Three critical vulnerabilities in the world's most popular AI framework give attackers independent paths to drain enterprise secrets. A China-nexus threat actor has embedded kernel-level sleeper cells deep inside telecom infrastructure. A new macOS infostealer uses Nuitka-compiled Python to evade detection. And the TeamPCP supply chain campaign now targets the Telnyx PyPI package using audio steganography.
Cyera security researcher Vladimir Tokarev disclosed three independent vulnerabilities in LangChain and LangGraph β the open-source AI frameworks downloaded over 84 million times per week from PyPI. Each flaw exposes a different class of enterprise data: filesystem files, environment secrets, and conversation history.
| CVE | CVSS | Type | Impact |
|---|---|---|---|
CVE-2026-34070 | 7.5 | Path Traversal | Arbitrary file read via prompt-loading API β no validation on template paths |
CVE-2025-68664 | 9.3 | Deserialization | Leaks API keys and environment secrets by tricking the app into treating input as a serialized LangChain object |
CVE-2025-67644 | 7.3 | SQL Injection | Arbitrary SQL queries against LangGraph's SQLite checkpoint database via metadata filter keys |
CVE-2025-68664 (CVSS 9.3) allows an attacker to siphon all API keys and environment variables from the LangChain deployment via prompt injection. This is a "LangGrinch" variant first identified by Cyata in December 2025 β now with a confirmed exploitation path.
"LangChain doesn't exist in isolation," Cyera warned. "It sits at the center of a massive dependency web that stretches across the AI stack. Hundreds of libraries wrap LangChain, extend it, or depend on it." When a vulnerability exists in LangChain's core, it ripples outward through every downstream library, wrapper, and integration that inherits the vulnerable code path.
This disclosure comes days after CVE-2026-33017 in Langflow was actively exploited within 20 hours of public disclosure β sharing the same root cause of unauthenticated code execution.
langchain-core β₯1.2.22langchain-core 0.3.81 or 1.2.5langgraph-checkpoint-sqlite 3.0.1Rapid7 has uncovered a long-term espionage campaign attributed to Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, Red Dev 18) β a China-nexus threat actor that has embedded itself deep within telecom networks across the Middle East and Asia since at least 2021.
Rapid7 described the covert access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks.
The core weapon is BPFDoor, a Linux backdoor that operates at the kernel level by abusing Berkeley Packet Filter (BPF) functionality. Unlike conventional malware:
BPFDoor doesn't just provide backdoor access β it functions as an access layer embedded within the telecom backbone, giving the threat actor long-term, low-noise visibility into critical network operations. The SCTP capability suggests potential for tracking individuals of interest through subscriber data.
Red Menshen targets internet-facing infrastructure from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts for initial access. Post-compromise tooling includes CrossC2 beacon frameworks, Sliver, TinyShell Unix backdoors, keyloggers, and brute-force utilities for credential harvesting and lateral movement.
A previously undocumented BPFDoor variant conceals trigger packets within seemingly legitimate HTTPS traffic and introduces a novel parsing mechanism, making detection even harder in modern enterprise environments.
Malwarebytes has documented the first macOS campaign combining ClickFix social engineering with a Nuitka-compiled Python infostealer β a significant evolution in macOS threats.
update-check[.]com, sees a fake Cloudflare CAPTCHA verificationcurl command into macOS Terminal.env, config files)Why Nuitka matters: Unlike PyInstaller (which bundles Python with bytecode), Nuitka compiles Python to C code and produces a genuine native binary. There's no obvious bytecode layer to decompile, making reverse engineering and static analysis significantly harder.
The TeamPCP threat actor β already notorious for supply chain attacks on Trivy, KICS, and litellm β has now compromised the Telnyx Python package on PyPI. Two malicious versions (4.87.1 and 4.87.2) were published on March 27, 2026, concealing credential-stealing capabilities inside a .WAV audio file using steganography.
telnyx/_client.py, executed on importImmediately downgrade to Telnyx version 4.87.0. The PyPI project is currently quarantined. Investigate any systems that pulled versions 4.87.1 or 4.87.2 for signs of credential theft.
Multiple security firms β Aikido, Endor Labs, JFrog, Ossprey Security, SafeDep, Socket, and StepSecurity β have confirmed the analysis. The malware targets Windows, Linux, and macOS systems.
| Threat | Severity | Action |
|---|---|---|
| LangChain CVE-2025-68664 | CRITICAL (9.3) | Patch langchain-core to 0.3.81 or 1.2.5 |
| LangChain CVE-2026-34070 | HIGH (7.5) | Patch langchain-core to β₯1.2.22 |
| LangGraph CVE-2025-67644 | HIGH (7.3) | Patch langgraph-checkpoint-sqlite to 3.0.1 |
| Red Menshen / BPFDoor | CRITICAL | Hunt for BPF-based anomalies in telecom/enterprise Linux |
| Infinity Stealer (macOS) | HIGH | Block update-check[.]com; monitor Terminal paste activity |
| Telnyx PyPI (TeamPCP) | CRITICAL | Downgrade to 4.87.0; audit for credential theft |
Get daily cybersecurity intelligence delivered to your feed. KENSAI Security Briefings cover the vulnerabilities, attacks, and threat actors that matter.
Read All Briefings βPublished by KENSAI Security Intelligence Β· March 30, 2026 05:00 CET
Sources: Cyera, Rapid7, Malwarebytes, The Hacker News, BleepingComputer, SecurityWeek