Supply-Chain
- PolyShell: Mass Exploitation of Magento Hits 56.7% of Vulnerable Stores Before a Patch Exists
A critical Magento file upload vulnerability is being actively exploited at scale -- 56.7% of vulnerable stores have been hit, there is no patch for production versions, and attackers are deploying a technically novel WebRTC skimmer that bypasses Content Security Policy entirely.
- Telnyx Python SDK Compromised on PyPI: TeamPCP Hides AES-256 Infostealer in WAV Audio Frames
TeamPCP's latest move: the official Telnyx Python SDK on PyPI was backdoored with an infostealer delivered via WAV steganography. The payload hides in audio frame data to bypass MIME-type filtering -- a technique TeamPCP first trialled five days earlier and liked enough to deploy at scale.
- Security: Vulnerabilities, Supply Chain, and the Defence Landscape
A living signal tracking infosec: CVEs worth knowing, supply chain attacks, cloud security incidents, AI/agentic security risks, and practical mitigations for engineering teams. This week: Citrix NetScaler CVE-2026-3055 (CVSS 9.3) allows unauthenticated session token extraction from SAML appliances; BeyondTrust CVE-2026-1731 now confirmed in active ransomware campaigns; AnythingLLM ships a textbook SQL injection; LAPSUS$ claims a 3GB AstraZeneca breach.
- LangChain and LangGraph CVEs Expose Files, Secrets, and Conversation History Across 84 Million Weekly Downloads
Three CVEs in LangChain and LangGraph -- path traversal, serialization injection, and SQL injection -- expose files, environment secrets, and conversation history in frameworks downloaded 84 million times per week.
- Apifox CDN Supply Chain Attack: Malicious JavaScript Hidden in the Official Analytics Script
SlowMist confirmed attackers injected obfuscated JavaScript into an official Apifox CDN script, enabling credential theft and remote code execution across every Electron desktop client that loaded it.
- LAPSUS$ Is Back. This Time It's Pharma.
A threat actor identifying itself as LAPSUS$ is claiming a breach of AstraZeneca, with 3GB of alleged source code, CI/CD secrets, and contractor access data up for private sale. AstraZeneca has not confirmed or denied. Here's what the sample data suggests, and why the engineering risk extends well beyond the initial target.
- HackerOne Employee Data Exposed via BOLA Flaw in Benefits Provider Navia
A BOLA vulnerability in Navia Benefit Solutions exposed data on almost 300 HackerOne employees over 24 days. HackerOne is publicly criticising Navia's slow disclosure -- an irony worth sitting with, given that responsible disclosure is HackerOne's entire reason for existing.
- WaterPlum's VS Code Trap: How Opening a Folder Deploys a RAT
North Korean threat group WaterPlum is distributing StoatWaffle malware via malicious VS Code projects that auto-execute on folder open. Fake developer job interviews deliver the payload -- no click required once you open the repo.
- LiteLLM Was in Your CI/CD Pipeline. So Was the Credential Stealer.
On March 24, 2026, LiteLLM versions 1.82.7 and 1.82.8 on PyPI were found to contain a credential-stealing payload planted by TeamPCP, the same group that compromised Trivy five days earlier. The attack is a direct downstream consequence of that breach: stolen CI/CD credentials, reused across targets.
- 44 Aqua Security Repositories Defaced in Two Minutes: The TeamPCP Escalation
All 44 repositories in Aqua Security's internal GitHub org were renamed and defaced on March 22, 2026 -- a direct escalation of the ongoing Trivy supply chain breach by threat actor TeamPCP.
- LiteLLM PyPI Supply Chain Attack: The .pth File That Steals Everything
LiteLLM versions 1.82.7 and 1.82.8 on PyPI contain a malicious .pth file that auto-executes a credential stealer on every Python interpreter startup -- no import required. The same TeamPCP infostealer that hit Trivy in March.
- Malicious Trivy Images on Docker Hub: Why Tag Pinning Isn't Enough
Trivy versions 0.69.4 through 0.69.6 were compromised on Docker Hub as part of the ongoing TeamPCP supply chain attack against Aqua Security. The incident is a concrete demonstration of why mutable Docker tags are a structural trust problem in CI/CD pipelines.
- The Scanner Got Scanned: How Trivy Became a Supply Chain Weapon
On March 19, 2026, attackers compromised Aqua Security's Trivy vulnerability scanner, force-pushing malicious code into 75 GitHub Actions tags and a trojanized v0.69.4 release. Stolen credentials from that breach then fuelled CanisterWorm, a self-propagating npm worm that hit 47 packages and used a decentralised ICP canister as its command server.
- The GitHub Actions Trap That Let a Bot Steal Trivy's Release Keys
On February 28, 2026, an autonomous bot called hackerbot-claw exploited a pull_request_target misconfiguration in Aqua Security's Trivy repository, stole an org-scoped PAT, and deleted 178 releases. The vulnerability is not obscure -- it is in thousands of public repos right now.
- Trivy Supply Chain Attack Escalates: CanisterWorm Self-Spreads to 47 npm Packages
The TeamPCP supply chain attack on Trivy's GitHub Actions has escalated: stolen npm tokens are now fuelling CanisterWorm, a self-propagating worm that has already compromised 47+ npm packages using a decentralised ICP canister as C2.
- When IT incidents become patient harm: Stryker, surgery delays, and the CISA Intune advisory
The March 11 Stryker cyberattack delayed surgeries the week of March 16. Personalised implants couldn't be shipped because the ordering systems were down. CISA named the attack vector -- Microsoft endpoint management -- and issued an urgent advisory. What this means for healthcare IT and for anyone running Microsoft infrastructure in critical functions.
- AI Tooling Doubles the Credential Leak Rate: Secrets Sprawl 2026
GitGuardian's 2026 report: 28.65 million hardcoded secrets on public GitHub, 81% surge in AI-service credential leaks, Claude Code commits leaking at double the baseline rate, and 24,000 secrets exposed in MCP config files. The leak surface has grown with the tooling surface.
- OpenClaw's Security Inflection Point: CVE-2026-25253, ClawHavoc, and What AWS Just Multiplied
CVE-2026-25253, the ClawHavoc malicious skills campaign, and AWS's managed OpenClaw launch arrived in the same six-week window. Taken together, they mark a security inflection point for AI agent tooling that engineers running these systems need to understand.
- Glassworm: The Supply Chain Attack Hidden in Plain Sight -- Inside Invisible Unicode Characters
Glassworm compromised 151+ GitHub repositories, 72 VS Code extensions, and multiple npm packages using malicious payloads hidden inside invisible Unicode characters that no code reviewer can see. The C2 infrastructure runs on Solana -- it cannot be taken down.
- The AppsFlyer SDK Hijack: Registrar Attack, Crypto Stealer, and the SRI Gap
On March 9, 2026, attackers hijacked the AppsFlyer Web SDK via a domain registrar incident and served a professional-grade crypto-stealing payload to every site loading the SDK. The defence existed. Almost nobody had deployed it.
- The Cascade Problem: How One Breach Seeds the Next
Two incidents this week -- the Drift → Telus Digital credential chain and the AppsFlyer SDK poisoning -- share one structural pattern: a trusted third-party tool becomes the access vector for the next attack. Your blast radius is no longer bounded by your own perimeter.
- Sweden's E-Government Source Code Is Circulating Online. The Entry Point Was a Jenkins Server.
ByteToBreach compromised CGI Sverige AB and leaked the source code of Sweden's E-plattform -- the digital identity system used across Swedish government authorities. The attack chain started at a misconfigured Jenkins server and required nothing novel.
- PhantomRaven: How a Four-Wave npm Campaign Used Remote Dynamic Dependencies to Beat Package Scanning
PhantomRaven ran four waves of malicious npm packages from August 2025 to February 2026, stealing developer credentials via a technique called Remote Dynamic Dependencies that places the payload outside the package -- making it invisible to every scanner that inspects package contents.
- The Patch Gap Is the Attack Window: Google's Cloud Threat Horizons Report H1 2026
Google's Cloud Threat Horizons Report H1 2026 documents how AI-assisted attacks have collapsed the window from vulnerability disclosure to mass exploitation -- from weeks to days. 83% of cloud breaches started with an identity failure. AI agents are about to make that worse.
- Five Malicious Rust Crates and an AI Bot: A Coordinated Supply Chain Attack
In February and March 2026, attackers published five malicious Rust crates to crates.io and used an AI-powered bot to exploit GitHub Actions CI/CD pipelines -- stealing .env secrets and Personal Access Tokens from open source maintainers.
- $130 Billion in Illegal Tariffs: What the Refund Ruling Means for Hardware Teams
A US trade court ordered refunds on $130B in tariffs ruled illegal by the Supreme Court, affecting ~300,000 importers including hardware buyers. Here's what it means for engineering budgets, CapEx planning, and procurement strategy.
- Clinejection: How a GitHub Issue Title Took Down a 5 Million User Tool
In February 2026, an attacker used a GitHub issue title to hijack Cline's AI triage bot, poison its Actions cache, and publish a malicious npm package to 5 million developers. Every failure point was a documented misconfiguration. This is what went wrong, and what you do differently.