Your vulnerability scanner got hacked this week. TeamPCP backdoored Trivy, a scanner with 100M+ Docker pulls and deep CI/CD access, then hit LiteLLM and Checkmarx in the same coordinated campaign. Meanwhile, Mandiant reported attackers now go from breach to lateral movement in 22 seconds.
TeamPCP didn't go after a random npm package. They went after the tools security teams depend on to protect their code. The group compromised Trivy (32,000 GitHub stars, 100M+ Docker Hub downloads) by exploiting credentials that Wiz traced to an incomplete rotation after an earlier breach. Attackers returned using credentials that were supposed to be dead. Over 1,000 cloud environments infected so far, with Mandiant's Charles Carmakal estimating up to 10,000.
The campaign expanded. LiteLLM versions 1.82.7-1.82.8 on PyPI delivered a multi-stage credential stealer targeting SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, and .env files. Checkmarx disclosed that its KICS GitHub Action and VSCode plugins were hit via stolen CI credentials from Trivy. Then CanisterWorm appeared: the first npm worm to use Internet Computer Protocol blockchain for C2, making conventional takedown impossible. It compromised 28 packages in under 60 seconds by stealing npm tokens and auto-publishing backdoored patch versions.
CrowdStrike, Microsoft, and Aqua Security (with Sygnia) all published IR guidance with the same message: treat all secrets accessible to runner environments during March 19-20 as fully compromised. Pin GitHub Actions to commit SHAs, not version tags.
Audit what credentials your vulnerability scanner has access to. If you use Trivy in CI/CD, rotate every secret those runners touched between March 19-20.
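The two actions above (pin actions to commit SHAs, inventory the secrets a runner could reach so they can be rotated) are mechanical enough to script. The following is an added example, not code from the newsletter or from any vendor's IR guidance: it walks a GitHub Actions workflow line by line, flags every `uses:` reference that is not pinned to a full commit SHA (or, for `docker://` actions, an image digest), and collects the `${{ secrets.* }}` names the workflow touches. Matching is regex-based so it runs without PyYAML; the workflow text is constructed for the example, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflows for unpinned action references and for the
secrets a workflow can reach (the rotation list).

Added example, not code from the newsletter or from any vendor's guidance.
Line-based regex matching on `uses:` and `${{ secrets.* }}`; the sample
workflow is constructed and its SHA is a placeholder."""
import re
import sys
from dataclasses import dataclass, field

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SECRET_RE = re.compile(r'secrets\.([A-Za-z_][A-Za-z0-9_]*)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')            # full git commit SHA
DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$')  # immutable image digest

@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str

@dataclass
class Report:
    unpinned: list = field(default_factory=list)
    secrets: set = field(default_factory=set)

def is_pinned(ref: str) -> bool:
    """True only when the action is referenced by an immutable identifier."""
    if ref.startswith("./"):
        return True            # local action: versioned with the repo itself
    if "@" not in ref:
        return False           # no ref at all
    target, _, version = ref.rpartition("@")
    if target.startswith("docker://"):
        return bool(DIGEST_RE.match(version))
    return bool(SHA_RE.match(version))  # tags and branches are mutable

def audit_workflow(text: str) -> Report:
    """Scan one workflow's text; returns unpinned refs and referenced secrets."""
    report = Report()
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            reason = "no ref" if "@" not in m.group(1) else "mutable tag or branch"
            report.unpinned.append(Finding(n, m.group(1), reason))
        # GITHUB_TOKEN is issued per job and expires; every other name listed
        # here is a long-lived secret that belongs on the rotation list.
        report.secrets.update(SECRET_RE.findall(line))
    return report

# Constructed sample workflow (placeholder SHA, placeholder image name).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master   # mutable branch ref
        with:
          scan-type: fs
      - uses: docker://ghcr.io/example/lint:latest
      - name: deploy
        run: ./deploy.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    rep = audit_workflow(src)
    for f in rep.unpinned:
        print(f"line {f.line_no}: {f.ref} ({f.reason})")
    print("secrets to rotate:", ", ".join(sorted(rep.secrets)))
```

Run it as `python audit_workflow.py .github/workflows/ci.yml` for each workflow, or loop it over the directory. The design choice worth noting is that only a full SHA counts as pinned: a tag such as `v4` can be moved to a new commit by whoever controls the upstream repository, which is exactly the trust relationship the Trivy compromise abused.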
Snyk, Black Duck, Apiiro, Palo Alto, and Wiz all launched "agentic security" products at RSAC within 72 hours. The approaches diverge: Snyk bets on runtime identity controls, Black Duck on remediation, Apiiro on pre-code threat modeling that scans Jira tickets before a line is written, and ZeroPath made the Innovation Sandbox Top 10 with AI-native SAST. Gartner treats this as a top-priority trend. Forrester is more skeptical, wanting runtime security that is "measurable and actionable, not a 'trust me, we scan prompts' offering."
The economic incentives keep pushing toward autonomy regardless. Cursor shipped Composer 2 with a 10x cost reduction. Anthropic added auto-approval mode to Claude Code. Less human oversight, more code, faster. None of the RSAC launches have converged on what the right controls look like, which means early adopters who define requirements now have genuine influence over how these tools mature.
Five vendors, five different approaches, zero consensus. If you're evaluating agentic security platforms, define your requirements before the vendors define them for you.
M-Trends 2026 from Mandiant: initial access handoff dropped from over 8 hours in 2022 to 22 seconds in 2025. Exploits remain the #1 intrusion vector at 32%, vishing surged to #2 at 11% while email phishing cratered to 6%, and high-tech overtook financial services as the most-targeted sector for the first time. Google's threat intelligence group identified 714 new malware families in 2025, up from 632.
Separately, Google blocked AI-generated bug submissions from its vulnerability reward program due to hallucinations. The curl project ended its bug bounty entirely for the same reason. The Linux Foundation secured $12.5M from Google, Anthropic, AWS, Microsoft, and OpenAI through Alpha-Omega to help maintainers triage the AI-generated report flood.
Time your actual incident response workflow end-to-end the next time a critical advisory drops. If it exceeds single-digit minutes, you know where you stand relative to the 22-second benchmark.
NTT Security disclosed StoatWaffle, a Node.js malware family operated by WaterPlum, a DPRK-linked group (Team 8 sub-cluster). The malware uses .vscode/tasks.json with runOn: folderOpen settings to trigger execution the moment a developer opens a project folder in VS Code. No clicks, no social engineering. Just open the folder. StoatWaffle's stealer module exfiltrates credentials from Chromium, Firefox, and macOS iCloud Keychain, while its RAT module provides shell access and arbitrary code execution.
VS Code v1.109 (January 2026) defaults task.allowAutomaticTasks to off, closing that specific vector. But StoatWaffle is one of several concurrent campaigns targeting developers. The PolinRider campaign injected split payloads into 675 GitHub repositories by hiding obfuscated JavaScript in postcss.config.mjs and tailwind.config.js files, using blockchain-based dead drop C2. Microsoft published a full timeline of the Contagious Interview evolution showing the progression from fake job interviews to npm staging to IDE auto-execution.
TeamPCP targets the tools. StoatWaffle targets the workflow. Both exploit the same vulnerability: trust relationships that security controls haven't caught up with. Developers trust their IDEs. Organizations trust their scanners. Attackers are targeting both simultaneously.
If you're on VS Code v1.109+, the specific auto-run vector is patched. If you're not, update. Then check your .vscode/tasks.json files in shared repositories for runOn: folderOpen settings you didn't create. More broadly: your IDE config files, your npm postinstall scripts, and your CI/CD task definitions are all code that executes with developer privileges. Are they getting the same review scrutiny as your application code?
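The tasks.json check above is easy to automate across a checkout of your shared repositories. The following is an added example, not code from the newsletter, NTT Security or Microsoft: it finds every `.vscode/tasks.json` under a directory tree and reports tasks whose `runOptions.runOn` is `folderOpen`, which is the setting that makes VS Code start the task when the folder is opened. Because tasks.json is JSON-with-comments, the parser strips `//` and `/* */` comments and trailing commas before handing the text to `json.loads`, so a file padded with comments does not escape the audit by failing to parse. The sample file is constructed.

```python
"""Locate VS Code tasks configured to run automatically when a folder opens.

Added example, not code from the newsletter, NTT Security or Microsoft.
Assumes the standard tasks.json schema, where auto-run is expressed as
"runOptions": {"runOn": "folderOpen"} on a task. The sample is constructed."""
import json
import os
import sys

def _copy_string(text: str, i: int, out: list) -> int:
    """Copy the JSON string literal opening at text[i]; return the index after it."""
    out.append('"')
    i += 1
    while i < len(text):
        c = text[i]
        out.append(c)
        i += 1
        if c == "\\" and i < len(text):   # keep the escaped character verbatim
            out.append(text[i])
            i += 1
        elif c == '"':
            break
    return i

def load_jsonc(text: str):
    """Parse JSON-with-comments the way VS Code tolerates it."""
    out, i, n = [], 0, len(text)
    while i < n:                                   # pass 1: drop comments
        if text[i] == '"':
            i = _copy_string(text, i, out)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j                # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(text[i])
            i += 1
    stripped = "".join(out)
    out, i, n = [], 0, len(stripped)
    while i < n:                                   # pass 2: drop trailing commas
        if stripped[i] == '"':
            i = _copy_string(stripped, i, out)
        elif stripped[i] == ",":
            j = i + 1
            while j < n and stripped[j].isspace():
                j += 1
            if not (j < n and stripped[j] in "}]"):
                out.append(",")
            i += 1
        else:
            out.append(stripped[i])
            i += 1
    return json.loads("".join(out))

def find_auto_run_tasks(text: str) -> list:
    """Return (label, type, command) for each task that runs on folderOpen."""
    doc = load_jsonc(text)
    return [
        (t.get("label"), t.get("type"), t.get("command"))
        for t in doc.get("tasks", [])
        if isinstance(t, dict) and t.get("runOptions", {}).get("runOn") == "folderOpen"
    ]

def scan_tree(root: str) -> dict:
    """Map each .vscode/tasks.json under root that has folderOpen tasks to them."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_auto_run_tasks(fh.read())
            except (OSError, ValueError) as exc:
                hits = [("<unparseable>", str(exc), None)]   # review by hand
            if hits:
                results[path] = hits
    return results

# Constructed sample: one ordinary task and one that auto-runs on folder open.
SAMPLE_TASKS_JSON = """{
    // comments and trailing commas are legal in tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
        {
            "label": "prepare",   /* innocuous-looking name */
            "type": "shell",
            "command": "node ./scripts/setup.js",
            "runOptions": { "runOn": "folderOpen" },
        },
    ]
}"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print(find_auto_run_tasks(SAMPLE_TASKS_JSON))
```

Point it at the parent directory of your clones (`python find_auto_tasks.py ~/src`) and treat every hit as a change that needs a named owner and a code review, the same way a CI task definition would. A file that fails to parse is reported rather than skipped, since an unparseable tasks.json is itself worth a look.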
• CVE-2026-20963 — Microsoft SharePoint | Severity: Critical | Impact: RCE (Deserialization) | Status: Actively Exploited (CISA KEV)
• iOS DarkSword exploit kit — Apple iOS (3 CVEs) | Severity: Critical | Impact: RCE / Code Execution | Status: Actively Exploited (CISA KEV)
• TeamPCP / Trivy — Aqua Security Trivy (vulnerability scanner) | Severity: Critical | Impact: Credential Theft / CI/CD Pipeline Compromise | Status: Actively Exploited
• TeamPCP / LiteLLM — LiteLLM (PyPI, versions 1.82.7-1.82.8) | Severity: Critical | Impact: Multi-Stage Credential Stealer | Status: Actively Exploited
• TeamPCP / Checkmarx KICS — Checkmarx KICS GitHub Action + VSCode plugins | Severity: High | Impact: Credential Theft / CI Pipeline Compromise | Status: Actively Exploited
• CanisterWorm — npm ecosystem (28+ packages) | Severity: High | Impact: Supply Chain / Backdoor Installation | Status: Actively Exploited
• PolinRider — GitHub (675 repositories) | Severity: High | Impact: Code Execution / Credential Theft | Status: Actively Exploited
• CVE-2026-21992 — Oracle Identity Manager | Severity: Critical | Impact: RCE (Pre-Auth) | Status: Emergency OOB Patch
• PTC Windchill / FlexPLM — PTC Windchill / FlexPLM | Severity: Critical | Impact: RCE | Status: "Imminent Threat" (German govt warning)
• Citrix NetScaler — Citrix NetScaler | Severity: Critical | Impact: RCE | Status: Poised for Exploitation
• Quest KACE — Quest KACE Systems Management | Severity: Critical | Impact: RCE | Status: Potentially Exploited
• CVE-2026-25253 — OpenClaw (AI agent platform) | Severity: High | Impact: RCE / Privilege Escalation | Status: Patch Available (severity understated per community analysis)
• StoatWaffle — VS Code (.vscode/tasks.json abuse) | Severity: High | Impact: RCE / Credential Theft | Status: Patched in VS Code v1.109+
• CVE-2026-20817 — Windows Error Reporting Service | Severity: High | Impact: Elevation of Privilege | Status: Patch Available
• QNAP Pwn2Own — QNAP NAS (4 CVEs) | Severity: High | Impact: RCE / EoP | Status: Patched post-Pwn2Own
• Chrome 146 — Google Chrome | Severity: High | Impact: RCE / Code Execution | Status: Patch Available
• CVE-2026-28500 — ONNX Hub (ML model distribution) | Severity: Critical (CVSS 9.1) | Impact: Supply Chain / Arbitrary Model Loading | Status: No Patch Available
We scanned 900 MCP configs on GitHub. 75% had security problems. — Why it's worth your time: Original empirical research on the infrastructure connecting AI coding agents to your systems. 75% misconfiguration rate at this scale is a systemic risk hiding in plain sight. Check your own MCP configs.
We Found Eight Attack Vectors Inside AWS Bedrock — Why it's worth your time: Eight documented attack vectors in AWS's managed LLM service. As organizations move AI workloads into managed cloud, the attack surface shifts to the platform itself. Practical for any team evaluating managed AI infrastructure.
Slightly safer vibecoding by adopting old hacker habits — Why it's worth your time: While RSAC vendors pitched expensive platforms, this argues old-school attacker thinking applies directly to AI code review. Practical, non-vendor, refreshingly grounded.
Wiz: Trivy Compromise Root Cause Analysis — Why it's worth your time: The deep dive covers what happened to Trivy. Wiz covers why it happened: incomplete credential rotation let attackers return using credentials that should have been dead. Tactical for any team auditing CI/CD secrets rotation.
Pixee CTO Arshan Dabirsiaghi joined Daniel Miessler on Unsupervised Learning to discuss automated remediation, false positives, and what it looks like when AI fixes code instead of just finding it.
The briefing security leaders actually read. CVEs, tooling shifts, and remediation trends — distilled into 5 minutes every week.
Join security leaders who start their week with AppSec Weekly. Free, 5 minutes, no fluff.