Sujith Quintelier

Supply-Chain - 1

2026 (3)

April (1)

security: Mitigating the Axios npm supply chain compromise

Microsoft Security Blog

2026-04-01

Microsoft reports that Axios was compromised in a March 31, 2026 npm supply chain attack. Two newly published version-update packages were used to download from command-and-control infrastructure, which Microsoft Threat Intelligence attributes to the North Korean actor Sapphire Sleet.

March (1)

k8s: The Invisible Rewrite: Modernizing the Kubernetes Image Promoter

Kubernetes Official Blog

2026-03-17

Kubernetes rewrote the core of its image promoter (kpromo/promo-tools), removing legacy code and splitting promotion into distinct phases. The new pipeline improved performance and reliability, shipped in v4.2.0–v4.4.0, and kept user-facing flags and manifests unchanged.

February (1)

security: Developer-targeting campaign using malicious Next.js repositories

Microsoft Security Blog

2026-02-24

Microsoft reports a developer-targeting campaign that used malicious Next.js repositories to achieve remote code execution and establish command-and-control via normal build workflows, aiming to blend into routine development activity.

© Copyright 2018-Present Sujith Quintelier All Rights Reserved • RSS
