Highlights from March
Coming in at number 1 on this month’s top 10 most prevalent threat list is activity related to March 2026’s axios npm compromise. On March 30, 2026, security researchers discovered that the widely used npm package axios was compromised through an account takeover attack targeting a lead maintainer. Attackers bypassed the project’s GitHub Actions CI/CD pipeline entirely: by compromising the maintainer’s npm account and changing its associated email, they were able to publish two malicious versions manually via the npm command-line interface (CLI), with no commit or build in the project’s repository. The poisoned releases inject a hidden dependency called plain-crypto-js@4.2.1, which executes a postinstall script functioning as a cross-platform remote access trojan (RAT) dropper targeting macOS, Windows, and Linux systems. Red Canary detected malicious activity across all three operating systems, including RAT payload installation, but saw no additional follow-on activity.

OWASP’s npm security best practices can help mitigate impacts from npm compromises. Key recommendations include enabling two-factor authentication (2FA) for any accounts with publishing rights to the npm package repository, and using a local npm proxy to cache known-good npm packages for use internally. This caching strategy can be combined with a “cooldown check” that refuses to install any version less than a day old, so that a malicious release has time to be noticed and pulled before it reaches your builds. For a deeper look at these risks, watch the SecOps Weekly deep-dive into the compromise.
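The cooldown check above is easy to automate because the npm registry’s metadata document for a package (GET https://registry.npmjs.org/&lt;name&gt;, the “packument”) carries a `time` object mapping each version to its publish timestamp and a `versions` object with each version’s manifest. The following is an added example, not code from the original post or from OWASP, axios, or npm: it applies a one-day cooldown to a constructed packument for a hypothetical package `example-lib` and, going a step beyond the cooldown alone, also flags the two traits of the poisoned releases described above, a dependency that was not in the previous version and a newly added install script. The package, version, dependency and script names are all constructed.

```javascript
// Added example: cooldown and release-delta checks against npm registry metadata.
// Everything below is constructed sample data, not real axios or npm registry output.

const MIN_AGE_MS = 24 * 60 * 60 * 1000; // one day, per the OWASP cooldown guidance

// Constructed packument for a hypothetical package "example-lib".
// Shape follows the registry: "time" maps version -> ISO publish time,
// "versions" maps version -> that version's package.json manifest.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2025-01-10T09:00:00.000Z",
    modified: "2026-03-30T22:15:00.000Z",
    "2.0.0": "2026-03-01T12:00:00.000Z",
    "2.0.1": "2026-03-30T22:15:00.000Z", // published hours before "now" below
  },
  versions: {
    "2.0.0": { version: "2.0.0", dependencies: { "example-dep-a": "^1.0.0" } },
    "2.0.1": {
      version: "2.0.1",
      dependencies: { "example-dep-a": "^1.0.0", "example-added-dep": "4.2.1" },
      scripts: { postinstall: "node setup.js" }, // hypothetical install hook
    },
  },
};

// Age of a version in milliseconds, or null if the registry has no publish time for it.
function versionAgeMs(packument, version, now) {
  const published = packument.time && packument.time[version];
  if (!published) return null;
  const t = Date.parse(published);
  return Number.isNaN(t) ? null : now.getTime() - t;
}

// True only when the version is known and at least minAgeMs old.
function isCooledDown(packument, version, now, minAgeMs = MIN_AGE_MS) {
  const age = versionAgeMs(packument, version, now);
  return age !== null && age >= minAgeMs;
}

// Versions in publish order; "created" and "modified" are bookkeeping keys, not versions.
function publishedVersions(packument) {
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .sort((a, b) => Date.parse(a[1]) - Date.parse(b[1]))
    .map(([version]) => version);
}

function previousVersion(packument, version) {
  const order = publishedVersions(packument);
  const idx = order.indexOf(version);
  return idx > 0 ? order[idx - 1] : null;
}

// Dependencies present in toVersion that fromVersion did not declare.
function newDependencies(packument, fromVersion, toVersion) {
  const before = (packument.versions[fromVersion] || {}).dependencies || {};
  const after = (packument.versions[toVersion] || {}).dependencies || {};
  return Object.keys(after).filter((name) => !(name in before)).sort();
}

// npm runs these lifecycle scripts automatically on install.
function hasInstallScript(packument, version) {
  const scripts = (packument.versions[version] || {}).scripts || {};
  return ["preinstall", "install", "postinstall"].some((k) => k in scripts);
}

// Policy decision for one release: allow only if no finding fires.
function reviewRelease(packument, version, now, minAgeMs = MIN_AGE_MS) {
  const findings = [];
  if (!isCooledDown(packument, version, now, minAgeMs)) {
    findings.push("published less than the cooldown window ago");
  }
  const prev = previousVersion(packument, version);
  if (prev) {
    const added = newDependencies(packument, prev, version);
    if (added.length) findings.push(`new dependencies since ${prev}: ${added.join(", ")}`);
    if (hasInstallScript(packument, version) && !hasInstallScript(packument, prev)) {
      findings.push(`install script added since ${prev}`);
    }
  }
  return { version, allow: findings.length === 0, findings };
}

// Stand-alone usage with a fixed clock so the result is reproducible.
const NOW = new Date("2026-03-31T06:00:00.000Z");
console.log(reviewRelease(SAMPLE_PACKUMENT, "2.0.0", NOW));
console.log(reviewRelease(SAMPLE_PACKUMENT, "2.0.1", NOW));
```

In a real deployment `reviewRelease` would run inside the local proxy (or a pre-install hook) against the live packument, with `now` taken from the system clock; an unknown version is treated as not cooled down rather than allowed, so a registry response missing a `time` entry fails closed.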
The other newcomer to this month’s top 10 is the threat group TeamPCP, due to the LiteLLM compromise reported in March 2026. On March 24, 2026, the group published two malicious versions of LiteLLM (1.82.7 and 1.82.8) to the Python Package Index (PyPI) after exfiltrating maintainer credentials through the project’s CI/CD pipeline. TeamPCP is a sophisticated criminal group conducting coordinated supply chain attacks and cloud-native infrastructure compromises for ransomware deployment, credential harvesting, and coinmining. In addition to the LiteLLM compromise, TeamPCP is the threat group behind a months-long supply chain campaign that has also targeted GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI.
Finally, last month Red Canary observed an increase in Microsoft Teams phishing paired with email bombing. This is not a wholly new trend; in many ways, the recent activity is similar to activity we have previously reported. You can read more about this activity below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for March 2026:

