EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack
Threat actors with ties to Iran successfully broke into the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI), and leaked a cache of photos and other documents to the internet.
The FBI said the published data was "historical in nature and involves no government information." The leak includes emails from 2010 and 2019 allegedly sent by Patel.
Handala Hack Team, which carried out the breach, said on its website that Patel "will now find his name among the list of successfully hacked victims."
The primary vector for recent destructive operations from Handala Hack likely involves the exploitation of identity through phishing and administrative access through Microsoft Intune. Hudson Rock has found evidence that compromised credentials associated with Microsoft infrastructure obtained via infostealer malware may have been used to pull off the hack.
European Commission investigating breach after Amazon cloud account hack
The European Commission, the European Union's main executive body, is investigating a security breach after a threat actor gained access to the Commission's Amazon cloud environment. The threat actor who claimed responsibility for the attack stated that they had stolen over 350 GB of data (including multiple databases).
The EU's executive cabinet has yet to disclose the incident publicly, and an AWS spokesperson has stated, "AWS did not experience a security event, and our services operated as designed."
The threat actor stated they will not attempt to extort the Commission using the allegedly stolen data as leverage but intend to leak the data online in future.
After hackers hit an Iowa company, cars around the country failed to start
Many states require drivers, if they want to keep using their cars, to install ignition interlock devices that measure alcohol levels before allowing the vehicle to start.
One of the most common is from Des Moines, Iowa-based Intoxalock, which takes the form of a small box with a plastic tube into which the driver blows. The box then measures the level of alcohol in the breath. You must be below your state’s legal limit to start the vehicle. The interlock device can only be leased, and it costs around $70–$120 per month.
Intoxalock users need to have the devices calibrated about once a month at a local service center. If you miss your calibration window, the device also locks you out.
But what happens if the databases and backend systems supporting this whole scheme are unavailable?
A system outage made calibrations impossible, which meant that some users in each state weren’t able to calibrate on time and their vehicles were locked for days.
How Connected Vehicles Expand Cyber Risk Surface
Modern vehicles are interconnected cyber-physical platforms with an attack surface spanning mobile applications, backend servers, over-the-air update pipelines and artificial intelligence-driven decision systems. Each layer introduces risks that conventional IT security frameworks were never built to handle.
[rG: Reminiscent of BMWs in Russia being stalled due to anti-theft tracking network disruption.]
Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
Open VSX also serves as the extension marketplace for Cursor, Windsurf, and other VS Code forks.
The vulnerability, codenamed Open Sesame, has to do with how this Java-based service reports the scan results. Specifically, it's rooted in the fact that it misinterprets scanner job failures as meaning no scanners are configured, causing an extension to be marked as passing, and then immediately activated and made available for download from Open VSX.
At the same time, it can also refer to a scenario where the scanners exist, and the scanner jobs have failed and cannot be enqueued because the database connection pool is exhausted. Even more troublingly, a recovery service designed to retry failed scans suffered from the same problem, thereby allowing extensions to skip the entire scanning process under certain conditions.
An attacker can take advantage of this weakness to flood the publish endpoint with several malicious .VSIX extensions, causing the concurrent load to exhaust the database connection pool. This, in turn, leads to a scenario where scan jobs fail to enqueue.
What's notable about the attack is that it does not require any special privileges. A malicious actor with a free publisher account could have reliably triggered this vulnerability to undermine the scanning process and get their extension published.
[rG: Fail-open is never a good QA/Security practice. SSDLC Security Design Review using process flow diagrams could have identified this to provide remediation before implementation.]
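The fail-open pattern described in this item, reduced to a small model as an added example (this is not Open VSX code; the names ScanJobQueue, PoolExhausted, run_scans and decide_publication are assumptions made for illustration). The toy queue's capacity stands in for the database connection pool; when it is exhausted no scan job can be enqueued. The defective decision logic drops the failed jobs and reads an empty result set as "no scanners configured", so the extension is published; the fail-closed version keeps "scanner never ran" distinct from "no scanners configured" and holds the extension until every scanner has reported.

```python
"""Fail-open versus fail-closed handling of scanner-job failures.

Added example, not Open VSX's code. ScanJobQueue, PoolExhausted, run_scans and
decide_publication are constructed for illustration; the scenario follows the
bug described above.
"""
from dataclasses import dataclass


class PoolExhausted(Exception):
    """Stand-in for the database connection pool running dry."""


@dataclass
class ScanJobQueue:
    """Toy job queue whose capacity models the DB connection pool."""
    capacity: int
    in_flight: int = 0

    def enqueue(self, job_name: str) -> None:
        if self.in_flight >= self.capacity:
            raise PoolExhausted(job_name)
        self.in_flight += 1


def run_scans(queue: ScanJobQueue, scanners: list, extension_id: str,
              flagged_by: tuple = ()) -> dict:
    """Try to enqueue one job per configured scanner.

    Returns scanner -> "clean" | "flagged" | None, where None means the job
    could never be enqueued (the failure mode the text describes). Results
    for jobs that did enqueue are constructed via `flagged_by`.
    """
    results = {}
    for scanner in scanners:
        try:
            queue.enqueue(f"{extension_id}:{scanner}")
            results[scanner] = "flagged" if scanner in flagged_by else "clean"
        except PoolExhausted:
            results[scanner] = None
    return results


def decide_publication(results: dict, fail_open: bool) -> str:
    """Return "published", "rejected", "held" or "unscanned".

    fail_open=True reproduces the defective logic: failed jobs are dropped and
    an empty result set is read as "no scanners configured", so the extension
    is published. fail_open=False keeps the distinction and holds the
    extension until every scanner has actually reported.
    """
    if fail_open:
        reported = {k: v for k, v in results.items() if v is not None}
        if not reported:
            return "published"      # the bug: nothing ran, so nothing blocked
        if "flagged" in reported.values():
            return "rejected"
        return "published"
    # fail-closed path
    if not results:
        return "unscanned"          # operator decision; never auto-publish
    if "flagged" in results.values():
        return "rejected"
    if None in results.values():
        return "held"               # retry later; still not downloadable
    return "published"


if __name__ == "__main__":
    exhausted = run_scans(ScanJobQueue(capacity=0), ["static", "malware"], "ext-1")
    print("fail-open  :", decide_publication(exhausted, fail_open=True))
    print("fail-closed:", decide_publication(exhausted, fail_open=False))
```

The point of the "held" state is that a retry service must re-enqueue from it rather than re-evaluate the same empty result set; as the item notes, a recovery path that shares the fail-open logic simply reproduces the bypass.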
North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
The use of VS Code "tasks.json" to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks leveraging the "runOn: folderOpen" option to automatically trigger its execution every time any file in the project folder is opened in VS Code.
This task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system].
Threat actors achieve initial access to developer systems through "convincingly staged recruitment processes" that mirror legitimate technical interviews, ultimately persuading victims into running malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the assessment.
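A repository-review check for the auto-run tactic above, added here as an example (it is not from the report and not Microsoft's code). It parses a workspace's .vscode/tasks.json and lists every task whose runOptions.runOn is "folderOpen", the option named in the item. The sample tasks.json, the function name find_auto_run_tasks and the placeholder command are constructed.

```python
"""Flag VS Code tasks that run automatically when a folder is opened.

Added example, not from the report above. find_auto_run_tasks and
SAMPLE_TASKS_JSON are constructed for illustration.
"""
import json
import re

# tasks.json is JSON with comments (JSONC). Full-line // comments are stripped
# here; inline comments and trailing commas would need a real JSONC parser.
_LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)


def find_auto_run_tasks(text: str) -> list:
    """Return every task whose runOptions.runOn is "folderOpen".

    Each finding carries the task label, type and command so a reviewer can
    see what would execute with no user interaction beyond opening the folder.
    """
    data = json.loads(_LINE_COMMENT.sub("", text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "command": task.get("command"),
            })
    return findings


# Constructed sample: one ordinary build task and one auto-run task.
SAMPLE_TASKS_JSON = """{
  // Workspace tasks (constructed sample)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "<placeholder: fetches and runs remote content>",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}"""

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTO-RUN TASK: {f['label']} ({f['type']}): {f['command']}")
```

Run this against any take-home assessment repository before opening it in the editor; VS Code's Workspace Trust prompt is the built-in control that prevents automatic tasks from running in a folder that has not been explicitly trusted, so leaving unfamiliar repositories in restricted mode is the complementary mitigation.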
What’s Weak This Week:
CVE-2025-53521 F5 BIG-IP Unspecified Vulnerability:
Could allow a threat actor to achieve remote code execution.
CVE-2026-33634 Aquasecurity Trivy Embedded Malicious Code Vulnerability:
Allows an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.
Related CWE: CWE-506
[rG: See below attacks.]
CVE-2026-33017 Langflow Code Injection Vulnerability:
Could allow building public flows without requiring authentication.
Related CWEs: CWE-94| CWE-95| CWE-306
HACKING
TeamPCP: ‘CanisterWorm’ Springs Wiper Attack Targeting CICD and Iran
The group TeamPCP began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability.
The group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.
TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques.
The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.
TeamPCP’s infrastructure is being called “CanisterWorm” because the group orchestrates their campaigns using an Internet Computer Protocol (ICP) canister: a system of tamperproof, blockchain-based “smart contracts” that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.
TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases via GitHub Actions. Aqua Security said it has since removed the harmful files, but the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.
The extortion group TeamPCP is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.
The malicious campaign started with Trivy and Checkmarx and has shifted to LiteLLM — and now telnyx
The latest victim in the ongoing TeamPCP supply chain campaign includes compromised versions 4.87.1 and 4.87.2 of the telnyx PyPI package, which has been downloaded more than 3.75 million times. The ultimate goal of this latest compromise is exfiltration of cloud secrets like that observed in previous attacks in this campaign.
The LiteLLM package is an open-source Python library and proxy server that provides a unified interface to call over 100+ large language model (LLM) APIs — including OpenAI, Anthropic, Bedrock, and VertexAI — using a single, standardized format.
Python interface for LLMs infected with malware via polluted CI/CD pipeline
LiteLLM v1.82.7 and v1.82.8 have been taken down because they contain credential-stealing code in a component file, litellm_init.pth. Anyone who has installed and run LiteLLM should assume any credentials available to the LiteLLM environment may have been exposed, and revoke/rotate them accordingly.
Trivy is an open source vulnerability scanner maintained by Aqua Security that many other projects include as a security measure. The malware campaign began in late February, when the attackers took advantage of a misconfiguration in Trivy's GitHub Actions environment to steal a privileged access token that allowed the manipulation of CI/CD, according to Aqua Security.
TeamPCP used compromised credentials to publish a malicious Trivy release (v0.69.4), and again when malicious Trivy versions v0.69.5 and v0.69.6 were published as DockerHub images.
By modifying existing version tags associated with [the GitHub Action script] trivy-action, they injected malicious code into workflows that organizations were already running. Because many CI/CD pipelines rely on version tags rather than pinned commits, these pipelines continued to execute without any indication that the underlying code had changed.
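The tag-mutation problem described above is visible in the workflow file itself, so a simple repository check catches it. The checker below is an added example, not code from Aqua Security, Checkmarx or GitHub: it reads a workflow and reports every uses: reference whose version is a tag or branch rather than a full 40-hex commit SHA. The sample workflow, the example-org action names and the SHA in it are constructed.

```python
"""Report GitHub Actions `uses:` references not pinned to a commit SHA.

Added example, not code from Aqua Security, Checkmarx or GitHub. The
SAMPLE_WORKFLOW text, the example-org actions and the 40-hex SHA are
constructed.
"""
import re

_USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
_SHA = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list:
    """Return (line_number, reference) for each action ref whose version is a
    mutable tag or branch rather than a full commit SHA.

    Local actions (./path) and docker:// references are skipped: the former
    come from the same repository, the latter need image digest pinning,
    which is a separate check.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not _SHA.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed workflow: two mutable refs, one SHA-pinned ref, one local action.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Pinned to a commit (constructed SHA)
        uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/other-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

A force-pushed tag cannot move a SHA-pinned reference, which is exactly the attack path this item describes. The trade-off is that pinned actions no longer pick up fixes on their own, so pair the pin with a dependency-update process that bumps the SHA deliberately.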
TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor known as TeamPCP.
The workflows maintained by the supply chain security company Checkmarx, are:
checkmarx/ast-github-action
checkmarx/kics-github-action
Like in the case of Trivy, the threat actors have been found to force-push tags to malicious commits containing the stealer payload ("setup[.]sh"). The stolen data is exfiltrated to the domain "checkmarx[.]zone" (IP address: 83.142.209[.]11:443) in the form of an encrypted archive ("tpcp.tar.gz").
The new version creates a "docs-tpcp" repository using the victim's GITHUB_TOKEN to stage the stolen data as a backup method if the exfiltration to the server fails. In the Trivy incident, the threat actors used the repository name "tpcp-docs" instead.
The stealer's primary function, harvesting credentials from CI runner memory, allows the operators to extract GitHub personal access tokens (PATs) and other secrets when a compromised Trivy action executes in a workflow. To make matters worse, if those tokens have write access to repositories that also use Checkmarx actions, the attacker can weaponize them to push malicious code.
Wiz: Checkmarx KICS GitHub Action Compromised
Trivy Scanner Compromised in Supply Chain Attack
The malicious component collected environment variables, scanned the file system for credentials (SSH keys, cloud configurations for AWS, GCP, Azure, Kubernetes, Docker, .env files, database passwords, Slack and Discord tokens, TLS keys, VPN configurations, and cryptocurrency wallet data), and also enumerated network interfaces. In addition, the script scanned the memory regions of the GitHub Actions Runner.Worker process in search of JSON strings containing secrets.
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
28 packages in the @EmilGroup scope
16 packages in the @opengov scope
@teale[.]io/eslint-config
@airtm/uuid-base32
@pypestream/floating-ui-dom
Vibe Coded LiteLLM Malware with AI Powered SOC2 and ISO-27001 Certifications
LiteLLM had 40K stars on GitHub and thousands of forks (those who used it as a base to alter and make it their own).
The malware was discovered by researcher Callum McMahon of FutureSearch.
The malware caused McMahon’s machine to shut down after he downloaded LiteLLM. That event prompted him to investigate and discover it. Ironically, a bug in the malware caused his machine to blow up. Because that bit of nasty code was so sloppily designed, he (as well as famed AI researcher Andrej Karpathy) concluded it must have been vibe coded.
LiteLLM, as of March 25 when we looked, still proudly displays on its website that it has passed two major security compliance certifications, SOC2 and ISO 27001. But it used a startup called Delve for those certifications. Delve is the Y Combinator AI-powered compliance startup that’s been accused of misleading its customers about their true compliance conformity by allegedly generating fake data and using auditors that rubber-stamp reports. Delve has denied these allegations.
Certifications don’t automatically prevent a company, like LiteLLM, from being hit by malware. While SOC 2 is supposed to cover policies surrounding software dependencies, malware can still slip in.
Self-propagating malware poisons open source software and wipes Iran-based machines
TeamPCP’s targeting of a country that the US is currently at war with is a curious choice. Up to now the group’s motivation has been financial gain. With no clear connection to monetary profit, the wiper seems out of character. While there may be an ideological component, it could just as easily be a deliberate attempt to draw attention to the group.
[rG CICD Software Supply Chain Attack Prevention: Shift-Left code signing with hash monitoring alerting.]
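The hash monitoring the note above refers to, as an added example (not code from any of the projects named in this item): a CI job pins each tool artifact to a SHA-256 digest from a signed manifest and, separately, records the first digest seen for every (tool, version) so that a re-published tag or re-pushed image that keeps its version string but changes its bytes is reported as drift. The tool name, version and artifact bytes are constructed placeholders.

```python
"""Pin release artifacts by SHA-256 and alert when a version's content changes.

Added example illustrating the editor's note above; not code from any project
named in this item. Tool name, version and artifact bytes are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReleaseMonitor:
    """Verifies artifacts against a pinned manifest and flags digest drift.

    A re-published tag or re-pushed image that keeps the version string but
    changes the bytes is reported as "drift", the trace a re-tagging attack
    leaves behind.
    """

    def __init__(self, pinned: dict):
        # pinned: {(tool, version): sha256 hex} taken from a signed manifest
        self.pinned = dict(pinned)
        self.seen = {}  # (tool, version) -> first observed digest

    def verify(self, tool: str, version: str, data: bytes) -> str:
        """Return "ok", "mismatch" (differs from the pinned digest) or
        "unpinned" (no pin exists; an unpinned artifact must not run)."""
        digest = sha256_hex(data)
        expected = self.pinned.get((tool, version))
        if expected is None:
            return "unpinned"
        return "ok" if hmac.compare_digest(digest, expected) else "mismatch"

    def observe(self, tool: str, version: str, data: bytes) -> str:
        """Feed every fetched artifact here. Returns "new" the first time a
        version is seen, "unchanged" if its digest repeats and "drift" if the
        same version now has different bytes (alert condition)."""
        digest = sha256_hex(data)
        key = (tool, version)
        if key not in self.seen:
            self.seen[key] = digest
            return "new"
        return "unchanged" if self.seen[key] == digest else "drift"


# Constructed artifacts standing in for two builds published under one version.
GOOD_BUILD = b"constructed: original release bytes"
REPUBLISHED_BUILD = b"constructed: same version tag, different bytes"

PINNED = {("example-scanner", "1.2.3"): sha256_hex(GOOD_BUILD)}


def demo() -> list:
    """Run the sequence a CI job would see and return the verdicts in order."""
    mon = ReleaseMonitor(PINNED)
    return [
        mon.verify("example-scanner", "1.2.3", GOOD_BUILD),          # ok
        mon.observe("example-scanner", "1.2.3", GOOD_BUILD),         # new
        mon.observe("example-scanner", "1.2.3", REPUBLISHED_BUILD),  # drift
        mon.verify("example-scanner", "1.2.3", REPUBLISHED_BUILD),   # mismatch
        mon.verify("example-scanner", "9.9.9", GOOD_BUILD),          # unpinned
    ]


if __name__ == "__main__":
    print(demo())
```

The two checks answer different questions: verify() gates execution against what the manifest says, while observe() catches a version being silently republished even before the manifest is consulted. The manifest itself has to be signed and fetched from somewhere the CI token cannot write to, otherwise the same stolen credential that re-tags the release can also rewrite the pin.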
APPSEC, DEVSECOPS, DEV
NIST Releases Two New CSF 2.0 Quick-Start Guides
NIST Special Publication (SP) 1308 NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide
Initial Public Draft of SP 1347, NIST Cybersecurity Framework 2.0: Informative References Quick‑Start Guide
NIST SP 800-81r3: Updated DNS security guidance for the first time in over a decade
The document describes two general deployment models: cloud-based protective DNS services and on-premises deployments using DNS firewalls or Response Policy Zones (RPZs). A hybrid approach combining both is recommended where feasible, on the basis that a cloud outage with on-premises fallback still preserves protection.
The guidance recommends that protective DNS logs be integrated with SIEM or log analysis platforms, and that DNS query data be correlated with DHCP lease histories to map IP addresses to specific assets during incident response.
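The correlation step recommended above, worked through as an added example (this is not NIST's code, and the log line format, hostnames, MAC addresses, domains and timestamps are constructed). Protective DNS block events carry only a client IP; the lease history says which device held that IP at that moment, and a lease that has expired or an IP reused by a second device must not be attributed to the earlier host.

```python
"""Attribute protective-DNS block events to hosts via DHCP lease history.

Added example illustrating the correlation SP 800-81r3 recommends; it is not
NIST's code. Log formats, hostnames, MACs, domains and times are constructed.
"""
from datetime import datetime, timedelta

# Constructed DHCP lease events: start time, client IP, MAC, hostname, seconds.
DHCP_LEASES = [
    ("2026-03-20T08:00:00", "10.0.0.5", "aa:bb:cc:00:00:01", "lab-pc-01", 3600),
    ("2026-03-20T09:30:00", "10.0.0.5", "aa:bb:cc:00:00:02", "contractor-nb", 3600),
    ("2026-03-20T08:05:00", "10.0.0.7", "aa:bb:cc:00:00:03", "build-runner", 86400),
]

# Constructed protective-DNS log lines: time, client, qname, action.
PDNS_LOG = """2026-03-20T08:10:12 client=10.0.0.5 qname=updates.example.test action=pass
2026-03-20T08:12:44 client=10.0.0.5 qname=bad.example.invalid action=rpz-block
2026-03-20T09:45:01 client=10.0.0.5 qname=bad.example.invalid action=rpz-block
2026-03-20T10:00:00 client=10.0.0.9 qname=other.example.invalid action=rpz-block
"""


def lease_holder(ip: str, at_iso: str, leases=DHCP_LEASES):
    """Return (hostname, mac) holding `ip` at time `at_iso`, or None.

    Chooses the most recently started lease that covers the instant, so an IP
    handed to a second device is attributed to that device, and a query after
    the lease expired is not attributed to anyone.
    """
    at = datetime.fromisoformat(at_iso)
    best = None
    for start, lease_ip, mac, host, secs in leases:
        if lease_ip != ip:
            continue
        t0 = datetime.fromisoformat(start)
        if t0 <= at < t0 + timedelta(seconds=secs):
            if best is None or t0 > best[0]:
                best = (t0, host, mac)
    return None if best is None else (best[1], best[2])


def attribute_blocks(log_text: str = PDNS_LOG, leases=DHCP_LEASES) -> list:
    """Parse rpz-block events and attach the asset that owned the IP then."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        stamp, fields = parts[0], dict(f.split("=", 1) for f in parts[1:])
        if fields.get("action") != "rpz-block":
            continue
        holder = lease_holder(fields["client"], stamp, leases)
        findings.append({
            "time": stamp,
            "client": fields["client"],
            "qname": fields["qname"],
            "host": holder[0] if holder else "UNKNOWN (no lease)",
            "mac": holder[1] if holder else None,
        })
    return findings


if __name__ == "__main__":
    for f in attribute_blocks():
        print(f"{f['time']} {f['client']} -> {f['host']} blocked {f['qname']}")
```

The "UNKNOWN (no lease)" outcome is worth alerting on in its own right: a blocked query from an address with no lease history points at a static assignment, a rogue device or a gap in DHCP log collection, all of which an incident responder needs to know before treating the IP as an asset.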
NIST Helps Fingerprint Examiners With New Data and Software Release
Two releases are intended to help improve forensic fingerprint examination, an important aspect of criminal investigations.
A NIST collection of 10,000 fingerprints has now been fully annotated with details that will help train both human fingerprint examiners and AI tools.
NIST has also released open-source software that can help evaluate and sort fingerprints according to their quality, potentially helping fingerprint examiners work more efficiently.
Apostol Vassilev of NIST on Why LLM Defenses Always Fall Short
Large language models are inherently vulnerable to prompt injection attacks, and no amount of hardening will ever fully close that gap. The imbalance between available attacks and available mitigations isn't a temporary problem - it's a mathematical certainty.
We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do with Them
AWS Bedrock is Amazon's platform for building AI-powered applications.
These eight attack vectors share a common logic: attackers target the permissions, configurations, and integrations surrounding the model - not the model itself. A single over-privileged identity is enough to redirect logs, hijack an agent, poison a prompt, or reach critical on-premises systems from a foothold inside Bedrock.
Securing Bedrock starts with knowing what AI workloads you have and what permissions are attached to them. From there, the work is mapping attack paths that traverse cloud and on-premises environments and maintaining tight posture controls across every component in the stack.
1. Model Invocation Log Attacks
2. Knowledge Base Attacks - Data Source
3. Knowledge Base Attacks - Data Store
4. Agent Attacks – Direct
5. Agent Attacks – Indirect
6. Flow Attacks
7. Guardrail Attacks
8. Managed Prompt Attacks
OWASP AIVSS Project Announces the Release of v0.8 Scoring System for Agentic AI Security Risks in Co-Publication with AIUC-1 and Leading OWASP Projects
The AIVSS project team has integrated over 1,900 public comments from industry practitioners and cybersecurity experts. This collaborative feedback has driven significant improvements, making the framework more robust and actionable for enterprise environments.
OWASP Agentic Skills Top 10
Covering OpenClaw (SKILL[.]md YAML), Claude Code (skill.json), Cursor/Codex (manifest.json), and VS Code (package.json) ecosystems.
AST01 Malicious Skills
AST02 Supply Chain Compromise
AST03 Over-Privileged Skills
AST04 Insecure Metadata
AST05 Unsafe Deserialization
AST06 Weak Isolation
AST07 Update Drift
AST08 Poor Scanning
AST09 No Governance
AST10 Cross-Platform Reuse
Zero Trust Anchors AI Security Strategy
Securing AI training infrastructure differs from traditional security: it requires real-time validation and precise access control. The article warns against broad claims that AI will replace SaaS; mission-critical systems demand proven controls, not unchecked automation.
Fundamentally, AI is non-deterministic. You ask a question twice, and you get two different answers. So, we need to carefully apply it for the right applications the right way.
How the AI Coding Boom Is Rewriting Application Security
We're going to need to have dynamic analysis running at all times in application security. This is the transition from AI Security 1.0 - guarding AI at the edges through prompt filtering and LLM input controls - to AI Security 2.0, in which security must monitor what agents are actually doing at runtime, across distributed systems, in real time.
Decouple SIEM data to reshape your AppSec
More than a decade ago, as a Gartner analyst, Chuvakin devised the SOC visibility triad, whose three pillars are to monitor logs, endpoint sources, and network sources. Just last year, he added a fourth monitoring need, applications. “SaaS, cloud applications, and AI agents require deep application visibility. This enables deeper insights into the application’s internals, as well as business logic. To have a good 2025 SOC you must have the fourth pillar of application visibility.”
According to the SANS 2025 Global SOC Survey, 42% of SOCs dump all incoming data into a SIEM without a retrieval or management plan. Unsurprisingly, Forrester Research has noted that one of the most common inquiry questions it receives from security clients is "How do we reduce our SIEM ingest costs?"
The shift isn’t simply about moving data from SIEMs to data lakes. After all, security teams have been adopting platforms like Snowflake and Databricks for threat hunting and long-term retention for years. What is new with the pipeline layer is that it addresses what happens before data reaches any destination.
The economic gain of spending less on SIEM ingestion will be augmented by the security payoffs of getting fewer false positives, onboarding new data sources faster, migrating between platforms more easily, and getting more reliable output from every AI tool they deploy.
Quantum-Safe Cryptography: Companies and Players Across the Landscape [2026]
NIST’s August 2024 finalization of three PQC standards created the regulatory foundation for enterprise migration:
FIPS 203 (ML-KEM, based on CRYSTALS-Kyber) covers key encapsulation.
FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium) covers digital signatures.
FIPS 205 (SLH-DSA, based on SPHINCS+) provides a hash-based signature alternative.
In March 2025, NIST selected HQC as a backup key encapsulation mechanism. These standards provide the algorithmic building blocks that all the PQC companies listed above are implementing.
Migration timelines are being driven by government mandates. The US government requires federal agencies to inventory and begin transitioning cryptographic systems. Canada has set deadlines requiring federal departments to submit PQC migration plans by April 2026, prioritize critical systems by 2031, and complete full migration by 2035. The EU is developing similar frameworks. These mandates create cascading demand through government supply chains, effectively requiring private sector adoption as well.
Google moves post-quantum encryption timeline up to 2029
While Google has said it is on track to migrate its own systems ahead of the 2035 timeline provided in NIST guidelines, last month leaders at the company teased an updated timeline for migration and called on private businesses and other entities to act more urgently to prepare.
Unlike the federal government, private businesses face no mandate setting when they must migrate to quantum-resistant encryption, or even requiring that they do so at all.
VENDORS & PLATFORMS
US regulator bans imports of new foreign-made routers, citing security concerns
The FCC order does not impact the import or use of existing models but will ban new ones.
It said malicious actors had exploited security gaps in foreign-made routers "to attack households, disrupt networks, enable espionage, and facilitate intellectual property theft," citing their role in major hacks like Volt and Salt Typhoon.
China is estimated to control at least 60% of the U.S. market for home routers, boxes that connect computers, phones, and smart devices to the internet.
AV-Comparatives ADP Detection Coverage 2026 Test Results
Anti-Malware Performance Comparison Charts
Black Duck Signal Sets a New Standard for Securing AI-Generated Code
Black Duck Signal integrates directly into the modern agentic software development life cycle, via model context protocol (MCP) and APIs that support AI coding assistants, IDEs and automated AI pipelines. It continuously analyzes code across languages, frameworks and architectures—identifying security defects early, eliminating the noise common with AST findings and intelligently working with AI coding assistants to fix issues with little to no developer action required.
LEGAL & REGULATORY
U.S. Sentences Russian Hacker to 6.75 Years for Role in $9M Ransomware Damage
Aleksei Olegovich Volkov facilitated dozens of ransomware attacks across the U.S., causing more than $9 million in actual losses and over $24 million in intended losses. Volkov is said to have served as an initial access broker responsible for obtaining unauthorized access to computer networks and systems belonging to various organizations and selling that access to other criminal groups, including ransomware actors. This was accomplished by exploiting vulnerabilities or finding ways to access the networks without authorization.
Questions to AI Models May Be Discoverable
Judge Rakoff held that a defendant’s written exchanges with a public generative AI platform were not protected by the attorney-client privilege or the work product doctrine. The Government had seized approximately thirty-one documents memorializing the defendant’s interactions with the public platform. Defense counsel asserted privilege because the inputs included attorney-learned information, were created to facilitate consultations with counsel, and were later shared with counsel.
The court emphasized that AI’s novelty does not alter settled privilege and work-product principles. Because the defendant’s use of a public AI platform failed those tests, the documents were not protected.
To preserve existing privilege, publicly available AI platforms should be treated as third parties. One should assume user inputs and outputs may be retained, reviewed, and disclosed per provider policies, and counsel should not allow clients to share privileged facts or strategy with such tools. If AI must be used, route usage through documented, counsel-directed instructions, and only use tools offering enterprise-grade confidentiality terms. Litigation hold letters should ask whether any AI-initiated conversations relevant to the case exist, so that practitioners get ahead of these issues. Lastly, communications with AI models before engagement or without counsel's direction should be carefully reviewed.
Three Charged with Conspiring to Unlawfully Divert Cutting Edge U.S. Artificial Intelligence Technology to China
The indictment alleges efforts to evade U.S. export laws through false documents, staged dummy servers to mislead inspectors, and convoluted transshipment schemes, to obfuscate the true destination of restricted AI technology to China.
Between 2024 and 2025, “Company-1” purchased approximately $2.5 billion worth of servers from the U.S. Manufacturer, many of which were assembled in the United States. The defendants’ scheme became more brazen over time and resulted in massive quantities of servers with controlled U.S. artificial intelligence technology being sent to China. Between late April 2025 and mid-May 2025 alone, at least approximately $510 million worth of the U.S. Manufacturer’s servers were diverted.
Apple’s Hide My Email Feature Will Not Hide You From the FBI
The system was built specifically to fight annoying marketers and data brokers. It was never intended to serve as an impenetrable shield for those looking to hide illegal activity from the government.
Apple explicitly states in its legal guidelines that it will cooperate with lawful government requests and warrants. While the company takes a very strong public stance on everyday user privacy, that protection stops the moment someone uses its services to commit a crime.
And Now For Something Completely Different …
NIST New Atom-Based Thermometer Measures Temperature More Accurately
Unlike traditional thermometers, a Rydberg thermometer doesn’t need to be first adjusted or calibrated at the factory because it relies inherently on the basic principles of quantum physics. These fundamental quantum principles yield precise measurements that are also directly traceable to international standards.
Rydberg thermometers can measure the temperature of their environment from about 0 to 100 degrees Celsius without needing to touch the object being measured.
This breakthrough not only paves the way for a new class of thermometers but is particularly significant for atomic clocks, because blackbody radiation can reduce their accuracy.
