A coordinated supply chain campaign — the highest priority item in this rollup at 0.85 — compromised three widely used open-source tools (Trivy, Axios, LiteLLM) during March 2026 by injecting malicious code into published releases via maintainer account compromise and poisoned release pipelines, targeting CI/CD environments to steal API keys, tokens, and cloud credentials. No CVE identifier has been assigned and specific compromised version ranges are not yet confirmed in open-source reporting; confidence in full technical payload details is rated MEDIUM. Any organization that pulled these packages during March 2026 should immediately rotate all secrets accessible to affected pipelines, audit outbound network activity from build agents, and pin dependencies to maintainer-verified clean versions — note that Axios also has a separate CVE (CVE-2026-40175) addressed under its own vendor entry below.
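One way to check the pinning advice above across a repository, as an added example that is not part of the original advisory. It assumes Axios is declared in `package.json`, LiteLLM in a `requirements.txt`, and Trivy is run through the `aquasecurity/trivy-action` GitHub Action; function names and sample inputs are constructed. It only reports unpinned references, since which versions are clean has to come from the maintainers.

```python
import json
import re

WATCHED = ("trivy", "axios", "litellm")  # the three tools named in the advisory

def audit_package_json(text):
    """Flag watched npm packages declared with a range instead of one exact version."""
    findings = []
    doc = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in doc.get(section, {}).items():
            if name.lower() in WATCHED and not re.fullmatch(r"\d+\.\d+\.\d+", spec):
                findings.append(f"package.json: {name} '{spec}' is a range, not an exact version")
    return findings

def audit_requirements(text):
    """Flag watched PyPI requirements that lack an '==' pin or a --hash."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#")[0].strip()  # drop comments
        m = re.match(r"[A-Za-z0-9_.-]+", line)  # project name, before extras/specifier
        if not m or m.group(0).lower() not in WATCHED:
            continue
        if "==" not in line:
            findings.append(f"requirements: {m.group(0)} has no '==' pin")
        elif "--hash=" not in line:
            findings.append(f"requirements: {m.group(0)} is pinned but has no --hash")
    return findings

def audit_workflow(text):
    """Flag watched GitHub Actions referenced by tag or branch instead of a commit SHA."""
    findings = []
    for action, ref in re.findall(r"uses:\s*([^\s@#]+)@(\S+)", text):
        if any(w in action.lower() for w in WATCHED) and not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"workflow: {action}@{ref} is a mutable ref, not a commit SHA")
    return findings

# Constructed sample inputs; 9.9.9 is a placeholder, not a statement about any real release.
PACKAGE_JSON = '{"dependencies": {"axios": "^9.9.9", "left-pad": "9.9.9"}}'
REQUIREMENTS = "litellm>=9.9.9\nrequests==9.9.9\n"
# Assumption: Trivy is consumed via the aquasecurity/trivy-action GitHub Action.
WORKFLOW = "steps:\n  - uses: aquasecurity/trivy-action@master\n  - uses: actions/checkout@v4\n"

if __name__ == "__main__":
    for finding in (audit_package_json(PACKAGE_JSON) + audit_requirements(REQUIREMENTS)
                    + audit_workflow(WORKFLOW)):
        print(finding)
```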

Author

Tech Jacks Solutions