The Update You Trusted Just Installed Malware — Inside the Rise of Software Supply Chain Attacks
This week, attackers poisoned Axios — one of the most downloaded software packages on the internet. No phishing. No hacking. Just a routine update. Here's how it works and what your business needs to know.
At some point today, someone on your team installed a software update. Maybe it was a browser extension. Maybe a plugin. Maybe a development tool. Whatever it was, they didn't think twice about it — because why would they? It came from a trusted source. It had the right name. It looked exactly like every other update they'd ever installed.
That trust is exactly what attackers are now weaponizing.
This week, the Axios HTTP client — one of the most widely used JavaScript packages in the world, with hundreds of millions of downloads — was hit by a supply chain attack. Hackers compromised a publishing account and pushed two malicious versions of the package to npm, the software repository used by developers globally. Hidden inside those versions was credential-stealing malware, designed to run silently the moment the package was imported into any project.
What is a software supply chain attack?
To understand why this is so dangerous, you need to understand how modern software is built. Almost no application today is written entirely from scratch. Developers rely on thousands of pre-built, open-source packages — libraries of code that handle common tasks like making web requests, formatting data, or handling authentication.
These packages are shared publicly on repositories like npm or PyPI, and developers install them with a single command. A typical business application might depend on hundreds of these packages — and each of those packages might depend on dozens more. It's a chain of trust, stretching from the original author all the way to your business's software.
A supply chain attack targets that chain. Instead of trying to hack your business directly, attackers compromise a package that you already trust — poisoning the well before the water ever reaches you.
How the Axios attack worked
Attackers gained access to the Axios npm publishing account and released versions 4.87.1 and 4.87.2 containing malicious code hidden inside a .WAV audio file using steganography. When any developer installed the update, the malware silently harvested credentials across Windows, Linux, and macOS systems.
How a supply chain attack unfolds
- Attacker gains access: A developer's publishing credentials are stolen through phishing or a previous breach — giving attackers control of a trusted package.
- Malware is hidden: Malicious code is embedded inside a legitimate update, often disguised or obfuscated so automated security scans miss it entirely.
- Update is published: The poisoned package is pushed to a public repository. Thousands of developers and businesses automatically pull the update within hours.
- Silent execution: The malware runs the moment the package is used — harvesting credentials, opening backdoors, or exfiltrating data without a single visible warning.
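The "update is published" step is where a cooldown helps: if nothing in the dependency chain is installed until it has been public for a day or two, a poisoned release is more likely to have been flagged first. The following is an added example, not code from the original post or from the Axios project; it walks a constructed npm lockfile (direct and transitive packages) and flags any resolved version younger than 48 hours, the upper end of the 24–48 hour wait recommended in the steps below. The package names other than axios and every publish date are constructed for the example.

```javascript
// Added example, not from the original post or the Axios project. Walks an npm
// lockfile's dependency chain and flags versions younger than a cooldown window.
// The lockfile, package names other than axios and all publish dates are constructed.
const COOLDOWN_HOURS = 48; // upper end of the post's 24-48 hour advice

// Constructed "packages" map in npm lockfile v2/v3 shape: "" is the root project,
// every other key is an install path, so transitive dependencies appear too.
const lockfile = {
  packages: {
    "": { dependencies: { axios: "^4.87.0", "example-logger": "^2.0.0" } },
    "node_modules/axios": { version: "4.87.2", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/example-logger": { version: "2.1.0" },
  },
};

// Constructed publish timestamps in the shape `npm view <pkg> time --json` returns
// (made up for the example, not real npm data).
const publishTimes = {
  axios: { "4.87.0": "2026-03-20T10:00:00Z", "4.87.2": "2026-03-30T22:00:00Z" },
  "follow-redirects": { "1.15.6": "2024-03-14T00:00:00Z" },
  "example-logger": { "2.1.0": "2025-11-01T00:00:00Z" },
};

// Every package in the chain, direct and transitive, with the version actually resolved.
function resolvedPackages(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    out[path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length)] = entry.version;
  }
  return out;
}

// Flag versions published less than `cooldownHours` before `now` (too fresh for the
// community to have spotted a poisoned release) or with no publish record at all.
function freshVersions(lock, times, now, cooldownHours = COOLDOWN_HOURS) {
  const flagged = [];
  for (const [name, version] of Object.entries(resolvedPackages(lock))) {
    const published = (times[name] || {})[version];
    if (!published) { flagged.push({ name, version, reason: "no publish record" }); continue; }
    const ageHours = (now.getTime() - Date.parse(published)) / 3600000;
    if (ageHours < cooldownHours) {
      flagged.push({ name, version, reason: `published ${ageHours.toFixed(1)}h ago` });
    }
  }
  return flagged;
}
// Usage: an install one day after the constructed axios 4.87.2 publish time.
console.log(freshVersions(lockfile, publishTimes, new Date("2026-03-31T22:00:00Z")));
```

In a real pipeline the two constructed inputs would come from the project's own package-lock.json and from the registry's publish metadata; a flagged entry should block the install until someone has looked at the release.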
This isn't rare — it's accelerating
The Axios attack didn't happen in isolation. The same week, the Telnyx Python package was compromised in an identical way — malicious code hidden inside a WAV file, credential-harvesting malware delivered to anyone who installed the update. The same threat actor group, TeamPCP, was behind both attacks.
And these aren't the only recent examples. The GitGuardian State of Secrets Sprawl 2026 report, released this week, found 29 million new hardcoded secrets exposed on GitHub in 2025 alone — a 34% increase year over year and the largest single-year jump ever recorded. Credentials, API keys, passwords — left sitting in code repositories, waiting to be harvested.
"Secrets sprawl isn't slowing down. In 2025, it accelerated faster than most security teams anticipated." — GitGuardian State of Secrets Sprawl 2026
The pattern is clear: attackers have figured out that going after the software supply chain is far more efficient than targeting individual businesses. One compromised package can deliver malware to thousands of organizations simultaneously — including yours.
What this means for Canadian businesses
You might be thinking: "We're not developers. We don't install npm packages." And you'd be right — but it doesn't protect you. Every piece of software your business uses was built by developers who did. Every cloud application, every SaaS tool, every website plugin is built on layers of open-source dependencies. If any link in that chain is compromised, the impact flows downstream — all the way to your data.
The businesses most at risk right now are those running software that hasn't been updated recently, those using open-source tools without any visibility into their dependencies, and those without monitoring in place to detect unusual credential activity when malware does slip through.
5 steps to protect your business right now
- Know what software your business is running: You can't protect what you can't see. Maintain a current inventory of every application, plugin, and tool your team uses — including browser extensions. Unknown software is unprotected software.
- Keep everything updated — but verify first: Updates are essential, but so is knowing what's in them. For critical business tools, wait 24–48 hours after a new version drops before installing — give the security community time to flag anything suspicious.
- Enable endpoint detection and response (EDR): Modern EDR tools can detect unusual behaviour — like a background process suddenly attempting to access credentials or make outbound connections — even when the malware came in through a trusted channel.
- Use a secrets management solution: If your developers or IT team store credentials, API keys, or passwords in code or shared documents, that's an immediate risk. A dedicated secrets management tool ensures credentials are stored securely and rotated automatically.
- Monitor for credential misuse: Even if malware slips through, early detection limits the damage. Set up alerts for unusual login activity, especially from new devices, locations, or outside business hours. Catching it in hour one is very different from catching it in month three.
- Work with an IT partner who monitors your environment 24/7: Supply chain attacks are designed to be invisible to the untrained eye. Having a managed IT partner with continuous monitoring means threats are flagged and contained before they become headlines.
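The credential-misuse rule in the steps above can be stated precisely and run over an identity provider's sign-in export. This is an added example, not code from the original post: it flags sign-ins from a device or country not previously seen for that user, or outside an assumed 08:00–18:00 business day, judged in the local offset the log records. The sign-in events are constructed.

```javascript
// Added example, not from the original post. Flags sign-ins that match the post's
// "unusual login activity" indicators: a device or location not previously seen for
// that user, or a sign-in outside business hours. All events below are constructed.
const BUSINESS_HOURS = { start: 8, end: 18 }; // assumed 08:00-18:00 in the log's local time

// Constructed sign-in events, in the shape an identity provider's audit export might use.
// Timestamps carry the user's local offset so business hours are judged locally.
const events = [
  { user: "alice", device: "LAPTOP-01", country: "CA", time: "2026-03-30T14:05:00-04:00" },
  { user: "alice", device: "LAPTOP-01", country: "CA", time: "2026-03-30T16:40:00-04:00" },
  { user: "alice", device: "LAPTOP-01", country: "CA", time: "2026-03-31T02:12:00-04:00" },
  { user: "alice", device: "unknown-vm", country: "NL", time: "2026-03-31T11:30:00-04:00" },
  { user: "bob", device: "DESKTOP-07", country: "CA", time: "2026-03-31T09:00:00-04:00" },
];

// Hour of day as written in the timestamp (its own offset), not converted to server time.
function localHour(isoWithOffset) {
  return Number(isoWithOffset.slice(11, 13));
}

// Walk events in order; each one is judged against the user's history up to that point,
// so the first sign-in seeds the baseline instead of raising a "new device" alert.
// A flagged device is still added to the baseline here; a production rule would hold
// it out until the sign-in has been confirmed as legitimate.
function flagLogins(log, hours = BUSINESS_HOURS) {
  const seen = {}; // user -> { devices, countries }
  const alerts = [];
  for (const e of log) {
    const s = seen[e.user] || (seen[e.user] = { devices: new Set(), countries: new Set() });
    const reasons = [];
    if (s.devices.size > 0 && !s.devices.has(e.device)) reasons.push("new device");
    if (s.countries.size > 0 && !s.countries.has(e.country)) reasons.push("new location");
    const h = localHour(e.time);
    if (h < hours.start || h >= hours.end) reasons.push("outside business hours");
    if (reasons.length > 0) alerts.push({ user: e.user, time: e.time, reasons });
    s.devices.add(e.device);
    s.countries.add(e.country);
  }
  return alerts;
}

console.log(flagLogins(events));
```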
The bottom line
The Axios attack is a reminder that in 2026, the perimeter of your business extends far beyond your office walls or your network firewall. It stretches into every software package, every update, every tool your team touches. Attackers know this — and they're exploiting it aggressively.
The good news is that awareness is the first line of defence. Businesses that understand the threat, maintain visibility into their software environment, and have the right monitoring in place are far better positioned to catch attacks before they cause real damage.
At 247Techify, we help Ontario businesses stay ahead of exactly these kinds of threats — the ones that don't announce themselves, don't set off alarms, and arrive wrapped in a routine software update. Don't wait to find out the hard way that your supply chain was the weakest link.