Five notable incidents in one week

The TeamPCP supply chain cascade reached three more victims this week. Telnyx was compromised on March 27 through credentials harvested from LiteLLM. Cisco had 300+ GitHub repositories cloned, including AI Defense and AI Assistants source code, through credentials from Trivy. Mercor confirmed it was compromised through LiteLLM; LAPSUS$ claimed 4 TB of exfiltrated data via Mercor's Tailscale VPN. Separately, a hijacked Axios npm maintainer account pushed a RAT into a package with 100 million weekly downloads, and Anthropic leaked Claude Code source code to npm.

Five notable incidents with ATLAS technique mappings, Mar 24-31 2026

1. Telnyx SDK poisoned on PyPI (TeamPCP cascade).

On March 27, malicious Telnyx SDK versions 4.87.1 and 4.87.2 appeared on PyPI using credentials traced to the LiteLLM harvest. The payload used WAV steganography to deliver a credential stealer targeting SSH keys, cloud provider tokens, Docker/npm/Git authentication, database passwords, and Kubernetes secrets. Where a K8s service account token existed, the malware deployed privileged pods with host filesystem access across all nodes. Version 4.87.1 had a typo that broke execution; TeamPCP corrected it within minutes in 4.87.2.

2. Cisco AI source code stolen (TeamPCP cascade).

On March 31, threat actors used credentials from the original Trivy compromise to breach Cisco's internal development environment through a malicious GitHub Action plugin. They cloned 300+ repositories, including source code for AI Defense, AI Assistants, and unreleased AI products. Cisco disclosed that customer repositories belonging to banks, outsourcing firms, and US government agencies were also accessed, and that AWS keys were stolen. Cisco attributed the breach to TeamPCP based on the presence of Cloud Stealer malware.

3. Mercor: 4 TB exfiltrated via LiteLLM credentials (TeamPCP cascade).

On March 31, Mercor, an AI hiring platform that contracts domain experts to train frontier models for OpenAI and Anthropic, confirmed it was compromised through the LiteLLM supply chain attack. The hacking group LAPSUS$ claimed possession of 4 TB of data exfiltrated through Mercor's Tailscale VPN: 939 GB of platform source code, a 211 GB user database, and 3 TB of storage buckets containing video interviews used in its AI training pipeline and identity verification documents.

4. Axios npm: maintainer account hijacked, cross-platform RAT deployed.

On March 30, an attacker social-engineered Axios's primary maintainer by posing as an open-source collaborator, gained full access to his device, and took over his npm and GitHub accounts. Two malicious versions followed; each ran a multi-stage dropper from npm's postinstall lifecycle hook that delivered platform-specific RATs for Windows, macOS, and Linux. After execution the malware deleted its dropper and restored a clean package.json to cover its tracks.

5. Anthropic: Claude Code source code leaked to npm.

On March 31, Anthropic shipped a Claude Code update to npm that included a 60 MB source map file embedding approximately 500,000 lines of original TypeScript across 1,900 files, including the system prompt and tool-use logic. Claude Code's package.json has no "files" whitelist, and development files like bun.lock still ship in the current version. The same type of leak had occurred in February 2025. OpenAI Codex and Google Gemini CLI, both open source, use restrictive whitelists. Claude Code is the only proprietary CLI of the three without one. Full analysis in the deep dive.
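A missing "files" whitelist is easy to catch before publishing. The script below is an added example (mine, not code from the post or from Anthropic's packages): given a package.json and the list of files in the source tree, it models what npm would put in the tarball and flags source maps, lockfiles, dotenv files and raw TypeScript. The packing rules are a simplified model of npm's "files" handling (assumption: positive globs, "!" negations and the always-included README/LICENSE/package.json are modelled; .npmignore and .gitignore are not), and the tree and manifests are constructed for the demonstration.

```javascript
// Added example, not from the post or from Anthropic's packages: audit what an
// npm package would ship given its package.json and the files in the tree.
// Simplified model of npm's "files" semantics (assumption: no .npmignore).
const ALWAYS_PACKED = /^(package\.json|README(\..*)?|LICEN[CS]E(\..*)?|CHANGELOG(\..*)?)$/i;
const NEVER_PACKED = /^(\.git|node_modules)\/|^\.npmrc$/;

// Patterns for files that have no business in a published tarball.
const SENSITIVE = [
  [/\.map$/i, 'source map: embeds the original sources'],
  [/(^|\/)(bun\.lockb?|package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$/, 'lockfile: development artifact'],
  [/(^|\/)\.env(\..*)?$/, 'dotenv file: may contain secrets'],
  [/^src\/.*\.tsx?$/, 'TypeScript source: should be built, not shipped'],
];

// Translate a restricted glob (supports *, ** and ?) into a RegExp; a bare
// directory name also matches everything beneath it, as in npm's "files".
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      re += '.*';
      i++;
      if (glob[i + 1] === '/') i++;
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp('^' + re + '(/.*)?$');
}

// Files npm would pack: the whole tree (minus .git etc.) when "files" is
// absent, otherwise the whitelist minus "!" negations plus the always-packed set.
function simulatePack(pkg, tree) {
  if (!Array.isArray(pkg.files)) return tree.filter((f) => !NEVER_PACKED.test(f));
  const include = pkg.files.filter((p) => !p.startsWith('!')).map(globToRegExp);
  const exclude = pkg.files.filter((p) => p.startsWith('!')).map((p) => globToRegExp(p.slice(1)));
  return tree.filter((f) => ALWAYS_PACKED.test(f) ||
    (include.some((r) => r.test(f)) && !exclude.some((r) => r.test(f))));
}

function auditPackage(pkg, tree) {
  const packed = simulatePack(pkg, tree);
  const findings = [];
  for (const file of packed) {
    const hit = SENSITIVE.find(([re]) => re.test(file));
    if (hit) findings.push({ file, why: hit[1] });
  }
  return { missingWhitelist: !Array.isArray(pkg.files), packed, findings };
}

// Constructed source tree and manifests (illustrative names, not Claude Code's).
const TREE = ['package.json', 'README.md', 'dist/cli.js', 'dist/cli.js.map',
  'src/cli.ts', 'src/prompts/system.ts', 'bun.lock', '.env', '.git/HEAD'];
const LEAKY = { name: 'example-cli', version: '1.0.0', bin: 'dist/cli.js' };
const HARDENED = { ...LEAKY, files: ['dist', '!dist/**/*.map'] };

for (const [label, pkg] of [['leaky', LEAKY], ['hardened', HARDENED]]) {
  const r = auditPackage(pkg, TREE);
  console.log(`${label}: files whitelist ${r.missingWhitelist ? 'MISSING' : 'present'}, ${r.packed.length} files packed`);
  for (const f of r.findings) console.log(`  ${f.file}: ${f.why}`);
}
```

For a real package, replace the constructed TREE with the `files[].path` entries from `npm pack --dry-run --json`, which is npm's own answer to "what would ship", and run the audit as a pre-publish check (for example from a `prepublishOnly` script) so a regression like the February 2025 leak fails the release instead of landing on the registry. Excluding the .map file is the cheap fix; not generating source maps for the published build at all is the safer one.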

TeamPCP supply chain cascade from Trivy to Telnyx, Cisco, and Mercor

My take:

1. Supply chain attacks cascade, and open-source security tools are the entry point.

One stolen token on March 19. Six organizations compromised by March 31 across GitHub Actions, PyPI, and multiple cloud environments. Each victim's credentials unlocked the next target. As I wrote in the TeamPCP analysis, vendors' open-source projects are go-to-market tools, not products. Aqua and Checkmarx secured their commercial platforms; the open-source tools that enterprises run in CI/CD were left exposed. For this class of attack, the highest-ROI starting point is one workflow file change: run third-party scanners in a separate CI job with no secrets and a read-only token.
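The workflow change referred to above, written out as an added example (not a workflow from the post or from any of the affected projects): the scanner runs in its own job with a read-only GITHUB_TOKEN and no secrets, and the only job that holds a publishing credential runs after it. Workflow, job and script names are illustrative assumptions.

```yaml
# Added example, not from the post: isolate a third-party scanner in its own
# CI job. Names are illustrative; substitute your own scanner invocation.
name: ci
on: [push, pull_request]

# Default for every job: the GITHUB_TOKEN can only read the repository.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # cannot push, tag, or publish packages
    # Nothing in this job references ${{ secrets.* }}, so a compromised
    # scanner can steal at most a read-only token and the source tree.
    steps:
      - uses: actions/checkout@v4
      - name: Run third-party scanner
        run: ./scripts/run-scanner.sh    # pin the scanner version inside

  build-and-publish:
    needs: scan                          # only runs after the scan job passes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Build and publish
        run: ./scripts/publish.sh
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}   # secrets only here
```

The check to add in review: any `secrets.*` reference inside the scan job, or a job-level `permissions` block broader than `contents: read`, defeats the isolation. Pinning third-party actions and scanner binaries to an exact version (a commit SHA for actions) narrows the window further, but the secret-free job is what limits the blast radius when the upstream itself is the thing that got compromised.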

2. The attack surface moved from code to pipeline.

Five incidents. Zero CVEs. Stolen credentials, social engineering, a missing config field. None followed the path we expect: vulnerability disclosed, exploit developed, system compromised. Trivy, itself a security scanner, was the entry point for the entire TeamPCP cascade. All five incidents happened in the spaces between the code: CI/CD pipelines, package registries, maintainer accounts, publish configurations.

3. Anthropic still ships like a research lab, not a software company.

A packaging error leaked 500,000 lines of Claude Code source to npm. The same leak happened in February 2025. Five days earlier, a CMS default exposed 3,000 unpublished assets. The deep dive into Anthropic's npm packages shows no "files" whitelist, bun.lock still shipping post-fix, and no shared packaging standard across teams. OpenAI and Google both use restrictive whitelists for their proprietary CLIs. Anthropic does not.

Sources:

  1. TeamPCP Telnyx supply chain compromise (Help Net Security)
  2. Cisco source code stolen in Trivy-linked dev environment breach (BleepingComputer)
  3. Axios maintainer post-incident disclosure (GitHub)
  4. Anthropic Mythos CMS exposure (Fortune)
  5. Anthropic Claude Code source leak (Fortune)
  6. Mercor confirms supply chain attack via LiteLLM (X)