Recent attacks on the software supply chain—from the axios compromise by North Korea's Lazarus Group to the TeamPCP worm infecting trusted security tools—demonstrate a relentless, ecosystem-wide campaign. Attackers steal credentials, poison trusted packages, and steal more credentials in a self-reinforcing cycle. The common failure point? Implicit trust. Here we answer key questions to help your team shift from assuming trust to explicitly verifying every component in your pipeline.
What is driving the surge in supply-chain attacks?
The epidemic stems from attackers exploiting a fundamental vulnerability: implicit trust. Over the past year, incidents like the axios compromise (83 million weekly downloads, embedded with platform-specific RATs for three hours) and the TeamPCP campaign (weaponizing Aqua Security's Trivy scanner into a self-propagating worm that hit 141 npm packages) show a consistent pattern. Attackers steal developer credentials, inject malicious code into trusted packages, and use those compromised packages to steal more credentials. This self-reinforcing loop is accelerating, now backed by ransomware monetization. The root cause isn't a single flaw but the assumption that a familiar container tag, a GitHub Action version number, or a CI/CD secret authored by a team member is safe. Every incident happened because trust was assumed where verification was needed.
What does 'implicit trust' really mean in practice?
Implicit trust is the default posture of trusting something until a reason to doubt appears. In real-world attacks, it manifests as teams pulling container images by mutable tags (e.g., :latest), executing GitHub Actions without checking their supply-chain integrity, or using long-lived credentials stored in CI/CD secrets. Attackers hijack maintainer accounts (as with axios), inject malicious code into popular packages, and those packages then steal credentials from every environment they touch. The gaps are small: a familiar image name, a version number that looks legitimate, a workflow authored by a colleague. But these gaps are precisely what attackers exploit. Organizations that weathered these incidents with minimal damage had already replaced implicit trust with explicit verification: they verified base images, pinned references, used scoped short-lived credentials, and ran sandboxed execution environments.
How can organizations shift from trust to verification?
The shift requires a change in default posture: from 'trust unless there's a reason not to' to 'verify before you trust, and limit the blast radius when verification fails.' No single tool solves it—it's a layered approach. Start by verifying the base images you build on. Use images like Docker Hardened Images (DHI), which are rebuilt from source with SLSA Build Level 3 attestations, signed SBOMs, and VEX metadata. Next, enforce immutable references: pin packages to specific hashes or version tags from verified sources. For credentials, replace long-lived tokens with short-lived, scoped tokens. Finally, sandbox your CI/CD runners—use isolated environments with least privilege so a compromise cannot spread across the entire pipeline. These aren't new ideas, but they require consistent enforcement. The key is making verification automatic, not an afterthought.
Why are verified base images essential for security?
Verified base images prevent the 'poisoned well' problem. If you build on a compromised base image, everything you build is compromised. Attackers target popular base images because they propagate trust downstream—like in the TeamPCP campaign, which used a worm to cascade from Trivy into Checkmarx KICS, LiteLLM, and 141 npm packages. By using images that are rebuilt from source with verifiable build attestations (e.g., SLSA Level 3), you gain cryptographic proof that the image hasn't been tampered with. Docker Hardened Images is one such free, open-source option. These images also include signed SBOMs and VEX metadata, so you know exactly what's inside and can quickly assess vulnerability impact. For any organization, starting with verified base images is the single most impactful step to eliminate a large class of supply-chain attacks.
What is the proper way to handle CI/CD credentials?
Credentials are the attacker's gold. The axios compromise and similar attacks succeeded because long-lived credentials—tokens, API keys, passwords—were stored as secrets in CI/CD systems. Once stolen, attackers used them to push malicious versions of trusted packages. The proper approach is to use short-lived, scoped credentials. For example, use OAuth tokens that expire in minutes rather than months, or workload identity federation that issues tokens for each build. Additionally, limit credentials to the narrowest scope needed: a token that can only push to one repository, not your entire registry. Rotate secrets frequently and audit their use. Combine this with sandboxed CI runners that cannot access the host system or other pipelines. This way, even if credentials are compromised, the blast radius is contained and the window of opportunity is minimal.
How should teams sandbox their CI/CD environments?
Sandboxing CI/CD environments ensures that a compromise in one pipeline does not cascade into others. Attackers in the TeamPCP campaign used a worm that self-propagated across multiple repositories and tools precisely because environments were not isolated. Sandboxing starts with running CI jobs in containers with least-privilege permissions—no root access, no host network access, and no persistent storage. Use ephemeral runners that are destroyed after each job. Limit which packages can be installed and where they come from (e.g., use a private registry for verified dependencies). Also, separate build environments from production: a build server should not have access to production secrets. Finally, implement network sandboxing so that even if a malicious package executes, it cannot communicate with command-and-control servers. These measures make it exponentially harder for attackers to move laterally.