A cluster of software supply chain attacks and incidents within a 10-day period — including attacks on Trivy, Axios, KICS, LiteLLM, and Anthropic's accidental leak of 500,000+ lines of Claude Code source code — highlights systemic weaknesses in the open source ecosystem. The incidents stem from misconfigured GitHub Actions, compromised maintainer accounts, and poor credential hygiene rather than zero-day exploits. Security researchers warn that CI/CD pipelines are prime attack surfaces, that the blast radius of a popular package compromise is enormous (Axios has 70,000+ direct dependents), and that AI coding agents amplify risk by operating with broad access to developer workstations. Recommendations include treating the software supply chain as critical infrastructure, implementing strong secret management, validating dependencies early, and adopting a risk-based patching strategy rather than a reflexive patch-everything one.

6m read time. From darkreading.com