TeamPCPBackdoorsCheckmarxJenkinsPluginasnpmWormSpreads

◆ DEEP DIVES

1. 01

   CI/CD Under Active Siege: Two Credential-Theft Campaigns Running Simultaneously

   What Happened

   Two supply-chain compromises are actively exfiltrating credentials from enterprise build pipelines. TeamPCP backdoored the Checkmarx Jenkins AST Scanner plugin, version 2026.5.09, via the Jenkins Marketplace. This is the third vector tied to the actor since the Trivy breach in February. Separately, a Bun-based npm worm tracked as 'Mini Shai-Hulud' poisoned 169 package names across 373 versions, including dependencies in the Mistral AI and TanStack ecosystems, and stole GitHub tokens, npm publish tokens, cloud IAM keys, and CI secrets via prepare hooks on optionalDependencies.

   TeamPCP Campaign Arc

   The chain is straightforward. Trivy (Feb) → GitHub Actions + OpenVSX (Mar) → Checkmarx Jenkins plugin (May). Three developer-tool distribution channels in three months. The plugin runs at build-runner privilege, which puts SCM tokens, artifact registry keys, cloud credentials, and code-signing keys in scope. Checkmarx has not published IOCs for the modified plugin, so defenders are working from worst-case assumptions.

   Mini Shai-Hulud Mechanics

   The worm abuses GitHub Actions weaknesses: unpinned third-party actions, overly permissive GITHUB_TOKEN scopes, and pull_request_target with untrusted checkout. It steals npm publishing credentials and injects payloads into release workflows. TanStack deprecated 84 malicious versions across 42 packages. Several of those packages carry 12M+ weekly downloads — react-query, router, table, form. Trusted publishing did not stop it. The abused workflows minted valid tokens on demand.

   Trusted publishing died this week. The npm worm ran inside install, not at publish. Any CI pipeline that touched a tainted package should be treated as credential-compromised until rotated.

   Cross-Source Pattern

   Six independent sources describe the same operational picture. The attack surface is the build environment itself, and every credential reachable from it is compromised. What separates this week from last quarter is that both campaigns bypass the controls the industry put in place after the previous round — marketplace publisher verification and trusted publishing provenance.

   ---

   Why This Matters Now

   The gap between disclosure and opportunistic scanning is measured in hours. TeamPCP has shown persistence across three vectors in three months. The npm worm self-propagates using stolen publish tokens, so the exposure is not bounded by the two named packages. It extends to anything a compromised maintainer could push.

   Action items

   • Audit all Jenkins controllers for Checkmarx AST Scanner plugin v2026.5.09; roll back to 2.0.13-829.vc72453fa_1c16 and rotate every credential accessible from affected runners
   • Scan all lockfiles, CI caches, and container images for the 169 affected npm package versions (TanStack May 10-12 window is priority); purge GitHub Actions caches on affected repos
   • Rotate all GitHub PATs, npm tokens, cloud IAM keys, and CI secrets that touched affected pipelines in the last 30 days
   • Enforce --ignore-scripts on CI npm installs, pin GitHub Actions to commit SHAs, set GITHUB_TOKEN to read-only by default, and deploy outbound egress allowlisting during build phase
   • Hunt for TeamPCP IOCs across GitHub Actions, OpenVSX, and Jenkins installs — including Dune-themed repository names — going back to March 2026

   Sources:SANS NewsBites · Daniel Miessler · TLDR · Techpresso · TLDR Dev · TLDR InfoSec

2. 02

   Ollama CVE-2026-7482: Your AI Inference Fleet Is Leaking Secrets to Unauthenticated Callers

   The Vulnerability

   Cyera disclosed CVE-2026-7482 on the Ollama GGUF tensor quantization path. It is a pre-authentication heap-memory leak in Go's unsafe package. The attacker uploads a malformed GGUF with inflated tensor shape values. An out-of-bounds read fires. Heap contents stream back over HTTP to any unauthenticated caller. Total cost to the attacker: three API calls. Upload, name-as-URI, push.

   What Leaks

   The heap of a running inference server holds the things a running inference server touches: user prompts, system prompts, API keys, OAuth tokens, and environment variables. Internal enterprise deployments had already loaded these instances with cloud IAM keys, database connection strings, and SaaS tokens baked into the process environment. That is the payload.

   Dimension	Detail
   Auth Required	None
   Exposed Servers	~300,000 (Shodan/Censys scan)
   Detection Difficulty	High — looks like normal API traffic
   Data at Risk	API keys, prompts, env vars, model state

   The Larger Pattern

   Ollama was written as a local developer tool. It ended up bound to 0.0.0.0 on production hosts. The 300,000 exposed endpoints are the distance between those two facts. Inference servers now sit in the same class of infrastructure as the misconfigured Elasticsearch, Redis, and MongoDB instances that generated the 2018-2020 headline cycle. Same failure mode, new process name.

   If Ollama is in production, assume the heap is already on someone's disk. The three-hundred-thousand number will come down slowly. It always does.

   Compensating Controls

   Block /api/push at the perimeter tonight if you cannot patch tonight. Bind to localhost and front with a reverse proxy that authenticates the caller; that closes the pre-auth path. The harder work is rotating every secret that lived in the process memory of an exposed instance. Disclosure is today. Exploitation may be older.

   Action items

   • Inventory all Ollama instances (including shadow deployments by ML/data teams); patch immediately or pull off the internet and bind to localhost
   • Block /api/push at the perimeter for any Ollama instance that cannot be updated within 24 hours
   • Rotate every API key, OAuth token, and environment-variable secret that was accessible to exposed Ollama processes
   • Add Hugging Face and GGUF/safetensors to software supply chain controls — enforce pinned hashes, allowlist publishers, sandbox model pulls in dev/CI
   • Deploy network segmentation preventing inference servers from reaching secrets managers, cloud metadata services, or production databases directly

   Sources:TLDR InfoSec · SANS NewsBites

3. 03

   AI Agent Frameworks Cross the RCE Threshold: Semantic Kernel, OAuth Fanout, and the Confused Deputy at Scale

   Semantic Kernel: Prompt Injection Becomes Host-Level RCE

   Microsoft Semantic Kernel is the orchestration library that shipped quietly into production across many .NET teams last year. It treats LLM output as trusted input to the execution layer. Prompt injection in retrieved content or user input escalates directly to remote code execution on the host running the agent. No sandbox. No validation layer. The framework invokes shell, HTTP, file, and MCP tools on whatever the model returns.

   Publicly: Semantic Kernel is embedded in Microsoft Copilot extensibility and a wide set of enterprise agent projects. MITRE mapping is T1059 (Command/Scripting Interpreter) via T1566 (Phishing) or poisoned retrieval corpora. Not publicly confirmed but consistent with field reporting: the deployed surface is larger than any asset inventory reflects.

   OAuth-Fanout Agents: One Identity, Unlimited Blast Radius

   Viktor-class Slack-resident agents connect to 3,000+ downstream tools under a single OAuth grant. SOC 2 attestation covers the vendor's controls. It does not cover the OAuth scopes the customer granted, the prompt-injection surface of Slack channels, or the path by which a malicious DM coerces the agent to exfiltrate from Jira, Salesforce, and GitHub in one session.

   Agent Surface	Vector	Blast Radius	Detection Gap
   Semantic Kernel	Prompt injection → shell exec	Host-level RCE, lateral movement	Looks like normal agent operation
   OAuth-fanout agents (Viktor)	Crafted Slack message → tool abuse	Cross-SaaS data exfiltration	UEBA not tuned for agent behavior
   Codex-in-Chrome	Indirect prompt injection via tab	Every SSO session in the browser	EDR doesn't model in-browser agents
   MCP tool registries	Poisoned tool definition	Agent executes attacker-controlled code	SLSA doesn't cover runtime tools

   Sub-200ms Deepfake Enables Agent Impersonation

   Thinking Machines' TML-Interaction-Small does full-duplex voice and video synthesis under 200ms. That is below the threshold where humans detect the seam. Pair it with agent infrastructure that can initiate calls and the confused-deputy problem extends to voice. Real-time video impersonation of a CFO on a Zoom bridge is now a tractable engineering problem.

   Developers running Semantic Kernel, finance still verifying wires by voice: two AI-era initial-access vectors open right now. Close both before the next board cyber update.

   The Governance Gap

   Five sources independently flag the same structural issue. Agents act with the user's authority across systems designed for a human at the keyboard. Every existing trust boundary — browser sessions, repo configs, PR reviews, voice verification — is now an untrusted-input boundary when an agent sits in the middle. Telemetry on agent tool-call behavior is absent in most organizations. Decide for yourself how long that holds.

   Action items

   • Inventory every Semantic Kernel deployment (internal, ISV, Copilot extension) and audit for unsanitized model-output-to-system-call paths; disable tool execution for unpatched instances by EOW
   • Enumerate every AI agent with OAuth grants into Slack/Teams/Google Workspace; enforce per-agent scope minimization, short-lived tokens, and SIEM detections for anomalous tool invocation patterns
   • Block Codex-in-Chrome and similar browser-resident agents on managed browsers via Chrome Enterprise policy until a threat model is approved
   • Update vishing/BEC playbooks: mandate out-of-band callback to known-good numbers for any wire, credential reset, or privileged access request — voice and video alone are no longer sufficient verification
   • Add AI agent frameworks and MCP tool-call anomalies as explicit categories in the SOC detection engineering backlog; deploy rules for anomalous tool invocations, egress from agent service accounts, and unusual PR authorship

   Sources:AINews · TLDR IT · TLDR AI · ben's bites · TLDR · TLDR InfoSec