The TeamPCP supply chain campaign crossed a new threshold overnight: CERT-EU confirmed the European Commission's AWS environment was breached via the poisoned Trivy scanner, with 340 GB exfiltrated across 71 EU entities, and Mandiant now quantifies the broader campaign at 1,000+ SaaS environments and ~500,000 compromised machines. An AI coding agent autonomously installed the trojanized LiteLLM package in a CI/CD pipeline — a threat category no current governance model addresses. The Axios npm maintainer published a postmortem revealing UNC1069 used deepfake personas and a fabricated Slack workspace. A new phishing kit called VENOM is actively bypassing MFA against C-suite targets. KEV deadlines: CVE-2026-33634 (Trivy) April 9, CVE-2026-5281 (Chrome) April 15.
Since April 2: CERT-EU disclosure, Mandiant scale quantification, Sportradar confirmed victim, LiteLLM AI agent vector, Elastic IOCs · Covered by 6+ sources
The TeamPCP campaign grew significantly overnight across three dimensions:
CERT-EU disclosure: The European Commission's Europa AWS hosting platform was breached on March 19 via AWS API keys harvested by the trojanized Trivy scanner (CVE-2026-33634, EPSS 0.21, CISA KEV deadline April 9). EC SOC detected March 24 (five-day dwell); CERT-EU notified March 25; 340 GB exfiltrated including ~52,000 email-related files spanning 42 internal EC departments and 29 other EU entities. ShinyHunters published the dataset March 28.
Scale quantification: Mandiant CTO confirmed 1,000+ SaaS environments affected, with credentials from approximately 500,000 machines now circulating. Campaign spans five ecosystems: GitHub Actions, PyPI, npm, Docker Hub/GHCR, and OpenVSX.
New victim: Sportradar AG ($5B valuation) confirmed as hit by a joint TeamPCP/Vect ransomware operation — 26,000 user records, credentials for 161 client organizations (ESPN, Nike, NBA Asia, IMG Arena), 328 platform API key/secret pairs, 8 production RDS passwords, and Kafka SASL credentials exposed. CipherForce publication deadline approximately April 10–11.
AI coding agent vector: SentinelOne documented an AI coding assistant with unrestricted permissions autonomously installing the trojanized LiteLLM package in a CI/CD pipeline. The agent was terminated in 44 seconds by behavioral detection, but the implication is clear: AI agents that can install packages without human review are a supply chain attack surface that sits entirely outside current SBOM and code review governance. Datadog Security Labs published a full technical trace of the LiteLLM and Telnyx PyPI compromise chain, tracing both back to the March 19 Trivy origin event.
New IOCs: Elastic Security Labs published MITRE ATT&CK-mapped container attack detection guidance documenting TeamPCP's use of frps (fast reverse proxy) and gost for tunneling through compromised container environments.
Action: Patch Trivy to v0.69.2+, trivy-action to v0.35.0, or setup-trivy to v0.2.6 before the April 9 KEV deadline. Organizations with Sportradar business relationships should assess exposure against the 328 exposed API key/secret pairs. Any host that installed affected LiteLLM versions should be treated as a full-credential-exposure event.
The actor ecosystem is tangled: TeamPCP/LAPSUS$/Vect are the primary supply chain operators, DPRK UNC1069 is present in the credential pool (and ran the separate Axios operation using adjacent access), and ShinyHunters appears as a downstream data publisher. Whether ShinyHunters purchased credentials or has a tighter operational link to TeamPCP remains an open question. The 16-day pause in new package compromises since the Telnyx disclosure may indicate operational consolidation, not cessation. Five-day dwell time at the EC — even with a well-resourced SOC — should recalibrate detection expectations.
Sources: SANS ISC Update 006 · CERT-EU · BleepingComputer · HelpNetSecurity · SentinelOne · Datadog
Since April 2: Full social engineering chain documented, deepfake/cloned persona confirmed, postmortem published · Covered by 10+ sources
The Axios maintainer postmortem fills in the social engineering chain that enabled the npm compromise:
axios@1.14.1 and axios@0.30.4 within minutes of each other
The fake Slack workspace populated with profiles of real OSS maintainers is a meaningful escalation in social engineering sophistication. UNC1069 did bespoke reconnaissance on the maintainer social graph and built an entire staged environment to exploit contextual trust. The time-pressure mechanic — "your software is out of date, install now or be late for this meeting" — is effective even against technically sophisticated targets who are contextually primed to expect dependency issues.
This is the same UNC1069 playbook Google GTIG documented for cryptocurrency and AI sector targeting, now with upgraded capabilities: synthetic personas, multi-channel social proof, and purpose-built pretexting infrastructure. Five vendors have independently corroborated DPRK attribution.
No new IOCs beyond those published April 2 (C2 sfrclak[.]com, 142.11.206.73:8000). Action items unchanged: block IOCs, check lockfiles for plain-crypto-js, rotate credentials on any system that installed affected versions during the March 31 window.
Sources: CrowdStrike · The Hacker News · Simon Willison · SentinelOne
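One way to run the lockfile check from the action items above, as an added example that is not part of the original digest or any vendor tooling. It assumes npm's package-lock.json layout (v1 nested "dependencies", v2/v3 flat "packages"); the sample lockfile and the plain-crypto-js version in it are constructed.

```python
import json

# Indicators named in the digest: the two malicious axios releases and the
# plain-crypto-js dependency from the action items.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_NAMES = {"plain-crypto-js"}

def _check(name, version, where, hits):
    if name in BAD_NAMES:
        hits.append(f"{where}: {name}@{version} (flagged package)")
    elif version in BAD_VERSIONS.get(name, ()):
        hits.append(f"{where}: {name}@{version} (flagged version)")

def _walk_v1(deps, trail, hits):
    # lockfileVersion 1 nests transitive dependencies under "dependencies".
    for name, meta in deps.items():
        where = f"{trail}>{name}" if trail else name
        _check(name, meta.get("version", "?"), where, hits)
        _walk_v1(meta.get("dependencies", {}), where, hits)

def scan_lockfile(lock):
    """Return findings for a parsed package-lock.json (v1, v2 or v3)."""
    hits = []
    # v2/v3: flat "packages" map keyed by install path, e.g.
    # "node_modules/a/node_modules/axios"; the root project is the "" key.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        _check(name, meta.get("version", "?"), path, hits)
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits)

# Constructed sample lockfile (not from a real project).
SAMPLE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/legacy/node_modules/axios": {"version": "0.29.0"},
    "node_modules/@scope/pkg": {"version": "2.0.0"}
  }
}""")

if __name__ == "__main__":
    print("\n".join(scan_lockfile(SAMPLE)))
```

A clean lockfile today does not prove a host never resolved the flagged versions during the exposure window, so credential rotation still depends on install history.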
Since April 2: Novel attack vector clarified — Solana durable nonces weaponized via social engineering of governance signers · Covered by 3 sources
The Drift Protocol theft mechanism is now better understood and it's worse than initially reported. The attackers exploited Solana's durable nonce mechanism — a feature designed for legitimate offline transaction signing — to pre-stage malicious transactions held in reserve until the Security Council administrative keys were compromised via social engineering of governance signers. The full drain of five vaults completed in under 10 seconds, confirming meticulous pre-positioning. Attribution to DPRK reported by SecurityWeek; formal USG attribution still pending.
The durable-nonce technique is a blockchain-native evolution of the classic "sign this document" pretext (T1078, T1528). Organizations using multisig or threshold signing schemes on Solana should treat pre-authorized nonce transactions as a new threat vector requiring governance review. The speed of execution was a red herring — the social engineering prep work was the attack.
Sources: The Hacker News · SecurityWeek · BleepingComputer
A previously undocumented phishing platform dubbed "VENOM" is conducting active spearphishing campaigns against senior executives with confirmed MFA bypass capability. The "neutralizes MFA" framing is consistent with an adversary-in-the-middle (AitM) architecture that proxies authentication sessions in real time (T1557, T1111) — the same technique class as EvilProxy, Evilginx, and the recently disrupted Tycoon2FA. Two independent outlets are covering simultaneously, suggesting coordinated vendor research disclosure.
No IOCs yet. The C-suite targeting profile means credential harvesting is pointed at SSO, board-level email, and financial system access. Coming weeks after the Tycoon2FA disruption (330 domain seizures via Europol), VENOM may be filling the vacuum — the modular subscription PhaaS model disperses capability to successor platforms exactly as predicted. This is the second new MFA-bypass kit in a week (after EvilTokens). Microsoft's documented 54% click-through rate for AI-assisted phishing makes these kits significantly more dangerous than their predecessors.
Review conditional access policies; hunt for anomalous OAuth token grants and AitM session indicators in Entra ID audit logs.
Sources: SC World · Infosecurity Magazine
Chrome CVE-2026-5281 (Dawn/WebGPU UAF, actively exploited, KEV deadline April 15): no new technical detail since the April 2 afternoon update. EPSS has ticked up to 0.015 but remains a lagging indicator given confirmed wild exploitation. Update to Chrome 146.0.7680.177+ across all Chromium-based browsers. Fourth Chrome zero-day of 2026; two prior KEV entries (CVE-2026-3909, CVE-2026-3910) are now past their March 27 deadlines.
Cisco IMC CVE-2026-20093 (unauthenticated auth bypass to admin on out-of-band management): HelpNetSecurity coverage today confirms the scope across UCS C/E-Series, 5000 ENCS, and Catalyst 8300 uCPE. IMC is below-OS management plane — compromise is invisible to host EDR and survives reimaging. Patch or network-segment IMC interfaces from untrusted networks. Expect KEV addition if exploitation is observed.
CERT-UA published a strategic advisory warning that Russian threat actors are conducting systematic re-access operations against previously breached Ukrainian infrastructure — verifying whether previously exploited vulnerabilities remain unpatched, whether credentials remain valid, and whether access pathways are still viable. No specific group designation or IOCs published. This is consistent with pre-positioning behavior documented ahead of previous Russian escalation phases and should be treated as a strategic indicator rather than a tactical alert. Defenders previously breached in Russian campaigns should revalidate credential hygiene and patch status. (BleepingComputer)
Nine CVEs disclosed for Roundcube up to 1.5.13/1.6.13. Priority items: CVE-2026-35537 (Redis/Memcache deserialization — RCE where session caching uses those backends) and CVE-2026-35538 (IMAP SEARCH argument injection). Remaining seven cover HTML/SVG content injection, resource loading issues, and a Password Plugin type confusion. Roundcube is widely deployed in academic, government, and EU institutional environments and has historically attracted APT attention — multiple Ukrainian government targeting campaigns have used Roundcube vulnerabilities as initial access. Patch to 1.5.14 or 1.6.14. (VulDB)
T-Mobile disclosed an insider threat incident via regulatory filing, characterizing impact as limited in scope. Telecom insider access is structurally high-risk for SIM-swap and account takeover chains. T-Mobile's documented history of breach understatements means "limited" should be treated as provisional until independently validated. Watch for revised scope. (SecurityWeek)
Appending whitespace to a filename (e.g., "shell.php ") evades OWASP Core Rule Set extension-based blocking, enabling webshell upload of .php, .phar, .jsp, and .jspx files. Windows backends that normalize whitespace in filenames are the primary exploitation surface — IIS + OWASP CRS is a common enterprise combination. Update CRS rules and retroactively hunt WAF logs for whitespace-padded extension patterns — this is a concrete retroactive detection opportunity. (Full Disclosure)
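A sketch of the retroactive WAF-log hunt suggested above, as an added example that is not from the original advisory or from CRS. It assumes the log records the multipart Content-Disposition header verbatim; the log line format and sample entries are constructed.

```python
import re
from urllib.parse import unquote

# Extensions the digest lists as uploadable via the bypass.
BLOCKED_EXT = (".php", ".phar", ".jsp", ".jspx")
# Pulls the quoted filename out of a logged Content-Disposition header.
# Assumption: the WAF/audit log keeps that header as the client sent it.
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def padded_script_uploads(lines):
    """Return (line_no, raw_filename) for filenames that end in whitespace
    after a blocked extension, including percent-encoded whitespace."""
    hits = []
    for no, line in enumerate(lines, 1):
        for raw in FILENAME_RE.findall(line):
            decoded = unquote(raw)        # %20, %09 ... become real whitespace
            trimmed = decoded.rstrip()    # drop any trailing whitespace
            if trimmed != decoded and trimmed.lower().endswith(BLOCKED_EXT):
                hits.append((no, raw))
    return hits


# Constructed sample log lines (hypothetical format, not real traffic).
_P = 'POST /upload {} Content-Disposition: form-data; name="f"; filename="{}"'
SAMPLE_LOG = [
    _P.format(200, "report.pdf"),
    _P.format(200, "shell.php "),      # trailing space
    _P.format(200, "img.PHAR%20"),     # encoded space, upper-case extension
    _P.format(200, "my notes.txt"),    # interior space only: benign
    _P.format(200, "a.jspx\t"),        # trailing tab
    _P.format(403, "index.php"),       # unpadded: already caught by the rule
]

if __name__ == "__main__":
    for no, name in padded_script_uploads(SAMPLE_LOG):
        print(f"line {no}: {name!r}")
```

Hits that returned a 2xx status are the ones to correlate with files written on the backend.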
Auth bypass chained with arbitrary file upload achieves unauthenticated RCE on Citrix ShareFile. No CVEs assigned yet — disclosure may be under coordinated embargo. This vulnerability class in Citrix products has a strong track record of rapid weaponization by ransomware groups (ref: Citrix Bleed, CVE-2023-4966). Watch for vendor advisory and CVE assignment, then patch immediately. (SecurityWeek)
A new SparkCat variant is live on both the Apple App Store and Google Play Store, using on-device OCR/ML to scan photo libraries for crypto wallet seed phrases. The notable shift: delivery via enterprise messenger lookalike apps expands the target surface from crypto enthusiasts to corporate users installing what appear to be legitimate business communication tools. No IOCs in current reporting. (The Hacker News)
Continuing from April 1. CrowdStrike detection guidance is published and ready for implementation. Cluster size of 11 vs. EPSS 0.00045 is a notable disconnect — high vendor attention despite low measured exploitation probability. CNAME-based Kerberos relay is a novel variant of a well-understood coerce-and-relay attack class with a strong historical weaponization record.
CoBRA achieves 99.86% simplification success against Mixed Boolean-Arithmetic obfuscation (VMProtect, Themida, modern malware packers) across 73,066 expressions. Ships as CLI, C++ library, and LLVM 19–22 pass plugin with Z3 equivalence verification. The LLVM pass integration is particularly useful for teams building deobfuscation pipelines on top of Remill or similar lifting frameworks. Genuine capability uplift for malware RE teams. Apache 2.0. (Trail of Bits)
Sparse reporting — no attribution, attack type, or operational impact disclosed. Emergency dispatch infrastructure in small municipalities frequently runs legacy CAD software with poor patch cadence. If this turns out to be ransomware, it fits the pattern of municipal emergency services targeting since 2020. Monitor for follow-up. (The Record)
~67 entries skipped across all sections: 34 vulnerability stubs (Zoho ManageEngine XSS batch, NASA cFS memory safety, Casdoor OAuth, miscellaneous WordPress/CMS/consumer app CVEs), 29 general-section drops (8 CrowdStrike product marketing posts forming their own little ecosystem, AI model releases, RSAC recap, vendor announcements, a Europol migrant smuggling arrest, Windows 11 force-upgrade news, a misrouted DOJ departure piece), 1 Exchange Online availability flap, 1 vendor-dressed ransomware "explainer," 1 credentials roundup with no depth, and 1 Nigerian romance scammer conviction — caught by a fellow scammer, which is genuinely the most entertaining item in today's entire feed.
Editorial note: DPRK is running what amounts to a full-spectrum financial and supply chain offensive — the Axios social engineering postmortem and the Drift durable-nonce technique are both genuinely novel TTPs worth studying independently of the immediate incident response. But the quiet bombshell is buried in the TeamPCP coverage: an AI coding agent autonomously installed a trojanized package in a production CI/CD pipeline. That's a proof of concept for a threat category that will get worse before anyone figures out governance for it. Every organization deploying agentic AI with package-install permissions needs to read the SentinelOne write-up and ask hard questions about their own controls. Three supply chain campaigns, an MFA-bypass PhaaS kit filling the Tycoon2FA vacuum, and a $285M heist in a single news cycle is not normal operational tempo.