AI Security Roundup: TeamPCP's Supply Chain Rampage, LiteLLM Poisoned, Langflow Exploited in 20 Hours

A coordinated supply chain campaign has compromised Trivy, LiteLLM, and dozens of npm packages. Meanwhile, Langflow attackers built working exploits within hours of disclosure.


The AI security infrastructure is under siege. A threat actor group known as TeamPCP has been running a coordinated multi-week campaign that has now compromised some of the most widely-used tools in the AI development stack: Aqua Security’s Trivy vulnerability scanner, the LiteLLM proxy library, and dozens of npm packages through a self-spreading worm.

If you’re building with AI tools, you need to assume your CI/CD secrets are a target.

The LiteLLM Catastrophe: 97 Million Monthly Downloads Poisoned

On March 24, attackers uploaded backdoored versions of LiteLLM to PyPI. LiteLLM is the most popular open-source LLM proxy in Python, handling approximately 97 million downloads per month. Versions 1.82.7 and 1.82.8 contained credential-stealing malware.

The malware harvested:

  • AWS and GCP cloud credentials
  • GitHub tokens
  • SSH keys
  • Kubernetes tokens
  • Cryptocurrency wallets (Bitcoin, Litecoin, Ethereum, Solana)
  • Slack and Discord keys

The entire LiteLLM package is now quarantined on PyPI. No version is currently available for download—not just the compromised ones.

If you installed LiteLLM version 1.82.7 or 1.82.8 at any point, assume full credential compromise for that machine and all systems reachable from it. This isn’t an abundance of caution—it’s the minimum reasonable response.

Trivy Attack Spawns CanisterWorm: The First Blockchain-Based AI Malware

The LiteLLM compromise was part of a larger operation. On March 19, TeamPCP compromised Aqua Security’s Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions workflows.

The attackers then used their foothold to spread a previously undocumented self-propagating worm called CanisterWorm. What makes this worm notable: it uses an ICP canister—a tamperproof smart contract on the Internet Computer blockchain—as a dead drop resolver to fetch command-and-control server addresses. This is the first publicly documented abuse of an ICP canister for malware C2.

The CanisterWorm has now infected 141 malicious package artifacts across more than 66 unique npm packages. Over 1,000 cloud environments are confirmed to have been affected by this threat actor's activity.

On March 22, TeamPCP defaced all 44 internal repositories belonging to Aqua Security’s “aquasec-com” GitHub organization. They renamed every repo with a “tpcp-docs-” prefix and changed descriptions to “TeamPCP Owns Aqua Security”—all in a scripted 2-minute burst.

Langflow: From Advisory to Exploitation in 20 Hours

While TeamPCP ran their supply chain campaign, another threat emerged. On March 17, a critical vulnerability (CVE-2026-33017, CVSS 9.3) was disclosed in Langflow, the open-source visual framework for building AI agents and RAG pipelines.

Cloud security firm Sysdig observed the first exploitation attempts within 20 hours of the advisory’s publication. No proof-of-concept code existed publicly at the time—attackers built working exploits directly from the advisory description.

The vulnerability is straightforward: Langflow’s /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. When an attacker supplies the optional data parameter, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of stored data. This code is passed to exec() with zero sandboxing.

The result: unauthenticated remote code execution. Attackers exfiltrated keys, credentials, and anything else that gave them access to connected databases or supply chain systems.

All Langflow versions through 1.8.1 are affected. Version 1.9.0 fixes both this vulnerability and a second CI shell injection flaw (CVE-2026-33475, CVSS 9.1) disclosed on March 24.
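If you run Langflow behind a reverse proxy, the access log is the quickest place to see whether anyone reached the unauthenticated build endpoint before you patched or blocked it. The script below is an added example written for this roundup, not code from Langflow or from Sysdig's research. The log lines are constructed in Common Log Format (the HTTP methods and flow ids in them are made up), and the detection keys only on the `/api/v1/build_public_tmp/` path prefix named in the advisory coverage; it does not try to interpret request bodies, which access logs do not carry.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2026:04:12:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 512
203.0.113.77 - - [18/Mar/2026:04:13:44 +0000] "POST /api/v1/build_public_tmp/8f1c2a3d-0000-4000-8000-000000000001/flow HTTP/1.1" 200 88
203.0.113.77 - - [18/Mar/2026:04:13:46 +0000] "POST /api/v1/build_public_tmp/8f1c2a3d-0000-4000-8000-000000000002/flow HTTP/1.1" 200 88
198.51.100.5 - - [18/Mar/2026:04:15:09 +0000] "GET /health HTTP/1.1" 200 2
203.0.113.77 - - [18/Mar/2026:04:16:30 +0000] "POST /api/v1/build_public_tmp/8f1c2a3d-0000-4000-8000-000000000003/flow HTTP/1.1" 500 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Path prefix of the endpoint described in the advisory (CVE-2026-33017).
TARGET_PREFIX = "/api/v1/build_public_tmp/"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_build_public_tmp_hits(log_text):
    """Return parsed entries whose path starts with the unauthenticated build endpoint prefix."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].startswith(TARGET_PREFIX):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Per source IP: request count, how many got a 2xx (the build ran), and distinct flow ids."""
    summary = defaultdict(lambda: {"requests": 0, "succeeded": 0, "flow_ids": set()})
    for hit in hits:
        src = summary[hit["ip"]]
        src["requests"] += 1
        if 200 <= hit["status"] < 300:
            src["succeeded"] += 1
        # The flow id is the first path segment after the prefix.
        rest = hit["path"][len(TARGET_PREFIX):]
        src["flow_ids"].add(rest.split("/", 1)[0])
    return dict(summary)


if __name__ == "__main__":
    hits = find_build_public_tmp_hits(SAMPLE_LOG)
    for ip, stats in summarize_by_source(hits).items():
        print(f"{ip}: {stats['requests']} requests, {stats['succeeded']} succeeded, "
              f"{len(stats['flow_ids'])} distinct flow ids")
```

On an instance still on 1.8.1 or earlier, any 2xx response to this endpoint from an address you do not recognise is a reason to treat the host as potentially compromised and start rotating the credentials it holds; after upgrading to 1.9.0 or blocking the prefix at the proxy, the same matches tell you who is still probing.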

MCP: The Next Attack Surface

The Model Context Protocol has become critical infrastructure for connecting AI models with external tools. Prompt injection through MCP is already a documented attack vector.

In January, researchers disclosed three security vulnerabilities in mcp-server-git, Anthropic’s official Git MCP server. These flaws can be exploited through prompt injection—an attacker who can influence what an AI assistant reads (a malicious README, a poisoned issue description) can weaponize these vulnerabilities without direct system access.

Palo Alto’s Unit 42 has documented new attack vectors through MCP sampling, including resource theft, conversation hijacking, and covert tool invocation. MCP’s implicit trust model lacks robust built-in security controls.

What You Should Do

Immediate actions:

  1. Audit LiteLLM installations. Check if versions 1.82.7 or 1.82.8 were ever installed. If yes, rotate all credentials on affected systems.

  2. Check Trivy versions. If you’re using Trivy in CI/CD, verify you’re on a clean version. Review all Actions workflows that use Trivy.

  3. Update Langflow to 1.9.0. If you can’t update immediately, block unauthenticated access to the /api/v1/build_public_tmp/ endpoint.

  4. Audit npm dependencies. Run npm audit and check for any of the 66+ packages associated with CanisterWorm.

  5. Review MCP server configurations. Assume that any data an AI assistant can read could be used for prompt injection.
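Steps 1 and 3 above, plus the hash-pinning point under "Longer-term", come down to checking a dependency inventory against a short advisory table. The script below is an added example written for this roundup, not code from any of the projects named; its advisory table holds only the versions stated above (LiteLLM 1.82.7 and 1.82.8 backdoored, Langflow fixed in 1.9.0), the inventory it scans is constructed, and it assumes plain dotted versions without pre-release suffixes.

```python
import re

# Advisory table built from the versions stated in this roundup; extend as needed.
COMPROMISED = {
    "litellm": {"1.82.7", "1.82.8"},   # backdoored PyPI releases
}
VULNERABLE_BELOW = {
    "langflow": "1.9.0",               # all releases through 1.8.1 are affected
}

# Constructed inventory in `pip freeze` / requirements format; not a real environment.
SAMPLE_INVENTORY = """\
fastapi==0.110.0
litellm==1.82.7
langflow==1.8.1
requests>=2.31
openai==1.14.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|>=|<=|~=|>|<|!=)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?"
)


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(ver):
    """Numeric tuple for a dotted version (assumption: no pre-release suffixes)."""
    return tuple(int(part) for part in re.findall(r"\d+", ver))


def classify(name, ver):
    """Return 'compromised', 'vulnerable' or 'ok' for an exactly pinned package version."""
    name = normalize(name)
    if ver in COMPROMISED.get(name, set()):
        return "compromised"
    floor = VULNERABLE_BELOW.get(name)
    if floor and version_key(ver) < version_key(floor):
        return "vulnerable"
    return "ok"


def audit_inventory(text):
    """Scan requirement lines; return (package, finding, detail) tuples.

    Findings: 'compromised', 'vulnerable', 'unpinned' (no exact '==' pin),
    and 'no-hash' (pinned but without a --hash= for install-time verification).
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip blanks and pip options like -r / --index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        op, ver = m.group("op"), m.group("ver")
        if op != "==" or ver is None:
            findings.append((name, "unpinned", line))
            continue
        status = classify(name, ver)
        if status != "ok":
            findings.append((name, status, ver))
        if "--hash=" not in line:
            findings.append((name, "no-hash", ver))
    return findings


if __name__ == "__main__":
    for package, finding, detail in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding:12} {package} ({detail})")
```

This checks what is pinned or installed now; because step 1 asks whether a compromised LiteLLM version was ever installed, also run it over old lock files from version control and over the package lists in CI build logs, not just the current environment.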

Longer-term:

  • Implement dependency pinning with hash verification
  • Use private registries that mirror only verified package versions
  • Run security scanners in isolated environments without access to production credentials
  • Treat AI agent outputs as untrusted input that needs validation

The 20-hour exploitation window for Langflow should be a wake-up call. The time between vulnerability disclosure and active exploitation is now measured in hours, not days. Your security posture needs to account for that reality.