Skip to content
Security & Trust

Supply Chain Attacks in H1 2026: 4.5x the Volume of All 2025. The Attacks Now Spread Themselves.

May 2026 was the busiest month on record — 14 campaigns, 346 malicious packages in 31 days. Three campaigns hit npm, PyPI, and Docker Hub within 48 hours. The Shai-Hulud worm propagates through build systems. Package-level attacks are now automated.

· 6 min read
Share on X LinkedIn
Supply Chain Attacks in H1 2026: 4.5x the Volume of All 2025. The Attacks Now Spread Themselves.

The Numbers Are Accelerating

The first half of 2026 produced 4.5 times the volume of malicious packages compared to all of 2025, according to Phoenix Security's supply chain intelligence report. May 2026 was the busiest month on record: 14 distinct campaigns and 346 indexed malicious packages published across npm, PyPI, and other registries in 31 days. In early June, GitGuardian documented three separate supply chain campaigns hitting npm, PyPI, and Docker Hub within a 48-hour window.

This is not a gradual increase. It is an inflection. The techniques have shifted from opportunistic typosquatting — publishing packages with names similar to popular libraries — to coordinated campaigns targeting specific organizations, build pipelines, and AI development toolchains. The attackers are not amateurs. They are operating at the speed and scale of professional software development.

4.5x malicious package volume
H1 2026 vs full-year 2025
Self-propagating worms and AI poisoning driving surge. Source: Phoenix Security, June 2026.
14 campaigns, 346 packages
May 2026
Busiest month on record. Source: Phoenix Security, June 2026.
3 campaigns across npm, PyPI, Docker Hub
48-hour window (early June)
Simultaneous multi-registry attacks. Source: GitGuardian, June 2026.

The Worm That Builds Itself

Shai-Hulud is a self-propagating supply chain worm that spreads through build systems. When a developer installs a compromised package, Shai-Hulud's payload infects the local build pipeline and publishes malicious versions of other packages that the developer maintains. Over 100 npm and PyPI packages were compromised in the Shai-Hulud campaign, including packages associated with TanStack, Mistral AI, UiPath, and OpenSearch. The worm defeated SLSA provenance checks — the supply chain security standard that was supposed to prevent exactly this scenario.

The Miasma campaign on June 1 compromised 32 packages under the @redhat-cloud-services npm namespace. The attacker bypassed code review and pushed a credential-stealing payload. On June 7, the Hades variant was detected across 19 PyPI packages — 37 malicious wheel artifacts that used Python .pth startup hooks to execute a credential stealer on every Python interpreter startup, not just when the malicious package was imported.

What the Attackers Want

The primary targets in 2026 supply chain attacks are not end users — they are developers and CI/CD pipelines. The malware steals API keys, cloud credentials (AWS, Azure, GCP), SSH keys, registry tokens, and environment variables. A single compromised developer laptop can expose the secrets for an entire organization's cloud infrastructure. A compromised CI/CD pipeline can inject malicious code into every build artifact that pipeline produces.

Unit42 (Palo Alto Networks) documented a new pattern in their June 2026 npm threat landscape report: malware specifically designed for CI/CD environments rather than developer workstations. These payloads detect whether they are running in GitHub Actions, GitLab CI, or Jenkins and extract secrets from the CI/CD environment — build tokens, deployment keys, and container registry credentials that are only available during builds.

API keys, cloud credentials, SSH keys, registry tokens
Targeted secrets
Developer environments and CI/CD pipelines. Source: Upwind/Unit42, June 2026.
~8,000%
AI agent traffic growth
Agentic browsers and AI tools creating new attack surface. Source: HUMAN Security, 2026.

The Dependency Count Is the Attack Surface

A WordPress installation with 20 plugins pulls in hundreds of PHP dependencies. A Next.js application with standard tooling pulls in over 1,000 npm packages. A Python web application with typical dependencies pulls in dozens of PyPI packages, each with their own transitive dependency trees. Every dependency is a trust relationship — the developer trusts that the package maintainer has not been compromised, that the registry has not been poisoned, and that the build pipeline has not been intercepted.

Frameworks that minimize dependencies minimize attack surface. Hugo has zero npm dependencies and zero PyPI dependencies — it is a single compiled binary. Astro ships with minimal default dependencies. The framework choice directly determines how many trust relationships — and how many potential supply chain attack vectors — an organization accepts.

The Automation Threshold

The 4.5x surge is not driven by more human attackers. It is driven by automation. AI-generated typosquatting packages, automated vulnerability scanning for maintainer account takeover, and self-propagating worms that use compromised build systems to spread — the attack pipeline now looks like a CI/CD pipeline. The defenders are patching manually. The attackers are deploying continuously.

Share this insight