AI Sec News

March 25, 2026

TeamPCP Backdoors LiteLLM on PyPI, Harvests Cloud Creds at Scale

Supply-chain attacks used to target what you depend on. Now they target what your AI depends on. There's a difference — and it matters more than most teams realize.

AI Sec News Weekly #1 — 187 sources scanned

When a traditional library gets compromised, the blast radius is bounded by what that library can touch. But an AI proxy layer sits at the intersection of every model call, every API key, every orchestration secret in your stack. Compromise one package and you're not just inside the build pipeline — you're inside the inference path, with line-of-sight to every credential the agent needs to do its job.

The entries below show the Trivy supply-chain story is still unfolding in ways nobody predicted six months ago. Scroll down — it's a busy week.


This Week's Stories

TeamPCP Backdoors LiteLLM on PyPI, Harvests Cloud Creds and Kubernetes Secrets at Scale

TeamPCP — the group behind the Trivy supply-chain compromise — pushed malicious LiteLLM versions 1.82.7 and 1.82.8 to PyPI on March 24. Version 1.82.7 injected a base64 payload into litellm/proxy/proxy_server.py that fires on import. Version 1.82.8 escalated by dropping a litellm_init.pth file into site-packages, which the Python interpreter executes on every startup — even if LiteLLM is never imported. The payload runs a three-stage chain that begins with credential harvesting (SSH keys, cloud tokens, K8s secrets).

Why it matters: The .pth vector means any Python process on a compromised host runs the payload — not just code that imports LiteLLM — so the blast radius extends well beyond the LLM proxy into every service sharing that Python environment.

BleepingComputer by Lawrence Abrams

Trivy Supply-Chain Fallout Hits 1,000+ Cloud Environments, Lapsus$ Now Involved

Mandiant CTO Charles Carmakal disclosed at RSAC 2026 that over 1,000 SaaS environments are actively dealing with infections traced back to the Trivy 0.69.4 compromise, with that number expected to grow into the thousands. The original attack exploited a misconfigured GitHub Action in Trivy's repo to steal a privileged access token — a flaw that was never fully remediated. Wiz reports that TeamPCP has now partnered with Lapsus$ and other extortion crews, and that the campaign has spread laterally to trojanize LiteLLM, which Wiz says is present in 36% of cloud environments.

Why it matters: A stolen CI token from February metastasized into a multi-tool supply-chain campaign three months later because the initial credential exposure was treated as contained — incomplete revocation in CI/CD has compounding consequences.

The Register Security by Jessica Lyons

Inside the LiteLLM Backdoor: .pth Launchers, K8s Pod Spray, and Systemd Persistence

Endor Labs and JFrog published detailed teardowns of the LiteLLM 1.82.7–1.82.8 payloads. The v1.82.8 .pth launcher uses subprocess.Popen to spawn a detached child process, decoding and executing the payload in the background — invisible to the importing application. The harvester checks for a Kubernetes service account token and, if found, enumerates all cluster nodes and deploys a privileged pod to each one that chroots into the host filesystem to install persistence.

Why it matters: The chroot-to-host trick via privileged pods turns a single compromised Python dependency into full node-level persistence across an entire Kubernetes cluster — container isolation provides no defense when the attacker's pod requests privileged: true and the admission policy allows it.

The Hacker News
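The two LiteLLM entries above both turn on the same mechanism: site.py executes any line of a .pth file that begins with `import` at interpreter startup. As an added defensive example (not code from the page or from any vendor cited above), the scanner below lists those executable lines for every .pth in site-packages and flags launcher indicators such as base64 or subprocess; the sample .pth contents and the indicator regex are constructed for illustration.

```python
import re
import site
from pathlib import Path

# Constructed indicator list for launcher-style .pth lines; tune per environment.
SUSPICIOUS = re.compile(r"base64|exec\(|subprocess|Popen|marshal|zlib|os\.system")


def executable_lines(text: str) -> list[str]:
    """Lines that site.py passes to exec() when it processes a .pth file.

    Every other line is a sys.path entry or a '#' comment; only lines that
    begin with 'import ' or 'import<tab>' run as code at interpreter startup.
    """
    return [line.strip() for line in text.splitlines()
            if line.startswith(("import ", "import\t"))]


def classify_pth(name: str, text: str) -> dict:
    """Report every executable line in a .pth and which ones carry indicators."""
    exe = executable_lines(text)
    return {"file": name, "executable": exe,
            "flagged": [line for line in exe if SUSPICIOUS.search(line)]}


def scan_site_packages(dirs=None) -> list[dict]:
    """Classify every .pth in the site-packages directories of this interpreter."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    reports = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            reports.append(classify_pth(str(pth), pth.read_text(errors="replace")))
    return reports


# Constructed sample contents: a path-only file, a benign import shim of the
# kind packaging tools install, and a launcher-style line (runs 'true' only).
SAMPLES = {
    "paths.pth": "/opt/vendor/lib\n# comment\n",
    "shim.pth": "import os; os.environ.setdefault('EXAMPLE_FLAG', '1')\n",
    "sample_init.pth": "import subprocess; subprocess.Popen(['true'])\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(classify_pth(name, text))
    for report in scan_site_packages():
        if report["flagged"]:
            print("REVIEW", report)
```

Run it on each host's interpreters (system, venvs, container images) and treat any flagged line, or any .pth whose name does not match an installed distribution, as something to review rather than as proof of compromise.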


Tool Spotlight

New repos and releases worth trying.

Snyk Launches Agent Security Solution to Protect the Full AI Lifecycle

Snyk Launches Agent Security to Govern Autonomous AI from Code to Production. At RSAC this week, Snyk announced its new Agent Security solution alongside the GA of Evo AI-SPM, targeting the growing risks of autonomous coding agents like Claude Code, Cursor, and Devin. The platform introduces an enforcement layer across the full AI lifecycle, governing how agents are introduced, what they build, and how they behave in production. Central to this is Evo AI-SPM, which creates a live inventory (AI-BOM), enriches it with risk intelligence, and converts plain-English governance intent into machine-enforceable security guardrails that execute natively during CI pipelines.

Why it matters: Autonomous agents are rapidly becoming part of the software supply chain, but most enterprises lack visibility and control over what these agents introduce or execute. Snyk’s approach reframes AI governance as an enforceable, code-first security problem — shifting from post-deployment monitoring to pre-deployment control.

snyk.io

Trail of Bits Ships a Claude Plugin That Finds Dimensional Mismatches Mechanically

Trail of Bits released a Claude Code plugin for dimensional analysis — instead of asking the LLM to "find bugs," it uses the model to annotate your codebase with dimensional types (units like wei, seconds, basis points), then flags mismatches mechanically. The workflow runs four phases: dimension discovery, annotation, propagation, and validation. Tested against real (unpublished) audit findings, it hit 93% recall with 12% standard deviation, versus 50% recall and 20% standard deviation for baseline prompts. Install is three commands via the Claude plugin marketplace.

Why it matters: Turning the LLM into a labeling machine and letting deterministic checks do the actual bug-finding sidesteps the hallucination problem that makes most LLM security tooling unreliable — and the approach generalizes well beyond blockchain arithmetic.

Trail of Bits by Benjamin Samuels

PenBot 2.0: A Multi-Agent Framework for Automated Chatbot Penetration Testing

PenBot 2.0.0 landed on PyPI as an open-source, multi-agent pentest framework specifically targeting AI chatbots. It identifies the target's domain in round one (e.g., "parcel tracking bot"), then adapts attack patterns accordingly — testing for stored XSS, SQL injection, data leakage, and business-logic flaws rather than just recycling generic jailbreak prompts. In its first production run against a live chatbot, it found 15 vulnerabilities in 63 minutes, including a critical stored XSS in the admin panel via payload logging.

Why it matters: Domain-aware adaptation is the interesting bit — most chatbot red-teaming tools treat every target identically, which means they miss the injection vectors that live in business-specific input fields like tracking numbers or account IDs.

pypi.org


Community Chatter

What practitioners are debating.

Simon Willison's JavaScript Sandboxing Deep Dive Sparks Agent-Runtime Debate

Simon Willison published a Claude Code–generated comparison of JavaScript sandboxing options for running untrusted code, covering Node.js primitives (worker_threads, node:vm, the Permission Model), npm packages (isolated-vm, vm2), and alternative engines like quickjs-emscripten, QuickJS-NG, ShadowRealm, and Deno Workers. The research originated from Aaron Harper's post on worker threads and quickly expanded into a broader survey of isolation tradeoffs — escape surface, performance overhead, and API compatibility across each approach.

Why it matters: Anyone wiring LLM-generated code into an agent loop is picking one of these runtimes, and vm2 was already abandoned after CVE-2023-37466 — the field of safe options is smaller than most teams assume.

Simon Willison

OpenAI Details How It Monitors Internal Coding Agents for Misalignment

OpenAI described a low-latency monitoring system it built for its own internal coding agents, using GPT-5.4 Thinking at maximum reasoning effort to review agent chains of thought and actions in near-real-time. The system flags behaviors inconsistent with user intent or internal security policies, categorizes them by severity, and operates within a roughly 30-minute review window. OpenAI notes the unique risk profile: these agents can inspect — and potentially modify — the documentation and code of their own safeguards.

Why it matters: Using one frontier model to police another's chain-of-thought is an honest admission that static rules can't keep up with agentic behavior — but the monitor inherits whatever blind spots the overseer model has.

OpenAI Blog

Two Enterprise Teams Ran Six-Month SOC AI Pilots — Here's What Actually Happened

At RSAC 2026, Ankit Gupta (Fortune 500 food manufacturing) and Shilpi Mittal (financial services) presented results from six-month trials of LLM-powered triage in their SOCs. Mittal reported mean time to discovery improved 26–36%, MTTR dropped 22%, and false positives fell 16 points — but the AI also generated new false positives of its own. The LLM operated as a read-only triage assistant with enforced citations, human approval gates, tool allow lists, and full audit logging.

Why it matters: The 16-point false-positive reduction came with a read-only, citation-required setup — teams that skip those constraints and let the model take autonomous action are running a fundamentally different experiment than the one that produced these numbers.

Dark Reading by Becky Bracken


Quick Hits

  • Critical Langflow RCE Exploited Within 20 Hours of Disclosure (The Hacker News) — CVE-2026-33017 (CVSS 9.3) lets attackers get unauthenticated RCE on Langflow via exec() on flow data; exploitation hit the wild in under a day.
  • RSAC Talk Shows AI Coding Agents Bypassing Endpoint Defenses (Dark Reading) — Researchers at RSAC 2026 demoed how Claude Code, Codex, and Gemini agents can read local configs to slip past EDR and browser isolation.
  • 121 Agent Skills Vulnerable to GitHub Username Hijacking (Reddit) — 121 skills across 7 agent marketplaces are susceptible to repo takeover via GitHub username hijacking; 5 scanners disagreed 10x on detection.
  • Raxe Ships Runtime Scanner for Prompt Injection in Agents (pypi.org) — New PyPI package raxe scans agentic inputs at runtime for prompt injection and jailbreaks using 500+ rules and an on-device ML model.
  • Stolen Premium AI Accounts Selling Briskly on Dark Web (BleepingComputer) — Flare found an active underground market for paid AI accounts and API keys, acquired via credential theft, key scraping, and trial abuse.
  • OpenClaw Beta Tightens Agent Sandbox and Plugin Hooks (github.com) — OpenClaw's new beta locks down outbound file access to match fs policy and adds a before_dispatch plugin hook exposing inbound metadata.


Curated by the AI Security Engineers Community @ Snyk
Built with curiosity and a healthy mass of paranoia
