Two coordinated supply chain campaigns attributed to North Korean state-linked UNC1069 and criminal group TeamPCP compromised Axios (npm, CVE-2026-40175, CVSS 8.1) and Aqua Security’s Trivy vulnerability scanner (CVE-2026-33634, CVSS 9.5). The injected malicious code propagated through CI/CD pipelines and harvested API keys, cloud credentials, and authentication tokens at scale. Confirmed victims include OpenAI, the European Commission, and Checkmarx.

The federal remediation deadline for CVE-2026-33634 was April 9, 2026, which has already elapsed, making immediate action mandatory.

Organizations must audit all CI/CD environments for affected package versions, rotate all credentials exposed in compromised pipeline environments, upgrade Trivy to a verified clean release per GHSA-69fq-xp46-6x23, and enforce IMDSv2 on all AWS EC2 instances as a baseline mitigation against Axios SSRF-to-metadata exfiltration.
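One way to check the IMDSv2 baseline named above, as an added example that is not part of the original advisory: it reads JSON shaped like `aws ec2 describe-instances` output and flags every instance that still answers session-less IMDSv1 requests, which are the requests a plain SSRF GET can make. The sample inventory and instance IDs are constructed, and the function names are illustrative.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not real data).
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}]},
  {"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "State": {"Name": "stopped"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa4", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa5", "State": {"Name": "terminated"}}]}
]}
""")

def classify(instance):
    """Return 'imdsv1-allowed', 'imdsv2-enforced', 'imds-disabled' or 'skipped'."""
    if instance.get("State", {}).get("Name") == "terminated":
        return "skipped"  # nothing left to remediate
    opts = instance.get("MetadataOptions") or {}
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-disabled"  # metadata service unreachable on this instance
    # Missing or "optional" HttpTokens: session-less IMDSv1 GETs are still answered.
    # Stopped instances count too, because they keep the setting when restarted.
    return "imdsv2-enforced" if opts.get("HttpTokens") == "required" else "imdsv1-allowed"

def audit(describe_output):
    """Map instance id -> classification across all reservations."""
    return {i["InstanceId"]: classify(i)
            for r in describe_output.get("Reservations", [])
            for i in r.get("Instances", [])}

def remediation_commands(results):
    """AWS CLI commands that set HttpTokens=required on each finding."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-endpoint enabled"
            for iid, status in sorted(results.items()) if status == "imdsv1-allowed"]

if __name__ == "__main__":
    results = audit(SAMPLE)
    for iid, status in sorted(results.items()):
        print(f"{iid}  {status}")
    print("\n".join(remediation_commands(results)))
```

To audit a live account, replace `SAMPLE` with the parsed output of `aws ec2 describe-instances` for each region in use.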

Author

Tech Jacks Solutions