← Back to Blog
Security Briefing
14 min read
March 28, 2026
TeamPCP Hides Stealer in WAV Files via Telnyx PyPI, LangChain & LangGraph Flaws Expose Secrets, European Commission AWS Breach, Dutch Police Phished, GitHub VS Code Malware Campaign
TeamPCP escalates its open-source supply chain rampage by compromising the Telnyx Python package and hiding credential-stealing malware inside WAV audio files. Three critical LangChain and LangGraph vulnerabilities expose filesystem data, environment secrets, and conversation databases across millions of AI deployments. The European Commission investigates a breach of its AWS environment with 350 GB allegedly exfiltrated. Dutch Police discloses a phishing breach — their second incident in 18 months. A large-scale GitHub campaign uses fake VS Code security alerts to distribute malware to developers.
1. TeamPCP Compromises Telnyx PyPI Package — WAV Audio Steganography Hides Credential Stealer
⚠️ SUPPLY CHAIN ATTACK — Audio Steganography Used to Evade Detection
TeamPCP, the threat actor behind the Trivy, KICS, and LiteLLM supply chain attacks, has now compromised the Telnyx Python package on PyPI. Malicious versions 4.87.1 and 4.87.2 conceal credential-stealing malware inside WAV audio files to bypass security scanners.
TeamPCP continues its unprecedented open-source supply chain campaign. On March 27, 2026, researchers from Aikido, Endor Labs, JFrog, Socket, and StepSecurity confirmed that the Telnyx Python package on PyPI had been compromised with two malicious versions. The attack represents a significant evolution in technique: credential-stealing payloads are now hidden inside WAV audio files using steganography.
Attack Chain Details
The malicious code is injected into telnyx/_client.py, triggering automatically when the package is imported. The three-stage attack chain works differently depending on the target OS:
- Windows: Downloads
hangup.wav from C2, extracts a hidden executable, drops it into the Startup folder as msbuild.exe for persistence across reboots
- Linux/macOS: Fetches
ringtone.wav from C2, extracts a collector script that runs in-memory, harvests credentials from environment variables, .env files, and shell histories
- All platforms: Exfiltrates stolen data as
tpcp.tar.gz via HTTP POST to 83.142.209[.]203:8080
- Kubernetes: Abuses service account tokens to deploy privileged pods across all nodes for lateral movement
The entire chain operates within a self-destructing temporary directory, leaving near-zero forensic artefacts. This is the same WAV steganography technique TeamPCP previously used in the "kamikaze" wiper malware — now refined for credential theft.
How TeamPCP Got the Token
Endor Labs researchers believe the Telnyx PyPI token was harvested during the earlier LiteLLM compromise. TeamPCP's credential harvester swept environment variables, .env files, and shell histories from every system that imported LiteLLM. If any developer or CI pipeline had both LiteLLM installed and access to the Telnyx PyPI token, that token was already in TeamPCP's hands — creating a cascading supply chain compromise.
CRA and NIS2 Implications
- CRA Software Supply Chain: The cascading nature of this attack — from Trivy to LiteLLM to Telnyx — demonstrates exactly why the Cyber Resilience Act mandates vulnerability handling processes and coordinated disclosure across the entire dependency graph
- NIS2 Article 21(2)(d): Supply chain security must now account for credential exposure from one compromised dependency enabling attacks on unrelated packages
- SBOM urgency: Organisations without complete Software Bills of Materials cannot assess exposure to this cascading attack chain
What This Means for Your Organisation
- Immediately downgrade Telnyx to version 4.87.0 — the PyPI project is now quarantined
- Audit all systems that imported LiteLLM for exposed PyPI tokens, API keys, and credentials
- Check Kubernetes clusters for unauthorised privileged pods — TeamPCP's lateral movement component targets k8s
- Implement package integrity verification beyond simple version checks — steganographic payloads bypass traditional scanners
2. LangChain & LangGraph Vulnerabilities Expose Files, Secrets, and Databases
⚠️ CRITICAL VULNERABILITIES — Three Independent Data Exfiltration Paths in World's Most Popular AI Framework
Three vulnerabilities in LangChain and LangGraph (CVE-2026-34070, CVE-2025-68664, CVE-2025-67644) expose filesystem data, environment secrets, and conversation history. LangChain-Core alone was downloaded 23 million times last week.
Cyera security researcher Vladimir Tokarev has disclosed three critical vulnerabilities in LangChain and LangGraph — the world's most popular frameworks for building LLM-powered applications. Each flaw provides an independent path to drain sensitive enterprise data:
| CVE |
CVSS |
Type |
Impact |
Fixed Version |
| CVE-2026-34070 |
7.5 |
Path Traversal |
Arbitrary file read via prompt-loading API |
langchain-core ≥1.2.22 |
| CVE-2025-68664 |
9.3 |
Deserialization |
API key and environment secret leakage |
langchain-core 0.3.81 / 1.2.5 |
| CVE-2025-67644 |
7.3 |
SQL Injection |
Full database access via checkpoint metadata |
langgraph-checkpoint-sqlite 3.0.1 |
The most severe flaw, CVE-2025-68664 (CVSS 9.3), allows attackers to leak API keys and environment secrets by passing a crafted data structure that LangChain interprets as a pre-serialised object rather than user input. This vulnerability — dubbed "LangGrinch" by Cyata who first identified it in December 2025 — can be exploited via prompt injection.
The Ripple Effect
Cyera warns that LangChain doesn't exist in isolation — it sits at the centre of a massive dependency web. Hundreds of libraries wrap, extend, or depend on LangChain. When a vulnerability exists in LangChain's core, it ripples through every downstream library, wrapper, and integration. With 52 million downloads per week for LangChain alone, the blast radius is enormous.
EU AI Act and CRA Context
- EU AI Act Article 15: AI systems must meet cybersecurity requirements — a CVSS 9.3 deserialization flaw in the world's most popular AI framework represents a systemic risk to high-risk AI systems built on LangChain
- CRA vulnerability handling: The gap between CVE-2025-68664's initial discovery (December 2025) and full patching raises questions about the CRA's "without delay" patching requirement
- GDPR Article 32: Conversation histories exposed via CVE-2025-67644 may contain personal data — organisations processing personal data through LangGraph are now at risk of GDPR enforcement
What This Means for Your Organisation
- Patch immediately: Update langchain-core to ≥1.2.22 and langgraph-checkpoint-sqlite to 3.0.1
- Audit all LangChain deployments for exposed API keys — rotate any keys that may have been accessible
- Review conversation histories stored in SQLite checkpoints for sensitive data exposure
- Assess all downstream dependencies that wrap LangChain — they may inherit these vulnerabilities
3. European Commission Investigates AWS Breach — 350 GB Allegedly Stolen
🔶 INSTITUTIONAL BREACH — EU Executive Body's Cloud Environment Compromised
The European Commission, the EU's main executive body, is investigating a security breach after a threat actor gained access to at least one of its AWS accounts. The attacker claims to have exfiltrated over 350 GB of data including employee information and databases.
The European Commission is investigating what appears to be a significant breach of its Amazon Web Services (AWS) cloud environment. Key details reported by BleepingComputer:
- At least one AWS account was compromised
- The attack was quickly detected and the incident response team is investigating
- The threat actor claims to have stolen over 350 GB of data including multiple databases
- Screenshots provided as proof show access to employee information and an email server used by Commission staff
- The attacker states they will not extort the Commission but intend to leak the data publicly
- AWS confirmed their services were not compromised — the breach was on the Commission's side
This is the second Commission breach in two months. In February, the Commission disclosed that its mobile device management platform was hacked on January 30, in an incident linked to Ivanti EPMM code-injection vulnerabilities that also affected the Dutch Data Protection Authority and Finland's Valtori.
Regulatory and Political Implications
The irony is not lost on observers — the institution drafting Europe's cybersecurity laws is itself suffering repeated breaches:
- NIS2 compliance: As an EU institution, the Commission is subject to Regulation (EU) 2023/2841 on cybersecurity for Union institutions — repeated breaches raise questions about its own compliance posture
- Cloud security: The breach underscores risks of public cloud adoption by government institutions — the EU's own Cloud Code of Conduct and EUCS certification scheme are meant to address precisely this
- Data protection: If employee personal data was exfiltrated, the European Data Protection Supervisor (EDPS) will investigate under Regulation (EU) 2018/1725
- Credibility gap: The Commission proposed new cybersecurity legislation on January 20, 2026, to strengthen defences against state-backed actors — it must now demonstrate it can protect its own infrastructure
What This Means for Your Organisation
- Audit your AWS IAM configurations — compromised credentials remain the leading cause of cloud breaches
- Implement cloud security posture management (CSPM) with real-time alerting
- If your organisation interacts with the European Commission, monitor for data exposure from the alleged 350 GB leak
- Review your own cloud incident response — can you detect and contain a breach as quickly as the Commission claims?
4. Dutch Police Discloses Phishing Breach — Second Incident in 18 Months
🔶 LAW ENFORCEMENT BREACH — Quick Detection Limits Impact
The Dutch National Police (Politie) has disclosed a phishing breach detected by its Security Operations Center. While it reports limited impact with no citizen data exposed, this marks the second breach since September 2024, when a state actor compromised officer contact data.
The Dutch National Police has reported being targeted by a phishing attack that resulted in a security breach. According to the March 25 press release:
- The Security Operations Center (SOC) detected the incident quickly and immediately blocked access
- Impact appears limited — citizens' data and investigative information were not exposed or accessed
- A criminal investigation has been launched
- The police have not disclosed which systems or accounts were affected
In September 2024, the Dutch police suffered a more severe breach linked to a "state actor" that stole work-related contact information for multiple officers, including names, email addresses, phone numbers, and some private data. That investigation remains ongoing.
NIS2 and Law Enforcement Cybersecurity
- NIS2 scope: While law enforcement agencies are generally excluded from NIS2's scope, they are still subject to national cybersecurity frameworks — the Dutch NCSC provides guidance that the police are expected to follow
- Pattern of targeting: Two breaches in 18 months targeting the same organisation suggests persistent adversary interest — potentially from the same state actor behind the 2024 breach
- Post-breach improvements: After the 2024 breach, the police implemented stronger 2FA requirements and continuous monitoring — this time the SOC detected the attack quickly, suggesting those investments paid off
What This Means for Your Organisation
- Phishing remains the #1 initial access vector — even organisations with mature SOCs get phished
- Quick detection is as important as prevention — the Dutch police's SOC caught this before serious damage occurred
- After a breach, invest in detection capabilities alongside prevention — the improved 2FA and monitoring from the 2024 response helped contain this incident
- Conduct regular phishing simulations and measure time-to-detection, not just click rates
5. Fake VS Code Security Alerts on GitHub Spread Malware to Developers
⚠️ DEVELOPER-TARGETED CAMPAIGN — Thousands of Repositories Hit with Fake Vulnerability Advisories
A large-scale, coordinated campaign is posting fake VS Code security alerts in the Discussions section of thousands of GitHub repositories, tricking developers into downloading malware via Google Drive links. The campaign triggers email notifications to repository watchers.
Application security company Socket has uncovered a sophisticated, large-scale campaign targeting developers on GitHub. The attackers:
- Post fake security advisories in the Discussions section of thousands of GitHub repositories, with titles like "Severe Vulnerability — Immediate Update Required"
- Use realistic fake CVE IDs and urgent language to create a false sense of urgency
- Impersonate real code maintainers or researchers using newly created or low-activity accounts
- Post in an automated, coordinated fashion across thousands of repositories within minutes
- Trigger GitHub email notifications to all tagged users and project followers
The fake alerts include links to supposedly patched VS Code extensions hosted on Google Drive. Clicking these triggers a cookie-driven redirect chain leading to a JavaScript reconnaissance script that collects timezone, locale, user agent, OS details, and automation indicators before delivering a second-stage payload to validated victims.
Social Engineering at Scale
This campaign is notable for its abuse of trust signals:
- GitHub Discussions are a legitimate notification channel — developers expect security alerts here
- Email notifications arrive in inboxes alongside real GitHub alerts
- Google Drive links provide a veneer of legitimacy
- The campaign targets developers specifically — who are more likely to act quickly on security advisories
CRA Developer Security Obligations
- CRA secure development: The Cyber Resilience Act requires manufacturers to follow secure development practices — developers who fall for this campaign may unknowingly introduce compromised extensions into their development environments
- Supply chain integrity: If compromised developer machines have access to package registries or CI/CD pipelines, the blast radius extends well beyond the individual developer
- GitHub's responsibility: Under the DSA, GitHub as a hosting service has obligations around illegal content — automated spam impersonating security researchers may qualify
What This Means for Your Organisation
- Train developers to verify vulnerability reports through authoritative sources (NVD, CISA KEV, CVE.org) before acting
- Never download extensions or patches from external sources like Google Drive — use official marketplaces only
- Implement email filtering rules to flag GitHub notification emails containing external download links
- Audit developer workstations for VS Code extensions installed from non-marketplace sources
Today's Threat Landscape Summary
| Development |
Regulation |
Impact |
Action Required |
| TeamPCP Telnyx WAV Steganography |
CRA / NIS2 |
Cascading supply chain compromise via audio steganography |
Downgrade Telnyx to 4.87.0, audit LiteLLM exposure |
| LangChain/LangGraph Flaws |
EU AI Act / CRA / GDPR |
Files, secrets, databases exposed across millions of AI apps |
Patch langchain-core ≥1.2.22, rotate API keys |
| European Commission AWS Breach |
NIS2 / EUCS / Reg. 2018/1725 |
350 GB allegedly stolen from EU executive body |
Audit AWS IAM, implement CSPM |
| Dutch Police Phishing Breach |
National Cybersecurity |
Second breach in 18 months, limited impact |
Strengthen phishing defences, invest in SOC detection |
| GitHub VS Code Malware Campaign |
CRA / DSA |
Thousands of repos hit with fake security advisories |
Verify CVEs via official sources, audit extensions |
Protect Your AI & Developer Infrastructure
From supply chain attacks hiding in audio files to critical AI framework vulnerabilities — your software supply chain is under siege. KENSAI provides automated security scanning with CRA, NIS2, and AI Act compliance mapping built in.
Start Your Free Security Scan →
Published by the KENSAI Threat Intelligence Team · March 28, 2026
Stay informed. Stay protected. Read more briefings →