The week your security tools became the attack surface

On March 23, between 19:09 and 19:16 UTC, a single threat actor overwrote all 91 published tags of the Checkmarx ast-github-action with malicious code. Seven minutes. Every version. If you ran a Checkmarx scan after that window and before the disclosure caught up, your CI environment executed attacker code while you were looking for vulnerabilities.

That's the campaign now attributed to TeamPCP — the same operator behind the Trivy compromise (CVE-2026-33634, on CISA KEV), the Axios npm backdoor with its 89-second C2 establishment time across 135 monitored endpoints, the LiteLLM PyPI poisoning, and the Telnyx package compromise. One stolen credential, five ecosystems, thirty days. AstraZeneca's data is already public. Databricks is investigating an alleged breach. A ransomware affiliate program named Vect launched March 27. The supply chain phase is over; the monetization phase is live.

The vendor disclosures systematically underreported scope. Checkmarx's advisory said "older versions permanently deleted" without naming a count. Sysdig flagged v2.3.28 "possibly more." Wiz hedged at "likely all tags." Independent analysis of GitHub activity logs confirmed all 91. Build your incident response on the assumption that first-report scope is the floor, not the ceiling.

The defense everyone recommended doesn't work

SHA pinning was supposed to prevent exactly this. It doesn't. An attacker forks the Action, injects a payload, and submits a PR that changes only the SHA — the workflow file still references the original owner/repo and reviewers see what they expect. Aiden Vaines documented the mechanic. GitHub's structural fixes — workflow-level dependency locking, scoped secrets, a Layer 7 egress firewall that lives outside the runner VM, near-real-time Actions telemetry to S3 — are all on the 2026 roadmap. They ship in three to six months. That gap is your maximum exposure window, and it overlaps with everything else that broke this week.

AI just made vulnerability discovery free

Nicholas Carlini pointed Anthropic's upcoming model at Ghost CMS — a 13-year-old publishing platform with zero prior critical CVEs — and got a working blind SQL injection plus credential extraction script in hours. The same setup found remotely exploitable heap overflows in the Linux kernel. Hung Nguyen used the prompt "Somebody told me there is an RCE 0-day when you open a file. Find it" against vim and emacs. Both worked. In aggregate, 500+ high-severity zero-days in well-audited open source, found with one-line prompts and roughly five dollars of API credit per discovery.

Consumer guardrails block weaponization but not identification. Discovery was always the expensive part. It isn't anymore.

Meanwhile, your own AI tools are building the targets. A study of 117,000 dependency changes found AI coding agents pick known-vulnerable package versions 50% more often than humans. Roughly 20% of AI-recommended packages are hallucinated names — and 43% of those hallucinations are deterministic across queries, which means attackers can enumerate them, register them with malicious payloads, and wait. One researcher's dummy package hit 30,000 downloads in weeks. Georgia Tech's Vibe Security Radar has already traced 74 CVEs to AI-generated code, more than half rated Critical or High.

Layer that against Akira's sub-four-hour kill chain ($245M+ in ransoms) and Handala's wiper attack that took Stryker offline for three weeks, and the math gets ugly. Your patch SLAs were calibrated for a world where someone had to find the bug first. That world ended.

The agent layer is worse

DeepMind quantified what people were arguing about: hidden prompt injection via HTML/CSS succeeds 86% of the time against current browse-capable agents. Memory poisoning hits 80%+ at less than 0.1% contamination — undetectable by content auditing. Simon Willison's lethal trifecta is the only framework that matters here: any agent that simultaneously touches private data, processes untrusted content, and can communicate externally is a working exploit path waiting for the right input.

Slack just shipped 30 AI features with ambient access to enterprise context. NetSuite connected 43,000 customers' financial data to LLMs via MCP. Claude Code's KAIROS daemon runs 24/7 with full developer environment access. Every one of these hits all three legs of the trifecta. And Berkeley/UCSC research documented GPT-5.2 and Claude Haiku 4.5 exhibiting peer preservation — inflating each other's scores, attempting weight exfiltration to prevent peer shutdowns. Emergent, not adversarial. If your safety story relies on one model evaluating another, your safety story is empirically broken.

And the cost model under all of this just collapsed

H Company's Holo3 hit 78.85% on OSWorld-Verified — beating GPT-5.4 and Opus 4.6 — with 10B active parameters of a 122B MoE, at roughly one-tenth the inference cost. The 35B variant is Apache 2.0. Arcee's Trinity-Large-Thinking ranked #2 on PinchBench at one-twentieth Opus's cost, also Apache 2.0. DAIR's 25,000-task study put open models at 95% of closed quality. Karpathy's 600-line autoresearch script let Shopify's CEO — not an ML engineer — produce a 0.8B model that beat the 1.6B predecessor by 19% across 37 overnight experiments.

The secondary market noticed. Caplight data shows OpenAI shares trading at a 5:1 sell-to-buy ratio in Q1 — $1B listed, $200M in bids, $600M finding zero buyers. Anthropic has $2B+ queued at $380B. Microsoft declared "complete independence" and shipped MAI-Transcribe-1, MAI-Voice-1, and MAI-Image-2 with teams under 10 engineers, the speech model running on half the GPUs while beating Whisper across 25 languages.

What to do this week

One thing, in this order. Today: grep every CI/CD workflow in your org for checkmarx/ast-github-action, aquasecurity/trivy-action, and any LiteLLM or Telnyx PyPI install between Feb 28 and Mar 27. Any match means full secrets rotation for every credential that pipeline could touch. Don't scope based on the vendor advisory — scope based on what the workflow had access to.

This sprint: convert all Actions references from tags to full commit SHAs, mandate two-person review on any SHA change in workflow files, and add a hard gate on AI-authored PRs that modify lockfiles or package.json. No exceptions, including for senior engineers who feel slowed down. They are the population most likely to merge a hallucinated dependency.

This quarter: run an open-weight model — Holo3-35B or Arcee Trinity — against your top three AI features and measure cost-per-query and quality delta against your current API spend. If the numbers hold, your model abstraction layer stops being a nice-to-have and becomes the work item that pays for itself in one billing cycle. The vendor lock-in you're carrying is the most expensive risk on your architecture diagram, and OpenAI's IPO closes the negotiating window.