// #developer-security
11 articles
The AI Infrastructure Security Deficit: Langflow, LiteLLM, and a Repeating Pattern
Two AI infrastructure components — Langflow and LiteLLM — have reached the CISA Known Exploited Vulnerabilities catalogue in June 2026, both with command injection vulnerabilities in Python-based AI tooling. The pattern reflects a systemic gap: AI infrastructure is being deployed in enterprise environments under procurement and security processes designed for end-user applications, not for server-side infrastructure with network-accessible APIs.
Developer Workstations as Supply-Chain Risk: Governance Framework for Engineering Environments
TeamPCP's simultaneous three-vector attack on developer tooling reveals a governance gap that exists in most organisations: developer workstations accumulate privileged access over time but operate outside the security governance processes that manage server infrastructure. A developer machine with production credentials is server-equivalent infrastructure.
TeamPCP 'Mini Shai-Hulud': Inside the Developer Toolchain Attack Campaign Now on CISA KEV
TeamPCP's simultaneous compromise of three developer toolchain components — a code-signed installer, an npm package, and a VS Code extension — follows a refined methodology the group has been developing across multiple 2026 campaigns. The technical approach explains why these attacks reach environments that are otherwise well-defended.
Auditing VS Code Extensions for Supply-Chain Risk: A Practical Assessment Guide
The Nx Console supply-chain compromise in TeamPCP's May 2026 campaign targeted an extension with millions of downloads. With over 60,000 extensions in the VS Marketplace, most organisations have no inventory of which extensions their developers run. This guide covers extension auditing, publisher verification, and policy controls.
pnpm 11 Defaults to 24-Hour Package Age Minimum — Blocking Automated Post-Publish Supply Chain Attacks
pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.
Fake OpenAI Repository on Hugging Face Reached #1 Trending, Delivered Rust Infostealer to 244,000 Users
A malicious repository impersonating an official OpenAI project reached the top trending position on Hugging Face before being removed — delivering a Rust-compiled infostealer to an estimated 244,000 users who executed the repository's loader script. The attack exploited Hugging Face's trending algorithm and the high trust developers place in repositories attributed to the OpenAI organisation. Affected users should rotate all credentials accessible from the compromised machine.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users
A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager — a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.
PyTorch Lightning PyPI Package Compromised — Credential-Stealing Payload Delivered to AI/ML Development Environments
PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI were found to contain a credential-stealing postinstall payload, extending the Mini Shai-Hulud supply chain campaign that previously compromised SAP's official npm packages. Organisations running AI/ML workloads should audit Python environments and rotate any credentials stored on affected development or CI/CD systems.
Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials
Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.
CanisterSprawl: Self-Propagating npm Worm Steals Developer Credentials and Re-Infects Package Ecosystems
Researchers discovered CanisterSprawl, a self-propagating npm supply chain worm attributed to TeamPCP that compromised at least 16 packages including pgserve and @automagik/genie. A postinstall hook harvests npm tokens, cloud credentials, SSH keys, and AI tool configs, exfiltrating to a blockchain canister before using stolen tokens to inject the worm into every other package owned by the compromised developer. Organisations should audit postinstall scripts and rotate all credentials from affected development environments.
Commentary tagged #developer-security
Developer Toolchains Are the New Perimeter — and the Industry Has Not Accepted It
Simultaneous CISA KEV additions for three developer toolchain compromises in one campaign makes the case explicitly: the software supply chain attack surface runs through the tools developers use, not just the code they write. The security industry is still catching up.
CipherWatch Editorial
Security Intelligence Platform
AI Platforms Inherited the npm Trust Model and Its Problems Are Arriving on Schedule
A fake OpenAI repository reached #1 trending on Hugging Face and delivered an infostealer to 244,000 users. This was predictable. The AI/ML developer ecosystem adopted the open-publishing, community-trust model of package registries without adopting the hard-won security lessons those registries learned over the past decade. The attack surface Hugging Face presents in 2026 looks remarkably like the attack surface npm presented in 2016.
CipherWatch Editorial
Security Intelligence Platform
Developer Credentials Are the New Supply Chain Entry Point and the Industry Has Not Caught Up
QLNX's Linux RAT specifically harvests npm tokens, PyPI credentials, and cloud provider keys to enable malicious package publishing under the compromised developer's identity. This is not a new threat — it is a threat that has been escalating systematically for three years while the defensive response has been fragmented. The combination of credential-based package publishing and minimal post-publish scrutiny makes the developer credential the most valuable initial access target in software supply chain attacks.
CipherWatch Editorial
Security Intelligence Platform
Lockfiles Don't Protect You When the Maintainer Is the Threat
Three npm supply chain attacks in a single week — Axios, @bitwarden/cli, and CanisterSprawl — have been met with the same industry response: update your lockfile. This is wrong. When the original maintainer account is compromised, a new legitimate-signed version is published, and lockfiles pin to whatever is current, the entire model breaks down. The industry is treating a trust infrastructure failure as a dependency hygiene problem.
CipherWatch Editorial
Security Intelligence Platform
TeamPCP Has Now Hit Every Developer Distribution Channel. The Pipeline Is the Perimeter.
In six weeks, one supply chain threat group has successfully backdoored GitHub Actions, PyPI, npm, Docker Hub, and the VS Code Marketplace. The security industry's response has been to treat each incident as a separate patching problem. It isn't. It's a systematic demonstration that the developer distribution stack has no defence-in-depth, and that the security controls the industry has built — SCA, SBOM, SAST — operate at entirely the wrong layer.
CipherWatch Editorial
Security Intelligence Platform