the application-security testing vendor. The attackers exfiltrated private GitHub repositories, including source code, internal tooling, and customer deployment scripts. On April 28, Checkmarx confirmed that LAPSUS$ had leaked the stolen data onto the dark web. Bill Toulas, reporting for BleepingComputer, noted that the leaked material included Checkmarx's own npm publishing tokens, creating a direct path from one compromised security vendor to another compromised security tool.

The targeting of security firms is not accidental. A security vendor's software sits at the root of its customers' build pipelines. Compromise Checkmarx's npm credentials, and you can poison the static-analysis tools that thousands of enterprises run against their own code before deployment. The same logic applied to Bitwarden: a password manager's command-line client carries credentials that unlock everything else. This is what makes the April 2026 wave structurally different from earlier supply-chain attacks. The attackers selected targets based on the transitive trust they enjoyed, not their user counts.

"A compromised security vendor is not one victim. It is a skeleton key to every organization that trusted that vendor's signing keys."
Senior incident responder at a European DFIR firm, speaking on condition of anonymity

While the Checkmarx-LAPSUS$ chain was unfolding, a separate campaign with a different origin was hitting the Axios HTTP client library, one of the most-downloaded packages in the npm ecosystem with over 2 billion weekly downloads. In late March 2026, a maintainer of the Axios project was contacted through social-engineering channels by individuals posing as Microsoft support staff. The attackers claimed they were providing a fix for a Microsoft Teams authentication error and directed the maintainer to install a malicious package. Once installed, the package exfiltrated the maintainer's npm authentication token, which the attackers used to publish two trojanized versions of Axios: version 1.14.1 and version 0.30.4.

Google Cloud's threat intelligence team attributed the Axios operation to a North Korea-aligned group in a public analysis published on April 8, 2026. The group, which Google tracks as UNC4899, has been active since at least 2023 and targets cryptocurrency wallets, browser credential stores, and developer authentication tokens. The Axios maintainers published a detailed post-mortem confirming the social-engineering vector. The compromised versions remained available on npm for approximately 18 hours before being taken down. During that interval, the packages were downloaded an estimated 16,000 times. CoinTelegraph reported that security firm Socket had advised all Axios users to rotate keys and audit dependency trees.

The Worm in the Registry

The third component of the April wave involved a set of malicious npm packages that researchers at Socket described as exhibiting worm-like propagation behavior. Published under names that mimicked popular debugging and testing utilities, these packages, once installed, scanned the host filesystem for other Node.js projects and injected themselves into those projects' dependency declarations. They then exfiltrated credentials, browser-stored passwords, and cryptocurrency wallet files. Infosecurity Magazine, citing Socket's research, reported that the malware also modified the local .npmrc configuration to weaken package-integrity verification settings, a technique that made subsequent reinfections easier.
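A defensive check for the two local traces described above (an injected dependency declaration and a weakened .npmrc), as an added example that is not from the article or from Socket's research. The article does not name the .npmrc settings involved, so the keys checked here are an assumption, and the sample data and the package name in it are constructed.

```javascript
// Added example. The article does not say which .npmrc settings were changed;
// the keys below are real npm options chosen here as an assumption.
const RISKY_NPMRC = new Map([
  ["strict-ssl", "false"],   // turns off TLS certificate checks to the registry
  ["package-lock", "false"], // npm ignores the lockfile and its integrity hashes
]);
const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

// Flag weakened settings in .npmrc text ("key=value" lines, # or ; comments).
function auditNpmrc(text) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line[0] === "#" || line[0] === ";" || eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    const isRegistry = key === "registry" || key.endsWith(":registry");
    if (RISKY_NPMRC.get(key) === value) findings.push(`${key}=${value}`);
    else if (isRegistry && value !== DEFAULT_REGISTRY) findings.push(`${key}=${value}`);
  }
  return findings;
}

// Dependencies declared in package.json that the lockfile's root entry does not
// record with the same range were added or changed after the lock was written.
function driftFromLock(pkg, lock) {
  const root = (lock.packages && lock.packages[""]) || {};
  const drift = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const was = Object.hasOwn(locked, name) ? locked[name] : null;
      if (was !== range) drift.push({ field, name, range, locked: was });
    }
  }
  return drift;
}

// Constructed samples; "debug-helperz" is a made-up package name.
const SAMPLE_NPMRC = "; project config\nstrict-ssl=false\nregistry=https://registry.example.test/\nsave-exact=true\n";
const SAMPLE_PKG = { dependencies: { express: "^4.19.2", "debug-helperz": "^1.0.3" } };
const SAMPLE_ROOT_LOCK = { lockfileVersion: 3, packages: { "": { dependencies: { express: "^4.19.2" } } } };

console.log(auditNpmrc(SAMPLE_NPMRC), driftFromLock(SAMPLE_PKG, SAMPLE_ROOT_LOCK));
```

A non-default registry is often legitimate in organizations that run an internal mirror, so treat that finding as a prompt to compare against the expected value.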

Socket's analysis found that the worm packages shared infrastructure with the PyPI and Docker Hub campaigns from the same 72-hour window. The PyPI packages impersonated popular data-science libraries including pandas-profiling and scikit-learn-extra. The Docker Hub images posed as official base images for Node.js and Python runtimes, embedding a reverse shell that phoned home to command-and-control servers hosted behind Cloudflare's content-delivery network. The operational commonality, Socket noted, suggested a single group or a closely coordinated cluster rather than opportunistic copycats.

While the registry attacks were unfolding, a parallel threat was materializing through a different supply-chain conduit: the desktop-software distribution channel. On May 5, Kaspersky's Global Research and Analysis Team disclosed that the official website of Daemon Tools, a widely used virtual-drive emulation utility with millions of active installations, had been serving trojanized installers for approximately one month. The compromised installer downloaded and executed a backdoor that Kaspersky identified as a variant of the Machete malware family, a toolset previously linked to Spanish-speaking espionage groups.

Disc Soft Limited, the Belarus-based developer of Daemon Tools, confirmed the breach on May 6 and released a clean installer. The company said an attacker had gained access to the web server hosting the download portal and replaced legitimate binaries with signed-but-trojanized versions. The abuse of valid code-signing certificates meant that Windows systems did not flag the installer as suspicious. Dan Goodin's reporting for Ars Technica noted that the monthlong dwell time before discovery is consistent with a reconnaissance-first approach: the attacker likely spent the early weeks mapping which downstream organizations were installing the backdoored software.

The desktop supply chain and the registry supply chain share a root cause that is rarely discussed in vendor disclosures: the authentication model for software distribution remains broken at scale. npm, PyPI, and Docker Hub all support two-factor authentication, but enforcement is inconsistent. GitHub Actions tokens are often over-provisioned. Code-signing certificates, once compromised, are slow to revoke. And maintainer identity, particularly in open-source registries, is verified through email addresses that can be phished. The Axios incident demonstrated this precisely: an email-based social-engineering attack against one maintainer compromised a package used by millions.

AI Enters the Supply-Chain Attack Chain

The most unsettling development in the first half of 2026 involves the use of large language models to accelerate supply-chain attacks. On April 30, The Hacker News reported that a DPRK-aligned group had used Claude Opus to generate malicious npm dependency code that was committed to a compromised open-source repository in February 2026. The AI-generated code included functionality for cryptocurrency wallet exfiltration and persistent remote-access trojan deployment. The operators did not need to write the malware themselves; they needed only to describe the desired behavior and integrate the output into a plausible-looking package update.

Andy Greenberg and Matt Burgess, reporting for Wired in April, documented how a separate North Korean group used AI tools for what Greenberg described as "vibe coding" their malware, generating entire malicious packages, fake recruiter personas, and even counterfeit company websites to build credibility with targets. The group stole as much as $12 million in three months. Wired's reporting, based on blockchain-intelligence data from TRM Labs, found that the AI-assisted operations were executed by hackers with relatively low technical skill who leveraged language models to bridge their competence gaps. The Wired investigation confirmed that the same group had used AI-generated npm packages to target developers working on cryptocurrency platforms.

The systemic version of this failure is not that one registry got breached or one desktop app got backdoored. It is that the software supply chain has no mandatory integrity layer that operates independently of the registry, the publisher, or the maintainer. Sigstore and the SLSA framework provide optional attestation, but adoption remains low among the npm packages that make up the median web application's dependency tree. The April 2026 attacks succeeded not because the attackers were unusually skilled but because the gaps they exploited have been documented and unaddressed for years. A compromised GitHub token should not be sufficient to publish a package to a public registry. A phished maintainer should not be able to push a release without a second human review. These are not technical constraints. They are governance failures.

The disclosure timeline for the April wave reveals a counterintuitive pattern: Bitwarden disclosed within hours of detection, Checkmarx took more than a month, and Axios disclosed after the Google Cloud attribution forced the issue. The Daemon Tools compromise was discovered by an external security vendor, not by Disc Soft's own monitoring. This asymmetry, in which attackers move faster than defenders and some victims disclose only when they must, creates what incident responders call a shadow risk: organizations that installed compromised packages during the window of non-disclosure have no way of knowing they were exposed unless they audit their build logs retroactively. Most do not.

What to watch for next: the three-registry coordination seen in April suggests an operational model that will be replicated. If an attacker can compromise one maintainer's credentials and use them to publish across npm, PyPI, and Docker Hub simultaneously, the blast radius multiplies. Registry operators are discussing cross-registry credential-blocking protocols, but no standard exists yet. The question for the rest of 2026 is not whether supply-chain attacks will continue but whether the cost of ignoring mandatory integrity attestation has finally exceeded the cost of implementing it. On current evidence, we are not there yet.
