Mythos and the AI Vulnerability Storm: Exploring the Control Point

Mitchell Johnson — Thu, 16 Apr 2026 17:15:03 GMT

The Inflection Point Is Here

With Mythos, Anthropic showed that AI can find vulnerabilities in minutes that once took skilled technologists months to find. This shift is a coming storm for developers. While no one knows the exact implications, how do you handle security remediation when vulnerability volume increases 2x, 5x, or even 10x — and issues are identified faster and with greater sophistication?

When AI Writes Code, Who Governs the Dependencies?

Tom Tapley — Thu, 16 Apr 2026 12:00:04 GMT

The Department of War's Call for Solutions on AI-enabled coding capabilities (CDAO_26-01) arrives at exactly the right moment. Today's AI coding assistants have moved beyond experiments in productivity to becoming the basis for how modern software is built. The DoW is right to close the gap with the commercial sector, and the Call for Solution's emphasis on security, data handling, and IL5 compliance reflects a clear-eyed understanding of what defense-grade deployment requires.

Why Software Supply Chain Security Requires a New Playbook

alinskens@sonatype.com (Aaron Linskens) — Wed, 15 Apr 2026 13:00:06 GMT

Software is being built faster than ever, but application security has not kept up.

Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust

research@sonatype.com (Sonatype Security Research Team) — Tue, 14 Apr 2026 10:00:00 GMT

TL;DR

Sonatype identified 21,764 open source malware packages in Q1 2026, bringing the total logged since 2017 to 1,346,867.
npm accounted for 75% of malicious packages this quarter. Trojans dominated, with most activity focused on credential theft, host reconnaissance, and staged payload delivery.
The quarter's defining pattern was trust abuse: attackers succeeded by hiding behind trusted packages, trusted release paths, and trusted workflows.
Three incidents stood out: SANDWORM_MODE, the LiteLLM compromise, and the axios compromise.

By the Numbers: What We Saw

In the first three months of 2026, Sonatype identified 21,764 open source malware packages across ecosystems, bringing the total number logged since 2017 to 1,346,867. Q1 activity was heavily concentrated in npm and focused on credential theft, host information exfiltration, and staged follow-on compromise.

The quarter was also defined by trojan-style malware, which outpaced brandjacking and hijacking as the dominant payload type. While access paths varied — typosquatting, maintainer compromise, and abuse of legitimate release channels — the pattern was consistent: attackers kept finding ways to push malware through software that looked legitimate enough to trust by default.

Three incidents illustrate that pattern especially clearly:

SANDWORM_MODE, which pointed to more adaptive and worm-like malware behavior.
The Trivy/litellm-linked campaign, which showed how release paths and high-value AI and security tooling can become the attack surface.
The axios compromise, which demonstrated how a small dependency change inside a highly trusted package can create outsized downstream risk.

Beyond the Numbers: Trust Abuse Was the Defining Pattern

Q1 saw one new malicious package every six minutes, and npm accounted for 75%, reinforcing that attackers still see JavaScript ecosystems as the fastest path to developers and build systems at scale. The prevalence of trojans far showed attackers did not need especially novel tactics to succeed. In many cases, the playbook was simple: publish something plausible, get it installed, and execute inside a trusted workflow.

The most common behaviors — credential theft, host information exfiltration, and droppers for follow-on compromise — point to the same conclusion. These campaigns were designed for access, persistence, and reuse inside developer and CI/CD environments.

The core risk in Q1 was not just malicious code entering the ecosystem. It was malicious code entering through trusted names, trusted workflows, and trusted environments.

SANDWORM_MODE: Supply Chain Malware Got More Worm-Like

SANDWORM_MODE was one of Q1's clearest signs that open source malware is becoming more adaptive and automated.

The campaign used typosquatted npm packages to harvest sensitive data from developer machines and CI environments. Sonatype observed theft of npm and GitHub tokens, environment variables, cryptographic keys, and API credentials, along with code aimed at spreading into additional repositories and workflows.

Researchers also found code designed to interact with a local Ollama instance, suggesting early experimentation with malware that could modify itself inside compromised environments.

What made SANDWORM_MODE important was not just that it spread. It showed attackers building malware to take advantage of the automation and trust built into modern software delivery.

Trivy Hijack: Trusted Release Paths Became the Attack Surface

The Trivy incident stood out because it was not just a compromised package story. It was a supply chain attack that linked trusted security tooling to malicious code insertion in another widely used project.

In March 2026, a compromised version of the Trivy security scanner was used to help facilitate the insertion of malicious code into the LiteLLM library. That made the attack especially significant: the issue was not simply a fake package or a one-off malicious upload, but the abuse of a trusted tool inside the software delivery chain.

The related LiteLLM compromise involved malicious PyPI versions 1.82.7 and 1.82.8, which contained an obfuscated credential stealer and dropper. The malware targeted API keys, environment variables, SSH keys, Git credentials, cloud secrets, Kubernetes tokens, Terraform and Helm artifacts, and CI/CD configuration, then established persistence through sysmon.py.

What made this incident so important in Q1 was the attack path itself. Once attackers can compromise a trusted tool or release workflow, they no longer need to rely on obvious deception. They can use legitimate software and trusted delivery paths to move malicious code downstream.

Axios Compromise: Small Change, Large Blast Radius

The axios compromise showed how little an attacker needs to change to create downstream risk. Attackers hijacked an npm publishing account and released axios@1.14.1 and axios@0.30.4 with a hidden dependency on plain-crypto-js@4.2.1. That package acted as an obfuscated loader, using npm's postinstall hook to fetch and run a secondary payload.

Researchers found OS-specific launcher behavior for MacOS, Windows, and Linux, consistent with delivery of a remote access trojan. The attack also used cleanup and metadata tricks to make analysis harder.

The lesson was straightforward: attackers did not need to rewrite a popular library. They only needed to insert a malicious transitive dependency into a package developers already trusted.

What Development Teams Should Take Away

Screen components before use. New packages and updates should be evaluated before they reach developer machines or CI pipelines.
Inspect transitive dependencies. The axios incident showed how malware can arrive through a hidden child package, not just the top-level dependency.
Treat dev and CI environments as high-value targets. Q1 malware repeatedly targeted tokens, cloud credentials, SSH material, and pipeline secrets.
Assume credential exposure after execution. In incidents like LiteLLM or axios, package removal is not enough. Rotate secrets and review affected environments.
Watch release paths, not just package names. Maintainer accounts, publishing workflows, and release automation are part of the attack surface.
Do not rely on reputation alone. Familiar names and popular packages are no longer strong trust signals by themselves.

Looking Ahead

Q1 reinforced a consistent reality: the most effective attacks did not rely on obviously malicious packages. They relied on appearing trustworthy by hiding inside familiar names, legitimate workflows, and routine dependency updates.

Prevention is less about reacting after-the-fact and more about making better decisions before code is ever used.

In practice, that means having access to reliable, real-time intelligence about open source packages that highlights unusual behavior, known risks, or patterns that do not align with normal development activity.

Tools like Sonatype Guide are designed to surface that kind of context directly to developers, making it easier to evaluate dependencies and avoid high-risk components before they enter the build.

As Q1 showed, attackers consistently took advantage of assumed trust. The teams that reduce risk most effectively will replace that assumption with visibility and make informed decisions a routine part of development.

Modernizing Nexus Repository: Moving Beyond OrientDB

alinskens@sonatype.com (Aaron Linskens) — Thu, 09 Apr 2026 18:55:43 GMT

If you're running Sonatype Nexus Repository or Sonatype Nexus Repository Community Edition (formerly known as Nexus Repository OSS) on OrientDB, you're operating on a legacy database architecture that is no longer aligned with current security and platform requirements.

AI, DevSecOps, and the Future of Application Security: The Gartner® Report

alinskens@sonatype.com (Aaron Linskens) — Tue, 07 Apr 2026 14:47:49 GMT

Even as organizations recognize the importance of application security, most still struggle to operationalize it at scale. That gap becomes harder to ignore as development accelerates, AI becomes embedded in workflows, and software supply chains grow more complex.

How Sonatype's Container Scanning Protects You From Zero-Days

Crystal Derakhshan — Wed, 01 Apr 2026 13:00:00 GMT

Software development moves fast, and engineering teams face intense pressure to deliver applications securely without slowing down. Containers offer incredible speed and portability, allowing developers to build and deploy applications rapidly. But this speed introduces hidden risks when organizations rely on inadequate tools to secure their environments.

Axios Compromise on npm Introduces Hidden Malicious Package

research@sonatype.com (Sonatype Security Research Team) — Tue, 31 Mar 2026 20:31:30 GMT

A newly discovered software supply chain attack targeting the npm ecosystem briefly compromised one of the most widely used JavaScript libraries in the world.

Is Your Repository Ready for What's Next?

mprescott@sonatype.com (Michael Prescott) — Tue, 31 Mar 2026 13:00:04 GMT

Most software teams don't start out planning to adopt an enterprise artifact repository.

Autonomous Development and AI: Speed vs. Security

alinskens@sonatype.com (Aaron Linskens) — Thu, 26 Mar 2026 17:11:28 GMT

AI-assisted development is changing how software gets built. What began as a productivity boost is quickly becoming something bigger.

2024 Sonatype Blog