
CXO Monthly Roundup, March 2026: Surge in supply chain attacks (Axios, LiteLLM, etc.), Anthropic’s Claude Code leak, the new VPN Risk Report, RSAC 2026, China-nexus threat actor leverages Middle East conflict, and more.
Apr 16, 2026
Highlights from the Zscaler ThreatLabz team's March 2026 research.
The CXO Monthly Roundup provides the latest Zscaler ThreatLabz research, alongside insights into other cyber-related subjects that matter to technology executives. This monthly roundup highlights takeaways from a surge in supply chain attacks (Axios, LiteLLM, and more), Anthropic’s Claude Code leak, the new VPN Risk Report, RSAC 2026 and shifting AI-driven risk, a China-nexus activity leveraging the Middle East conflict to deliver PlugX, ThreatLabz’s discovery of SnappyClient, and the continued evolution of Xloader.
Supply Chain Attacks Surge in March 2026
March was a turbulent month for the software supply chain. Five major software supply chain attacks occurred, including the Axios npm package compromise, which has been attributed to a North Korean threat actor. In addition, a hacking group known as TeamPCP was able to compromise Trivy (a vulnerability scanner), KICS (a static analysis tool), LiteLLM (an interface for AI models), and Telnyx (a library for real-time communication features).
ThreatLabz published a comprehensive advisory on the Axios npm package compromise and the LiteLLM attack.
Axios npm package compromise
The widely-used npm package Axios was compromised through an account takeover attack targeting a lead maintainer. Threat actors bypassed the project's GitHub Actions CI/CD pipeline by compromising the maintainer's npm account and changing its associated email. The threat actor manually published two malicious versions via npm CLI.
These poisoned releases inject a hidden dependency called [email protected], which executes a postinstall script functioning as a cross-platform remote access trojan (RAT) dropper targeting macOS, Windows, and Linux systems.
During execution, the malware contacts command-and-control (C2) infrastructure at sfrclak[.]com to deliver platform-specific payloads, then deletes itself and replaces its package.json with a clean version to evade detection.
The figure below shows the attack chain.

Figure 1: Attack chain for the compromised Axios package.
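The two signals in the Axios chain that a consumer can check for before anything runs are a dependency that appears out of nowhere in a new release and a package in the tree that carries an install-time lifecycle script. The script below is an added example (not ThreatLabz or Axios project code) that compares a candidate release manifest against a trusted baseline and walks the resolved tree for lifecycle hooks; the package names, versions and manifests are constructed for illustration.

```python
"""Audit an npm release for the warning signs seen in the Axios compromise:
a dependency absent from a trusted earlier release, and install-time
lifecycle scripts anywhere in the resolved tree.  Added example; every
manifest below is constructed and does not represent a real package."""
import json

# Hooks npm runs automatically during `npm install`.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def lifecycle_scripts(manifest):
    """Return the lifecycle scripts a single package would execute on install."""
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_SCRIPTS}


def declared_deps(manifest):
    """Runtime and optional dependencies declared by a manifest."""
    deps = {}
    for field in ("dependencies", "optionalDependencies"):
        deps.update(manifest.get(field) or {})
    return deps


def audit_release(trusted, candidate, installed):
    """Compare a candidate release against a trusted baseline release.

    `installed` maps package name -> manifest for every package the candidate
    pulls in (what you would read from node_modules/*/package.json after a
    dry-run resolution).  Returns a list of human-readable findings."""
    findings = []
    baseline = declared_deps(trusted)
    for name, spec in declared_deps(candidate).items():
        if name not in baseline:
            findings.append(f"new dependency not in baseline: {name}@{spec}")
    for name, manifest in installed.items():
        for hook, cmd in lifecycle_scripts(manifest).items():
            findings.append(f"{name} runs '{hook}' at install time: {cmd}")
    return findings


# Constructed manifests: a known-good release and the next release, which
# silently adds a dependency that carries a postinstall hook.
TRUSTED = json.loads('''{"name": "example-http", "version": "1.0.0",
  "dependencies": {"example-redirects": "^1.15.0"}}''')
CANDIDATE = json.loads('''{"name": "example-http", "version": "1.0.1",
  "dependencies": {"example-redirects": "^1.15.0",
                   "example-hidden-dep": "0.1.0"}}''')
INSTALLED = {
    "example-redirects": {"name": "example-redirects", "version": "1.15.6"},
    "example-hidden-dep": {"name": "example-hidden-dep", "version": "0.1.0",
                           "scripts": {"postinstall": "node setup.js"}},
}

if __name__ == "__main__":
    for finding in audit_release(TRUSTED, CANDIDATE, INSTALLED):
        print("WARN:", finding)
```

In practice the manifests come from `npm pack` output or from `node_modules` after `npm ci --ignore-scripts`, which installs from the lockfile without running any hook; a finding from either check is a reason to hold the upgrade until the new package and its script have been read.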
TeamPCP’s attack on LiteLLM
LiteLLM is a popular AI infrastructure library hosted on the Python Package Index (PyPI). Two LiteLLM package versions were found to include malicious code published by the threat group TeamPCP. The impacted versions of LiteLLM were only available on PyPI for about three hours before they were quarantined.
LiteLLM allows developers to call different LLMs using an OpenAI-style API. Since it’s published on PyPI, a developer might download it by installing it for a project with the standard Python package installer, either directly or as part of an automated dependency install. The poisoned LiteLLM packages appear to be part of an attack designed to harvest high-value secrets such as AWS, GCP, and Azure tokens, SSH keys, and Kubernetes credentials, enabling lateral movement and long-term persistence across compromised CI/CD systems and production environments.
The attack chain for the compromised packages is shown below.

Figure 2: Attack chain for compromised LiteLLM packages.
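The poisoned LiteLLM versions lived on PyPI for roughly three hours, which is exactly the window an automated dependency install walks into. One control that closes it is a minimum release age: refuse to install any version published more recently than a cooldown period, so that a quarantined release never reaches a build. The code below is an added example, not project or ThreatLabz code; the release data is constructed, with field names borrowed from PyPI's JSON API (`upload_time_iso_8601`, `yanked`).

```python
"""Pick the newest PyPI release that is older than a cooldown window and
not yanked.  Added example; RELEASES is constructed data shaped like the
`releases` object of PyPI's JSON API."""
from datetime import datetime, timedelta, timezone


def version_key(version):
    # Adequate for plain X.Y.Z strings; use packaging.version for real data.
    return tuple(int(part) for part in version.split("."))


def parse_upload_time(stamp):
    # PyPI emits e.g. "2026-02-20T09:00:00.000000Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def pick_version(releases, now, min_age=timedelta(days=7)):
    """Return (chosen_version, rejected) where rejected maps each newer
    version that was skipped to the reason it was skipped."""
    rejected = {}
    for version in sorted(releases, key=version_key, reverse=True):
        files = releases[version]
        if not files:
            rejected[version] = "no distribution files"
            continue
        if any(f.get("yanked") for f in files):
            rejected[version] = "yanked"
            continue
        newest_upload = max(parse_upload_time(f["upload_time_iso_8601"]) for f in files)
        age = now - newest_upload
        if age < min_age:
            rejected[version] = f"published {age} ago, still inside the cooldown window"
            continue
        return version, rejected
    return None, rejected


# Constructed release history: a mature release, a release pushed three hours
# ago, and a release that was yanked after publication.
RELEASES = {
    "1.80.0": [{"upload_time_iso_8601": "2026-02-20T09:00:00.000000Z", "yanked": False}],
    "1.80.1": [{"upload_time_iso_8601": "2026-03-25T09:00:00.000000Z", "yanked": False}],
    "1.80.2": [{"upload_time_iso_8601": "2026-02-25T09:00:00.000000Z", "yanked": True}],
}
NOW = datetime(2026, 3, 25, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    chosen, skipped = pick_version(RELEASES, NOW)
    print("install:", chosen)
    for version, reason in skipped.items():
        print(f"skip {version}: {reason}")
```

The cooldown complements, rather than replaces, a pinned lockfile with hashes (`pip install --require-hashes -r requirements.txt`): the lockfile stops silent upgrades, and the age check stops a deliberate upgrade from landing on a version that is hours old.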
For recommendations on mitigating these threats and a list of Indicators of Compromise (IOCs), visit Supply Chain Attacks Surge in March 2026.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection), Deception
Anthropic’s Claude Code Leak
On March 31, 2026, Anthropic unintentionally exposed the full source code of Claude Code, its terminal-based AI coding agent, after a 59.8 MB JavaScript source map (.map) file was bundled into the public NPM package @anthropic-ai/claude-code v2.1.88. The issue was publicly disclosed on X by a security researcher and rapidly went viral.
The leaked file contained approximately 513,000 lines of unobfuscated TypeScript across 1,906 files, revealing the complete client-side agent harness, according to online publications. Within hours, the codebase was downloaded from Anthropic’s own Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times. Thousands of developers, researchers, and threat actors are actively analyzing, forking, porting to Rust/Python and redistributing it. Some of the GitHub repositories have gained over 84,000 stars and 82,000 forks. Anthropic has issued Digital Millennium Copyright Act (DMCA) notices on some mirrors, but the code became available across hundreds of public repositories.
The heavy sharing on GitHub (thousands of forks, stars, and mirrors by developers worldwide) turns this into a vector for abuse. Key risks include:
- Supply chain attacks via malicious forks and mirrors: Thousands of repositories now host the leaked code or derivatives. Threat actors can seed (and already are seeding) trojanized versions with backdoors, data exfiltrators, or cryptominers. Unsuspecting users cloning “official-looking” forks risk immediate compromise.
- Amplified exploitation of known vulnerabilities and discovery of new vulnerabilities: Pre-existing flaws (e.g., CVE-2025-59536, CVE-2026-21852, RCE and API key exfiltration via malicious repo configs, hooks, MCP servers, and env vars) are now far easier to weaponize. Threat actors with full source visibility can craft precise malicious repositories or project files that trigger arbitrary shell execution or credential theft simply by cloning/opening an untrusted repo. The exposed hook and permission logic makes silent device takeover more reliable.
- Local environment and developer workstation compromise: Users building or running the leaked code locally introduce unvetted dependencies and execution paths. The leak coincided exactly with the Axios NPM supply chain attack discussed above, creating a perfect storm for anyone updating Claude Code via NPM that day.
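The root cause of the leak was mechanical: a source map ended up inside the published tarball. That is cheap to catch before `npm publish` by inspecting the artifact `npm pack` produces. The script below is an added example, not Anthropic or Claude Code code, that builds a small npm-style tarball in memory (constructed test data) and reports shipped `.map` files, maps that embed original sources via `sourcesContent`, and JavaScript files that still carry a `sourceMappingURL` reference.

```python
"""Detect source maps in an npm tarball before it is published.  Added
example; build_tarball() only exists to create constructed test input."""
import io
import json
import re
import tarfile

# Matches `//# sourceMappingURL=...` (or the older //@ form) in JS output.
SOURCEMAP_REF = re.compile(rb"//[#@]\s*sourceMappingURL=\S+")


def build_tarball(files):
    """Create an npm-style tarball (members under package/) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo("package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_sourcemap_leaks(tarball_bytes):
    """Return [(member_name, description)] for every source-map finding."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.endswith(".map"):
                try:
                    embeds_sources = "sourcesContent" in json.loads(
                        tar.extractfile(member).read())
                except ValueError:
                    embeds_sources = False
                note = "source map shipped"
                if embeds_sources:
                    note += " with embedded original sources"
                findings.append((member.name, note))
            elif member.name.endswith((".js", ".mjs", ".cjs")):
                ref = SOURCEMAP_REF.search(tar.extractfile(member).read())
                if ref:
                    findings.append((member.name, ref.group(0).decode()))
    return findings


# Constructed package contents: a bundled CLI whose map carries the TypeScript.
SAMPLE_FILES = {
    "package.json": b'{"name": "example-cli", "version": "1.0.0"}',
    "cli.js": b"console.log('hi');\n//# sourceMappingURL=cli.js.map\n",
    "cli.js.map": b'{"version":3,"sources":["src/cli.ts"],'
                  b'"sourcesContent":["const x = 1;"],"mappings":"AAAA"}',
    "README.md": b"# example-cli\n",
}

if __name__ == "__main__":
    for name, note in find_sourcemap_leaks(build_tarball(SAMPLE_FILES)):
        print(f"LEAK {name}: {note}")
```

Run `npm pack` in CI, pass the resulting tarball to `find_sourcemap_leaks`, and fail the pipeline on any finding; `npm pack --dry-run` lists the files that would be included without writing the archive, which is enough for the name check alone.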
ThreatLabz discovers “Claude Code leak” lure
While monitoring GitHub for threats, ThreatLabz came across a “Claude Code leak” repository. The repository looks like it’s trying to pass itself off as leaked TypeScript source code for Anthropic’s Claude Code CLI. The README file even claims the code was exposed through a .map file in the NPM package and then rebuilt into a working fork with “unlocked” enterprise features and no message limits. Read the full analysis here: Anthropic Claude Code Leak.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection)
VPN Risk Report
The ThreatLabz 2026 VPN Risk Report highlights how AI is helping threat actors move faster while organizations’ VPN systems are not able to keep up. The report is based on a survey of 822 IT and cybersecurity professionals.
Among those surveyed, these were the most notable findings:
- 61% encountered AI-enabled attacks in the last 12 months; 70% report limited or no visibility into AI-driven threats over VPN.
- 54% say patching critical VPN vulnerabilities takes a week or more; 56% cite patching as their top operational challenge.
- 1 in 3 inspect 0% of encrypted VPN traffic; only 8% can inspect nearly all encrypted traffic.
- Only 11% can restrict a compromised session to a single application, increasing blast radius once attackers get in.
- 63% say users bypass VPN controls to reach apps faster, often due to performance and reliability issues.
RSAC 2026
AI is quickly reshaping how threat actors are launching attacks by allowing them to create convincing deepfake media, helping refine code, and even enabling them to automate stages of the attack using agentic AI tools. This means that the nature of risks organizations are facing is also changing. Having visibility into how your organization leverages AI is now a foundational requirement because traditional perimeter controls are insufficient for AI-driven workflows. In addition, a Zero Trust architecture must be adopted and extended to AI-driven data flows, while governance and oversight mature at the same pace as adoption.
On March 24, 2026, my colleague Dhawal Sharma and I led a presentation on how organizations are adopting generative AI while touching on the risks. These include:
- AI sprawl: Expands the attack surface and data exposure
- AI posture: AI exposures evade traditional security posture tools
- AI inspection: AI protocols are complex, require intent-based detection
- AI agents: Autonomous agents, no defined security frameworks
To securely undergo an AI transformation, your organization requires governance and compliance at every stage of the AI lifecycle. This means:
- AI asset management: Understand your full AI footprint and risks
- Secure access to AI apps: Ensure the safe and responsible use of AI
- Secure AI apps and infrastructure: Harden AI systems and prompts and enforce runtime protection
Zscaler Coverage
Zscaler AI Guard, Zscaler Internet Access, Zscaler Private Access, Deception
ThreatLabz Uncovers Campaign Targeting Arabian Gulf Region
Threat actors have been quick to leverage the ongoing conflict in the Middle East. On March 1, 2026, ThreatLabz discovered new activity from a China-nexus threat actor targeting victims in the Arabian Gulf region. We touched on it in a previous article but now ThreatLabz has published a comprehensive technical analysis.
Within 24 hours of the Middle East conflict making news, the threat actor used the theme of the conflict to create a PDF lure. This lure was sent to victims in the Arabian Gulf region who were likely to engage since the conflict was unfolding in that same area. The PDF lure included images of Iranian missile strikes against a US base in Bahrain and writing in Arabic.

Figure 3: PDF lure referencing Iranian missile strikes against a US base in Bahrain.
The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. Based on the tools, techniques, and procedures (TTPs) observed, ThreatLabz attributes this activity to a China-nexus threat actor with high confidence, and assesses with medium confidence that it may be linked to Mustang Panda.

Figure 4: Attack chain leading to deployment of PlugX.
The attack chain is initiated when the victim clicks on the lure, which is actually a malicious Windows shortcut (LNK) file. When the victim opens the LNK file, it executes embedded command-line instructions that initiate the next stage of the payload delivery. The LNK file retrieves and extracts a malicious payload from a Compiled HTML Help (CHM) file using the legitimate Windows utility hh.exe, which allows malicious activity to blend in with normal operating system behavior.
The LNK file then displays the lure to the victim while the malware’s shellcode decrypts and deploys the PlugX backdoor, which establishes persistence through Windows registry modifications and uses HTTPS to encrypt its C2 communications. Additional technical analysis and indicators associated with this campaign are detailed in the original blog: China-nexus Threat Actor Targets Arabian Gulf Region With PlugX.
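Because hh.exe is a signed Windows binary, the useful detection signal is context rather than the binary itself: who launched it, what it was asked to do, and where the CHM came from. The following is an added example (not ThreatLabz detection content) of that logic run over constructed process-creation events; the field names `Image`, `ParentImage` and `CommandLine` follow Sysmon Event ID 1, and the user-writable path list and the `-decompile` switch (hh.exe's documented extraction option) are assumptions chosen for the illustration.

```python
"""Flag hh.exe launches that match an LNK -> hh.exe -> CHM staging pattern.
Added example with constructed Sysmon-style events."""
import re

# Parents that typically appear when an LNK target runs embedded commands.
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
# Locations a phishing attachment or download would land in (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# A Windows path ending in .chm, optionally quoted, inside a command line.
CHM_PATH = re.compile(r'"?([a-z]:\\[^"\s]+\.chm)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def inspect_event(event):
    """Return the reasons this event looks suspicious (empty list if none)."""
    if basename(event["Image"]) != "hh.exe":
        return []
    cmd = event["CommandLine"]
    reasons = []
    if basename(event["ParentImage"]) in INTERPRETERS:
        reasons.append("hh.exe spawned by a command interpreter (LNK-style launch)")
    if "-decompile" in cmd.lower():
        reasons.append("hh.exe asked to extract CHM contents (-decompile)")
    for match in CHM_PATH.finditer(cmd):
        chm = match.group(1)
        if any(segment in chm.lower() for segment in USER_WRITABLE):
            reasons.append(f"CHM opened from a user-writable path: {chm}")
            break
    return reasons


def detect(events):
    """Return [(event_index, reasons)] for every event with at least one reason."""
    hits = []
    for index, event in enumerate(events):
        reasons = inspect_event(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed events: a legitimate help lookup, a staging-style launch, and noise.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Windows\Help\mui\0409\mmc.chm'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe -decompile C:\Users\u\AppData\Local\Temp\out "
                    r"C:\Users\u\Downloads\report.chm"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for index, reasons in detect(EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print("  -", reason)
```

Any one reason is worth a hunt query; all three together on a workstation that then shows new Run-key entries is the shape of the chain described above and should page someone.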
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection), Deception
ThreatLabz Discovers SnappyClient
ThreatLabz has published a technical analysis on a new command-and-control (C2) framework implant that we track as SnappyClient. SnappyClient has an extended list of capabilities including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications, and was observed being delivered exclusively by HijackLoader.
Our analysis covers SnappyClient’s core features, configuration, network communication protocol, commands, and post-infection activities. The figure below shows the SnappyClient attack chain observed by ThreatLabz.

Figure 5: Example attack chain of a campaign delivering SnappyClient.
The attack chain began with a fake telecom website that triggered an automatic downloader. Once executed, HijackLoader decrypts and loads SnappyClient, which uses multiple evasion techniques including an AMSI bypass and injection methods. For example, SnappyClient uses Heaven’s Gate to execute x64 direct system calls to evade user-mode API hooks when invoking certain native APIs.
SnappyClient establishes encrypted C2 communications using a custom protocol (ChaCha20-Poly1305) and retrieves tasking and targeting configuration from the server. Based on our observations, we believe that the operators of SnappyClient are mostly financially motivated with a focus on stealing cryptocurrency-related data from browsers, extensions, and wallet applications.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection), Deception
Technical Analysis of Xloader Version 8
ThreatLabz has published several reports on Xloader, which its authors have been updating consistently over the years. Recently, we published a technical analysis of new obfuscation methods and network protocol strategies used in Xloader versions 8.1 through 8.7. The figure below shows the attack chain.

Figure 6: The Xloader version 8.1 to 8.7 attack chain.
Starting with version 8.1, Xloader introduced more sophisticated obfuscation for hardcoded values and specific functions. For instance, when adding the typical assembly function prologue bytes (followed by a series of NOP instructions) for a decrypted function, Xloader now decodes the prologue bytes using a bitwise XOR operation. In addition to the enhancements described above, the custom decryption routine that Xloader uses to decrypt data is now obfuscated.
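XOR-encoded prologue bytes are a speed bump for an analyst rather than a wall, because the plaintext is known: a standard function prologue followed by a run of NOPs. The snippet below is an added example, not code from the Xloader analysis, showing how that known plaintext recovers the key. It assumes a single-byte key and the common x86/x64 prologue encodings listed in `PROLOGUES`; Xloader's real scheme is described only in the original report, and `encode_sample` produces constructed data.

```python
"""Recover a single-byte XOR key from an encoded function prologue by
testing for a known prologue followed by a NOP sled.  Added example;
the key size and prologue table are assumptions, not Xloader's scheme."""

# Known plaintext: the bytes a compiler emits at the start of a function.
PROLOGUES = {
    b"\x55\x8b\xec": "push ebp; mov ebp, esp (x86)",
    b"\x55\x89\xe5": "push ebp; mov ebp, esp (x86, alternate encoding)",
    b"\x55\x48\x89\xe5": "push rbp; mov rbp, rsp (x64)",
}
NOP = 0x90


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def recover_key(encoded, min_nops=4, window=16):
    """Try every single-byte key against the first `window` bytes.

    Returns (key, prologue_name, nop_count) when the decoded bytes begin
    with a known prologue followed by at least `min_nops` NOPs, else None."""
    for key in range(256):
        decoded = xor_bytes(encoded[:window], key)
        for prologue, name in PROLOGUES.items():
            if decoded.startswith(prologue):
                tail = decoded[len(prologue):]
                nops = len(tail) - len(tail.lstrip(bytes([NOP])))
                if nops >= min_nops:
                    return key, name, nops
    return None


def encode_sample(key):
    """Constructed sample: an x86 prologue, six NOPs, then `sub esp, 0x10`."""
    plain = b"\x55\x8b\xec" + bytes([NOP]) * 6 + b"\x83\xec\x10"
    return xor_bytes(plain, key)


if __name__ == "__main__":
    blob = encode_sample(0x5A)
    print("encoded:", blob.hex())
    print("recovered:", recover_key(blob))
```

The NOP-sled requirement is what keeps the search honest: the first byte alone always yields some key that produces 0x55, so the check insists that the following bytes decode to a plausible instruction sequence before accepting it.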
Xloader uses a set of decoy C2 servers to mask the real malicious C2 servers. Xloader includes a total of 65 C2 IP addresses that are individually decrypted only when they are used at runtime. Xloader randomly chooses 16 C2 IP addresses and starts sending HTTP requests (both internal request IDs 3 and 6 mentioned in Table 1 of the original analysis). Xloader repeats this process until all C2 servers have been contacted. This makes it difficult for malware sandboxes to differentiate decoys from the real C2 servers. Thus, the only way to determine the real C2 servers is to first establish a network connection with each C2 address (e.g., by network emulation) and verify the response.
Xloader continues to be a highly active information stealer that constantly receives updates. As a result of the malware’s multiple encryption layers, decoy C2 servers, and robust code obfuscation, Xloader has been able to remain largely under the radar. Therefore, ThreatLabz expects Xloader to continue to pose a significant threat for the foreseeable future.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection), Deception