As of Tuesday, the supply-chain attack remains active, and its scope now extends beyond the original 18 infected Qix packages to include five additional compromised DuckDB and coveops/abi packages, according to JFrog. Wiz warns organizations to assume "malicious versions of popular packages are still available for download and might be automatically included in development pipelines."