H2 2026: Packages Are the New Phishing Email, and Your Secrets Are the Target
The views expressed in this piece are those of the author.
We are halfway through 2026. Before the pace of incidents makes it harder to see the pattern, I want to name it clearly: malicious packages have become the primary initial access vector for credential theft operations. Not a contributing factor. The primary vector.
The evidence from the first half of this year is unambiguous.
What Axios Told Us
On 31 March 2026, attackers compromised the npm account of the primary Axios maintainer and released two poisoned versions, axios@1.14.1 and axios@0.30.4, containing a hidden malicious dependency that delivered a cross-platform Remote Access Trojan. Axios has over 100 million weekly downloads. The window between publication and detection was measured in hours, but those hours were enough for the infected versions to land in thousands of build pipelines.
Microsoft's security team published an incident response guide the following morning. SANS and Huntress issued advisories. The poisoned versions were pulled. But pulled does not mean remediated: unpublishing only stops new resolutions, and does nothing for a pipeline that already resolved one of those versions, ran its install scripts and exposed whatever credentials were in its environment. Every environment that ran npm install during that window and has not since verified what it installed and rotated its credentials is still at risk.
The Axios compromise was not a sophisticated operation. It was a credential compromise of a single maintainer account, followed by a poisoned release. The sophistication was in the target selection: a package so ubiquitous that even a short exposure window produces enormous blast radius.
What LiteLLM and TeamPCP Told Us
TeamPCP, also tracked as PCPcat, ShellForce and DeadCatx3, has been the most consequential threat group operating against open-source ecosystems in this period. Their campaign began with the original Shai-Hulud worm in September 2025. By March 2026, they had extended their reach to LiteLLM on PyPI, a package with 95 million monthly downloads that sits directly between application code and large language model APIs.
Compromising LiteLLM is not just about stealing npm or PyPI credentials. It is about sitting inside the integration layer between enterprise software and AI infrastructure, where API keys for OpenAI, Anthropic, Google and others flow through by design. The credential surface in that position is extraordinary.
Datadog Security Labs documented the campaign in detail. Wiz published their own analysis. Endor Labs noted that TeamPCP, having already compromised Trivy, Aqua Security and Checkmarx, was now targeting the AI tooling layer. The pattern is consistent: find packages that are trusted, widely deployed and positioned close to secrets, then use them as credential harvesting infrastructure.
What Anthropic's Adversary Report Told Us
In a landmark piece of threat intelligence, Anthropic published details of the first documented AI-orchestrated cyber espionage campaign, one in which Claude was used as an active component of the attack infrastructure. The report is worth reading in full, but the supply chain security implication is this: adversaries are now using AI to accelerate every phase of a campaign, from reconnaissance to credential validation to lateral movement.
The manual, patient attacker who carefully selects targets and waits weeks for the right moment is not going away. But they are now joined by a different kind of adversary: one who can use AI to compress timelines, automate credential testing at scale and adapt tactics faster than defenders can update their detection signatures.
This changes the calculus on response time in a fundamental way.
What H2 2026 Looks Like
The pattern from H1 is clear enough to project forward with reasonable confidence.
Malicious packages will continue at scale. The economics are too favourable for attackers to stop. Publishing to npm and PyPI is free and fast, and requires nothing beyond an account credential or a publish token, which is exactly what the current campaigns are harvesting. The registries have improved their scanning capabilities, but a package that behaves maliciously only after install, or only in a CI/CD environment, or only when it detects certain environment variables, is hard to catch at publish time: static scanning sees a benign tarball, and a sandbox that does not look like a build runner never triggers the payload. We will continue to see coordinated campaigns releasing packages in large numbers, relying on statistics to ensure some proportion reaches production.
Credential scraping is the primary objective. This is the shift that has clarified over H1. The early supply chain attacks were often about injecting backdoors into software that end users would run. The current generation of attacks is primarily about stealing developer and CI/CD credentials: npm tokens, GitHub personal access tokens, AWS keys, cloud provider credentials. These credentials unlock lateral movement across an organisation's infrastructure. One compromised CI/CD agent with a valid GitHub token can provide access to every private repository that token is scoped to, which for a broadly scoped personal access token is often every repository the organisation owns.
AI tooling is the new high-value target. As enterprises adopt agentic AI infrastructure, the packages that sit in that stack (LLM gateway libraries, agent frameworks, model routing tools) become extremely attractive targets. They are trusted, they run in privileged environments, and they handle API keys and sensitive prompts as a matter of course.
AI-assisted attacks will compress response windows. If Anthropic's report represents the opening phase of AI-assisted adversarial operations, the response time available to defenders will shrink further in H2. Credential validation, lateral movement planning and new campaign execution will happen faster than they did in H1.
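To make the credential surface described in the previous three paragraphs concrete, here is an added example (mine, not code from the article or from any product it mentions) that audits a snapshot of a CI job the way a malicious install hook would see it: which environment variables and credential files a postinstall script could read, which variables tell it that it is in a real pipeline rather than a registry sandbox, and whether npm would run such a hook at all. The environment and file contents are constructed placeholders; the variable and file names are common conventions, not an exhaustive list.

```python
"""Audit what an install-time script could read in a CI job.

Added example, not code from the article or from any product it mentions.
Given a snapshot of a build environment (environment variables plus the
contents of a few well-known credential files) it reports which secrets a
malicious postinstall hook or setup.py could read, which signals tell such a
hook it is in CI rather than a registry sandbox, and whether npm lifecycle
scripts are allowed to run at all. The snapshot below is constructed.
"""
import re
from typing import Dict, List

# Variable names that routinely carry tokens in CI. Illustrative, not exhaustive.
SECRET_ENV_NAMES = {
    "NPM_TOKEN", "NODE_AUTH_TOKEN", "GITHUB_TOKEN", "GH_TOKEN", "PYPI_TOKEN",
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "OPENAI_API_KEY", "ANTHROPIC_API_KEY", "GOOGLE_API_KEY",
}
SECRET_NAME_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY)$")

# Variables an install script can check so it only misbehaves inside a real pipeline.
CI_SIGNAL_NAMES = {"CI", "GITHUB_ACTIONS", "GITLAB_CI", "BUILDKITE", "JENKINS_URL", "TF_BUILD"}

# Credential files the package managers and git read; a postinstall script can read them too.
CREDENTIAL_FILE_PATTERNS = {
    "~/.npmrc": re.compile(r"_authToken\s*=\s*\S+"),
    "~/.pypirc": re.compile(r"^\s*password\s*=\s*\S+", re.I | re.M),
    "~/.aws/credentials": re.compile(r"^\s*aws_secret_access_key\s*=\s*\S+", re.I | re.M),
    "~/.git-credentials": re.compile(r"https?://[^:\s]+:[^@\s]+@"),
}


def exposed_env_secrets(env: Dict[str, str]) -> List[str]:
    """Names of non-empty environment variables that look like credentials."""
    return sorted(n for n, v in env.items()
                  if v and (n in SECRET_ENV_NAMES or SECRET_NAME_RE.search(n)))


def ci_signals(env: Dict[str, str]) -> List[str]:
    """CI markers present: what a sandbox-evading package would key on."""
    return sorted(n for n in CI_SIGNAL_NAMES if env.get(n))


def exposed_file_secrets(files: Dict[str, str]) -> List[str]:
    """Credential files in the snapshot that actually contain a secret."""
    return sorted(p for p, rx in CREDENTIAL_FILE_PATTERNS.items()
                  if p in files and rx.search(files[p]))


def lifecycle_scripts_allowed(files: Dict[str, str]) -> bool:
    """False if a project or user .npmrc sets ignore-scripts=true, which makes npm
    skip dependencies' preinstall/postinstall hooks."""
    for path in ("./.npmrc", "~/.npmrc"):
        for line in files.get(path, "").splitlines():
            if re.fullmatch(r"\s*ignore-scripts\s*=\s*true\s*", line, re.I):
                return False
    return True


def audit(env: Dict[str, str], files: Dict[str, str]) -> dict:
    """Summarise the surface; the last flag is the worst case: hooks run,
    the job is recognisable as CI, and secrets are within reach."""
    report = {
        "env_secrets": exposed_env_secrets(env),
        "file_secrets": exposed_file_secrets(files),
        "ci_signals": ci_signals(env),
        "lifecycle_scripts_allowed": lifecycle_scripts_allowed(files),
    }
    report["install_hook_can_steal_secrets"] = (
        report["lifecycle_scripts_allowed"]
        and bool(report["env_secrets"] or report["file_secrets"]))
    return report


# Constructed snapshot of a GitHub Actions-style job; no real secrets.
SAMPLE_ENV = {
    "CI": "true", "GITHUB_ACTIONS": "true", "HOME": "/home/runner", "PATH": "/usr/bin",
    "NODE_AUTH_TOKEN": "EXAMPLE-NOT-A-REAL-TOKEN",
    "AWS_ACCESS_KEY_ID": "EXAMPLE-NOT-A-REAL-KEY", "AWS_SECRET_ACCESS_KEY": "EXAMPLE-NOT-A-REAL-KEY",
    "ANTHROPIC_API_KEY": "EXAMPLE-NOT-A-REAL-KEY",
    "DEPLOY_WEBHOOK_SECRET": "EXAMPLE",   # caught by the name pattern, not the list
}
SAMPLE_FILES = {
    "~/.npmrc": "//registry.npmjs.org/:_authToken=EXAMPLE-NOT-A-REAL-TOKEN\n",
    "~/.git-credentials": "https://x-access-token:EXAMPLE-NOT-A-REAL-TOKEN@github.com\n",
    "./.npmrc": "save-exact=true\n",
}
# Same job with dependency lifecycle scripts disabled in the project .npmrc.
HARDENED_FILES = {**SAMPLE_FILES, "./.npmrc": "save-exact=true\nignore-scripts=true\n"}

if __name__ == "__main__":
    for label, files in (("as-is", SAMPLE_FILES), ("ignore-scripts", HARDENED_FILES)):
        print(label, audit(SAMPLE_ENV, files))
```

`ignore-scripts=true` only blocks install-time hooks; code inside a malicious module still runs when it is imported, and a PyPI sdist runs its setup.py at install time regardless, so for pip prefer wheels (`pip install --only-binary=:all:`) and, in both ecosystems, keep build credentials out of the environment of the install step and inject them only into the step that needs them.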
The Only Adequate Response
Here is the uncomfortable truth: if your response to a malicious package incident involves someone creating a Jira ticket, assigning it to an engineering team, waiting for triage, and manually opening pull requests across your estate, you are already too slow.
The entire value of credential theft through a compromised package is that it gives attackers persistent access to your infrastructure. Every hour a package carrying credential-scraping code sits in your build pipelines is another hour those pipelines are running in a compromised environment, potentially exfiltrating registry tokens, cloud keys and repository credentials.
Speed of removal, followed by rotation of every credential those pipelines could have exposed, is the metric that matters. And speed of removal at enterprise scale, across hundreds of repositories, multiple registries and dozens of teams, requires automation.
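What that automation has to do first, shown as an added example that is not the article's code and not Verifi's: take a confirmed-bad package and version, walk every lockfile collected from the estate, report each consuming repository (including those that only pull the version in transitively through another dependency) and group the findings by owner so a pull request can be raised per team. This is also the check the Axios section calls for: whether any lockfile in your estate resolved axios@1.14.1 or axios@0.30.4. The estate, the owner map and the PyPI package name are constructed for the example; the axios versions are the two the article names.

```python
"""Estate-wide scan for a confirmed-malicious package version.

Added example, not Verifi's code or any other product's. Given lockfiles
collected from many repositories (here a constructed, in-memory estate) it
finds every repository that resolved a known-bad version, direct or
transitive, and groups the findings by owning team. Handles package-lock.json
lockfileVersion 1, 2 and 3 and ==-pinned requirements.txt lines.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# The axios versions are the two the article names; the PyPI entry is a
# made-up placeholder so the pip path is exercised.
BAD_VERSIONS: Dict[str, Set[str]] = {
    "npm:axios": {"1.14.1", "0.30.4"},
    "pypi:example-gateway": {"2.0.0"},   # hypothetical
}
REQ_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


@dataclass(frozen=True)
class Finding:
    repo: str
    lockfile: str
    package: str    # "npm:axios", "pypi:example-gateway"
    version: str
    location: str   # node_modules path, or requirements.txt line
    direct: bool    # top-level dependency, or pulled in transitively


def npm_lock_entries(lock: dict) -> Iterable[Tuple[str, str, str]]:
    """Yield (name, version, path) for every entry in a package-lock.json."""
    packages = lock.get("packages")
    if packages is not None:                       # lockfileVersion 2 / 3
        for path, meta in packages.items():
            if path:                               # "" is the root project
                yield path.rsplit("node_modules/", 1)[-1], meta.get("version", ""), path
        return

    def walk(deps: dict, prefix: str):             # lockfileVersion 1 tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def pip_pins(text: str) -> Iterable[Tuple[str, str, str]]:
    """Yield (normalised name, version, 'line N') for each ==-pinned requirement."""
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_LINE_RE.match(line)
        if m:
            yield m.group(1).lower().replace("_", "-"), m.group(2), f"line {n}"


def scan_lockfile(repo: str, name: str, text: str, bad=BAD_VERSIONS) -> List[Finding]:
    """Findings for one lockfile; a nested node_modules path means transitive."""
    found: List[Finding] = []
    if name.endswith("package-lock.json"):
        for pkg, ver, path in npm_lock_entries(json.loads(text)):
            if ver in bad.get(f"npm:{pkg}", ()):
                found.append(Finding(repo, name, f"npm:{pkg}", ver, path,
                                     direct=path.count("node_modules/") == 1))
    elif name.endswith("requirements.txt"):
        for pkg, ver, where in pip_pins(text):
            if ver in bad.get(f"pypi:{pkg}", ()):
                found.append(Finding(repo, name, f"pypi:{pkg}", ver, where, direct=True))
    return found


def scan_estate(estate: Dict[str, Dict[str, str]], bad=BAD_VERSIONS) -> List[Finding]:
    """estate maps repo name -> {lockfile path: contents}."""
    return [f for repo, files in estate.items() for path, text in files.items()
            for f in scan_lockfile(repo, path, text, bad)]


def route_to_owners(findings: List[Finding], owners: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Group findings by owning team; repos with no owner go to 'unassigned'."""
    routed: Dict[str, List[Finding]] = {}
    for f in findings:
        routed.setdefault(owners.get(f.repo, "unassigned"), []).append(f)
    return routed


# Constructed estate: four repos, three of them consuming a bad version.
ESTATE = {
    "payments-api": {"package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "payments-api"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-sdk": {"version": "4.2.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.30.4"}}})},
    "legacy-portal": {"package-lock.json": json.dumps({"lockfileVersion": 1, "dependencies": {
        "http-client": {"version": "2.0.0", "dependencies": {"axios": {"version": "0.30.4"}}}}})},
    "ml-router": {"requirements.txt": "Example_Gateway[proxy]==2.0.0  # pinned\nrequests==2.31.0\n"},
    "docs-site": {"package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {}, "node_modules/axios": {"version": "0.0.0-clean-example"}}})},
}
OWNERS = {"payments-api": "team-payments", "legacy-portal": "team-payments", "ml-router": "team-ml"}

if __name__ == "__main__":
    for team, hits in route_to_owners(scan_estate(ESTATE), OWNERS).items():
        print(f"{team}:")
        for f in hits:
            kind = "direct" if f.direct else "transitive"
            print(f"  {f.repo}/{f.lockfile}: {f.package}@{f.version} ({kind}, {f.location})")
```

Transitive hits are the ones a quick grep of package.json misses: a repository's own dependency list can be clean while a nested node_modules path still resolves the bad version, which is why the scan walks every lockfile entry rather than the direct dependencies alone. When the generated pull request pins a replacement (an npm `overrides` entry or a pip constraints file), pin to a version you have verified yourself rather than whatever was published next after the incident.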
This is what Verifi is built for. When a package is confirmed malicious, Verifi immediately identifies every repository consuming it, generates remediation pull requests, routes them to the right owners and tracks removal to completion across the entire estate. It does not wait for a ticket. It does not require manual triage. It moves at the speed the threat requires.
Your secrets are only as safe as how quickly you can remove the packages trying to steal them. In H2 2026, that speed needs to be measured in hours, not sprints.