Aggregator

AI Dependency Attack Reportedly Exposes Data and Source Code
A LiteLLM supply-chain compromise enabled attackers to harvest credentials and access internal environments at scale at Mercor. The firm was the first to confirm a LiteLLM breach, and researchers are warning about growing AI system exposure and limited visibility.

Report Reveals Growing Trend of Fraudsters Intercepting SMS-Based Verification
Financial institutions have historically relied on one-time passcodes as a primary authentication control for their accountholders. But OTP verification is less reliable as fraudsters increasingly exploit SMS-based verification weaknesses to carry out account takeover and payment fraud schemes.

人间四月，春和景明 仲春与暮春交替之际，又是一年清明时。 【清明】 清明，又称踏青节、行清节、三月节、祭祖节等，是春季的第五个节气，节期在仲春与暮春之交，也就是春分后15天，此时正值仲春(农历二月)与暮春(农历三月)交替之际。 二十四节气中，只有清明节既是节日又是节气。最初清明只是一个节气名称，到了唐代才慢慢演变成节日，如今的清明节由清明节气、寒食节和上巳节三者融合而来，是节气兼节日的日子。

IntroductionThere was a significant increase in software supply chain attacks in March 2026. There were five major software supply-chain attacks that occurred including the Axios NPM package compromise, which has been attributed to a North Korean threat actor. In addition, a hacking group known as TeamPCP was able to compromise Trivy (a vulnerability scanner), KICS (a static analysis tool), LiteLLM (an interface for AI models), and Telnyx (a library for real-time communication features).In this blog, we cover two of these supply chain attacks, which are significant given the scale and popularity of these packages.Axios NPM Package Compromised to Distribute Cross-Platform RATSummaryOn March 30, 2026, security researchers discovered that the widely-used NPM package Axios was compromised through an account takeover attack targeting a lead maintainer. Threat actors bypassed the project's GitHub Actions CI/CD pipeline by compromising the maintainer's NPM account and changing its associated email. The threat actor manually published two malicious versions via NPM CLI.These poisoned releases inject a hidden dependency called [email protected], which executes a postinstall script functioning as a cross-platform Remote Access Trojan (RAT) dropper targeting macOS, Windows, and Linux systems.During execution, the malware contacts command-and-control (C2) infrastructure at sfrclak[.]com to deliver platform-specific payloads, then deletes itself and replaces its package.json with a clean version to evade detection.RecommendationsReview package.json, package-lock.json, and yarn.lock files for [email protected], [email protected], or [email protected]. Remove any compromised packages, clear caches, and reinstall clean ones.Downgrade to [email protected] (for 1.x users) or [email protected] (for 0.x users) and update lockfiles.Search for connections to sfrclak[.]com or 142.11.206[.]73 from developer workstations and CI/CD systems.Use private registry proxies and Software Composition Analysis (SCA) tools to filter and monitor third-party packages.Restrict open-source package consumption on corporate devices and CI systems to enterprise-open source package managers. Use Zscaler Internet Access controls to block access to internet package managers from corporate devices. Use native controls and Zscaler Private App Connectors to block access to internet package managers from CI systems.Apply lockfiles strictly (e.g., package-lock.json, pnpm-lock.yaml) and use npm ci instead of npm install.Reduce dependency surface by auditing and removing unused packages.Apply least privilege principles using scoped, short-lived keys and tokens.Revoke NPM tokens, GitHub PATs, cloud keys, and CI/CD secrets.Enable phishing-resistant multifactor authentication (MFA) on NPM, GitHub, and cloud platforms.Flag abnormal NPM publishes, unexpected GitHub workflow additions, or secret scanner usage in CI.Treat impacted systems as compromised by isolating, scanning, or reimaging them.Update response playbooks for supply chain attacks and run practice drills.Restrict build environments to internal package managers or trusted mirrors, and limit internet access to reduce exfiltration risk.Reinforce the secure handling of tokens and secrets, and train teams on phishing awareness and supply chain security best practices.Enforce a release cooldown period to ensure users can’t check out newly released packages, stopping emerging supply chain attacks.Affected packages and versionsThe following packages are impacted by this compromise.Package VersionAxios1.14.1Axios0.30.4Table 1: Axios package versions impacted by the compromise.How it worksAll NPM packages include a package.json file that declares dependencies. In the compromised version of Axios, the threat actor added a dependency for a malicious package called plain-crypto-js, which included a postinstall script that ran a setup.js script via node.When developers or CI pipelines run npm install [email protected], NPM resolves the dependency tree, downloads [email protected], and runs the postinstall script. Running node setup.js triggers the compromise sequence.Attack chainThe figure below shows the attack chain.Figure 1: Attack chain for the compromised Axios package.TeamPCP Supply Chain Attack Targets LiteLLM on PyPISummarySummaryOn March 26, 2026, a supply chain attack was uncovered targeting LiteLLM, a popular AI infrastructure library hosted on PyPI with roughly 3.4 million downloads per day. Two LiteLLM package versions were found to include malicious code published by a threat group called TeamPCP. TeamPCP has been associated with multiple recent supply chain attacks such as KICS, Telnyx, and an attack on Aqua Security’s Trivy. The impacted package versions of LiteLLM were only available in PyPI for about three hours before they were quarantined.The poisoned LiteLLM packages appear to be part of an attack designed to harvest high-value secrets such as AWS, GCP, and Azure tokens, SSH keys, and Kubernetes credentials, enabling lateral movement and long-term persistence across compromised CI/CD systems and production environments. RecommendationsRotate or revoke all potentially exposed secrets such as PyPI tokens, API keys, SSH keys, and cloud credentials. Remove unused secrets, and restrict access to sensitive stores and configuration files (for example, .env files, SSH keys, and cloud CLI configs) using least-privilege controls and strict filesystem or secret-store permissions.Closely monitor PyPI publishing activity and recent release history, limit and regularly review maintainer access, and enforce MFA for all maintainers. Strengthen dependency integrity by prioritizing review of Git diffs for dependency version changes to spot suspicious modifications, and implement alerting for any unexpected direct or transitive dependency updates. Verify hashes and signatures where supported.Restrict who or what can run builds and publish artifacts, eliminate plaintext secrets in pipelines, and move to secret managers plus short-lived and ephemeral tokens. Add protected branches and tags, mandatory reviews for release workflows, and limit runner and network permissions.Apply least-privilege Identity and Access Management (IAM), tighten Kubernetes Role-Based Access Control (RBAC), and reduce credential exposure paths. Ensure container and runtime policies prevent credential harvesting and restrict workload identity access to only the required resources.Affected versions and deliveryThe following versions of LiteLLM were impacted. Users should upgrade to version 1.82.6 (the last known clean version).VersionDelivery1.82.8This version introduced a .pth file (litellm_init.pth) added to site-packages/. Python automatically executes code within .pth files during startup, meaning the malicious payload triggers on any Python invocation on the host, even if LiteLLM itself is not imported. The .pth file is correctly recorded in the wheel’s RECORD, so pip’s hash verification and other integrity checks still pass because the malicious content was published with legitimate credentials rather than injected afterward.1.82.7This version introduced an obfuscated Base64-encoded payload within proxy_server.py. This payload is designed to execute immediately upon the library being imported.Table 2: LiteLLM package versions affected and their corresponding delivery mechanism.How it worksLiteLLM is a wrapper or proxy for AI models that lets developers call different LLMs using an OpenAI-style API. Since it’s published on PyPI, a developer might download it by installing it for a project with the standard Python package installer, either directly or as part of an automated dependency install. Attack chainThe attack chain for the compromised packages is shown below.Figure 2: Attack chain for compromised LiteLLM packages.ConclusionThese supply chain threats highlight the fragility of the global software supply chain, especially with respect to open source software. ThreatLabz encourages readers to review the recommendations in this blog to help protect against these kinds of threats and minimize their impacts. Zscaler CoverageZscaler has added coverage for the threats associated with these campaigns, ensuring that any attempts to download a compromised package will be detected with the following threat names.For AxiosAdvanced Threat ProtectionJS.Malicious.npmpackagePS.RAT.npmpackagePython.RAT.npmpackageOSX.RAT.npmpackageFor LiteLLMAdvanced Threat ProtectionLiteLLM-ZABTrojan.SKMGPython.Trojan.LiteLLMIndicators Of Compromise (IOCs)For AxiosPackageVersionHashaxios0.30.4e56bafda15a624b60ac967111d227bf8axios1.14.121d2470cae072cf2d027d473d168158cplain-crypto-js4.2.052f3311ceb5495796e9bed22302d79bcplain-crypto-js4.2.1db7f4c82c732e8b107492cae419740ab@shadanai/openclaw2026.3.31-11b8615b9732833b4dd0a3e82326982fa@qqbrowser/openclaw-qbot0.0.130759e597c3cc23c04cd39301bd93fc79fsetup.js-7658962ae060a222c0058cd4e979bfa1osx script-7a9ddef00f69477b96252ca234fcbeebpython script-9663665850cdd8fe12e30a671e5c4e6fpowershell script-04e3073b3cd5c5bfcde6f575ecf6e8c1system.bat-089e2872016f75a5223b5e02c184dfec For LiteLLMFile hashesMD5 HashNamecde4951bee7e28ac8a29d33d34a41ae5litellm_init.pthf5560871f6002982a6a2cc0b3ee739f7proxy_server.py7cac57b2d328bd814009772dd1eda429p.py85ed77a21b88cae721f369fa6b7bbba3LiteLLM v1.82.7 Package2e3a4412a7a487b32c5715167c755d08LiteLLM v1.82.8 PackageNetwork indicators IndicatorTypecheckmarx[.]zoneC2 pollingmodels[.]litellm[.]cloudExfiltration URL 

The post Supply Chain Attacks Surge in March 2026 appeared first on Security Boulevard.

We uncovered two job scams posing as legitimate offers from Coca-Cola and Ferrari that could pry into Google and Facebook accounts.

The post That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords appeared first on Security Boulevard.

A vulnerability was found in Apple iOS and iPadOS. It has been rated as critical. Affected by this issue is some unknown functionality of the component Kernel Memory Handler. The manipulation leads to memory corruption. This vulnerability is referenced as CVE-2024-27840. The attack can only be performed from a local environment. No exploit is available. Upgrading the affected component is advised.

A vulnerability categorized as critical has been discovered in Apple macOS. This affects an unknown part of the component Kernel Memory Handler. The manipulation results in memory corruption. This vulnerability is identified as CVE-2024-27840. The attack is only possible with local access. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability identified as critical has been detected in Apple visionOS. This vulnerability affects unknown code of the component Kernel Memory Handler. This manipulation causes memory corruption. This vulnerability is tracked as CVE-2024-27840. The attack is restricted to local execution. No exploit exists. You should upgrade the affected component.

A vulnerability labeled as critical has been found in Apple watchOS. This issue affects some unknown processing of the component Kernel Memory Handler. Such manipulation leads to memory corruption. This vulnerability is listed as CVE-2024-27840. The attack must be carried out locally. There is no available exploit. The affected component should be upgraded.

A vulnerability marked as critical has been reported in Apple tvOS. Impacted is an unknown function of the component Kernel Memory Handler. Performing a manipulation results in memory corruption. This vulnerability is cataloged as CVE-2024-27840. The attack must be initiated from a local position. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability marked as problematic has been reported in Apple macOS. This affects an unknown function. The manipulation leads to denial of service. This vulnerability is listed as CVE-2024-27844. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability described as problematic has been identified in Apple visionOS. This impacts an unknown function. The manipulation results in denial of service. This vulnerability is cataloged as CVE-2024-27844. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability classified as problematic has been found in Apple Safari. Affected is an unknown function. This manipulation causes denial of service. This vulnerability is registered as CVE-2024-27844. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Apple macOS. Affected by this issue is some unknown functionality of the component Webpage Handler. Performing a manipulation results in information exposure through discrepancy. This vulnerability is reported as CVE-2024-27838. The attack is possible to be carried out remotely. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Apple visionOS. This affects an unknown part of the component Webpage Handler. Executing a manipulation can lead to information exposure through discrepancy. This vulnerability appears as CVE-2024-27838. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

A vulnerability has been found in Apple watchOS and classified as problematic. This vulnerability affects unknown code of the component Webpage Handler. The manipulation leads to information exposure through discrepancy. This vulnerability is traded as CVE-2024-27838. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability was found in Apple Safari and classified as problematic. This issue affects some unknown processing of the component Webpage Handler. The manipulation results in information exposure through discrepancy. This vulnerability is known as CVE-2024-27838. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability was found in Apple tvOS. It has been classified as problematic. Impacted is an unknown function of the component Webpage Handler. This manipulation causes information exposure through discrepancy. This vulnerability is handled as CVE-2024-27838. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability described as critical has been identified in Apple iOS and iPadOS. The affected element is an unknown function of the component Web Handler. Executing a manipulation can lead to integer overflow. This vulnerability is registered as CVE-2024-27833. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in Apple visionOS. The impacted element is an unknown function of the component Web Handler. The manipulation leads to integer overflow. This vulnerability is documented as CVE-2024-27833. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.