Sophisticated cyberattacks targeting a variety of open source projects, including the Trivy security-scanner project, the widely used Axios Javascript package, and now Anthropic's accidental publishing of source code for its flagship Claude Code — all in a 10-day period — underscore a worrying trend of own-goal risks posed to software supply chains.

Attackers exploited a misconfigured GitHub Action in Trivy and the failure of the development team to recover from the incident to capture the needed credentials for pushing out malicious code. A compromise of the lead maintainer's account for Axios led to backdoor-installing Trojans landing in development environments. Other breaches include the KICS static-code analyzer maintained by cybersecurity firm Checkmarx, the open source LiteLLM Python library. And now, human error this week led to the publishing of more than a half million lines of the source code for Anthropic's Claude Code npm package. Read more here