This post is a work in progress; more updates will be added in time (both for new and historical incidents).
2026
April 2026 - WordPress plugin ecosystem compromise
The WordPress ecosystem was hit by a major supply chain incident after more than 30 popular plugins from the EssentialPlugin portfolio were reportedly acquired by a new owner and later backdoored. Researchers said the malicious code remained dormant for months before activating, allowing attackers to push spam content, redirects and potentially further compromise affected websites through trusted plugin update channels. The incident highlights how third-party plugins and vendor-controlled update systems can become high-impact attack vectors for organisations relying on third-party software.
March 2026 - Axios npm package compromise
Popular JavaScript HTTP client library Axios was compromised when attackers gained access to the npm registry account of a maintainer. The attackers published a malicious version of Axios that included a backdoor, allowing them to execute arbitrary code on systems that installed the compromised package.
- Inside the Axios supply chain compromise - One RAT to rule them all published by Elastic Security Labs.
- North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack published by Google Cloud Threat Intelligence.
- The Axios supply chain incident through a risk lens published by me.
March 2026 - LiteLLM PyPI package compromise
Widely used open-source Python package LiteLLM suffered a software supply chain attack after malicious versions were uploaded to PyPI using compromised maintainer credentials. Security researchers reported the poisoned releases contained malware designed to automatically steal API keys, cloud credentials, SSH keys and Kubernetes secrets, with some variants also establishing persistence on affected systems. Because LiteLLM is commonly used as a gateway for multiple AI providers, the incident created heightened risk for organisations storing numerous sensitive credentials in one service. The malicious packages were removed and users were urged to downgrade, rotate secrets and investigate potentially affected environments.
- Security Update: Suspected Supply Chain Incident published by LiteLLM.
2025
September 2025 - Discord 3rd party customer support vendor compromise
While not necessarily a software supply chain attack, Discord disclosed a security incident involving a third-party customer service provider used to support its Trust & Safety operations. Attackers reportedly gained unauthorised access to support system data, exposing a limited number of users’ names, usernames, email addresses, IP addresses, support conversations, partial billing information and ~70,000 government ID images used for age-verification appeals. Discord stated its core platform systems, passwords, and private user messages were not breached. In response, Discord revoked the vendor’s access and launched an investigation.
August 2025 - Salesloft Drift credential compromise and downstream Salesforce data theft
Salesloft disclosed a major third-party supply chain incident involving its Drift chatbot integration for Salesforce. Attackers reportedly stole OAuth credentials tied to the Drift-Salesforce connection, allowing unauthorised access to Salesforce environments across hundreds of organisations. Victims publicly linked to the campaign included Cloudflare, Zscaler, PagerDuty and Palo Alto Networks. Exposed data reportedly included customer contact details, sales records, support case content and in some cases sensitive tokens or credentials shared in support workflows. The incident highlighted how SaaS integrations with broad permissions can create high-impact downstream risk even when the affected organisations’ own core infrastructure remains uncompromised.