剣 KENSAI
← All posts · security · 2026-03-30 · 4 min

LangChain Triple CVE Exposes AI Stacks, Red Menshen BPFDoor Haunts Telecom Backbone, Infinity Stealer Hits macOS, TeamPCP Hides Malware in WAV Files

Three critical vulnerabilities in the world's most popular AI framework give attackers independent paths to drain enterprise secrets. A China-nexus threat actor has embedded kernel-level sleeper cells deep inside telecom infrastructure. A new macOS infostealer uses Nuitka-compiled Python to evade detection. And the TeamPCP supply chain campaign now targets the Telnyx PyPI package using audio steganography.


🔴 LangChain & LangGraph: Three CVEs, Three Paths to Your Enterprise Data

Cyera security researcher Vladimir Tokarev disclosed three independent vulnerabilities in LangChain and LangGraph — the open-source AI frameworks downloaded over 84 million times per week from PyPI. Each flaw exposes a different class of enterprise data: filesystem files, environment secrets, and conversation history.

The Triple Threat

CVECVSSTypeImpact
CVE-2026-340707.5Path TraversalArbitrary file read via prompt-loading API — no validation on template paths
CVE-2025-686649.3DeserializationLeaks API keys and environment secrets by tricking the app into treating input as a serialized LangChain object
CVE-2025-676447.3SQL InjectionArbitrary SQL queries against LangGraph's SQLite checkpoint database via metadata filter keys

⚠️ Critical Context

CVE-2025-68664 (CVSS 9.3) allows an attacker to siphon all API keys and environment variables from the LangChain deployment via prompt injection. This is a "LangGrinch" variant first identified by Cyata in December 2025 — now with a confirmed exploitation path.

Why This Matters Beyond LangChain

"LangChain doesn't exist in isolation," Cyera warned. "It sits at the center of a massive dependency web that stretches across the AI stack. Hundreds of libraries wrap LangChain, extend it, or depend on it." When a vulnerability exists in LangChain's core, it ripples outward through every downstream library, wrapper, and integration that inherits the vulnerable code path.

This disclosure comes days after CVE-2026-33017 in Langflow was actively exploited within 20 hours of public disclosure — sharing the same root cause of unauthenticated code execution.

Patch Now


🔴 China-Linked Red Menshen Deploys BPFDoor Sleeper Cells Inside Telecom Backbone

Rapid7 has uncovered a long-term espionage campaign attributed to Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, Red Dev 18) — a China-nexus threat actor that has embedded itself deep within telecom networks across the Middle East and Asia since at least 2021.

Rapid7 described the covert access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks.

How BPFDoor Works

The core weapon is BPFDoor, a Linux backdoor that operates at the kernel level by abusing Berkeley Packet Filter (BPF) functionality. Unlike conventional malware:

🎯 Strategic Implications

BPFDoor doesn't just provide backdoor access — it functions as an access layer embedded within the telecom backbone, giving the threat actor long-term, low-noise visibility into critical network operations. The SCTP capability suggests potential for tracking individuals of interest through subscriber data.

Attack Chain

Red Menshen targets internet-facing infrastructure from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts for initial access. Post-compromise tooling includes CrossC2 beacon frameworks, Sliver, TinyShell Unix backdoors, keyloggers, and brute-force utilities for credential harvesting and lateral movement.

A previously undocumented BPFDoor variant conceals trigger packets within seemingly legitimate HTTPS traffic and introduces a novel parsing mechanism, making detection even harder in modern enterprise environments.


🟡 Infinity Stealer: New macOS Malware Combines ClickFix with Nuitka Evasion

Malwarebytes has documented the first macOS campaign combining ClickFix social engineering with a Nuitka-compiled Python infostealer — a significant evolution in macOS threats.

The Attack Chain

  1. ClickFix Lure: Victim visits update-check[.]com, sees a fake Cloudflare CAPTCHA verification
  2. Terminal Command: User is tricked into pasting a base64-obfuscated curl command into macOS Terminal
  3. Nuitka Loader: An 8.6 MB Mach-O binary containing a 35MB zstd-compressed archive with the stealer payload
  4. Data Exfiltration: Stolen data sent via HTTP POST; Telegram notification alerts attackers upon completion

What Gets Stolen

Why Nuitka matters: Unlike PyInstaller (which bundles Python with bytecode), Nuitka compiles Python to C code and produces a genuine native binary. There's no obvious bytecode layer to decompile, making reverse engineering and static analysis significantly harder.


🟡 TeamPCP Hijacks Telnyx PyPI Package, Hides Stealer in WAV Audio Files

The TeamPCP threat actor — already notorious for supply chain attacks on Trivy, KICS, and litellm — has now compromised the Telnyx Python package on PyPI. Two malicious versions (4.87.1 and 4.87.2) were published on March 27, 2026, concealing credential-stealing capabilities inside a .WAV audio file using steganography.

Three-Stage Attack on Linux/macOS

  1. Delivery: Malicious code injected into telnyx/_client.py, executed on import
  2. Extraction: Audio steganography decodes the payload from a WAV file — hiding malware in plain sight
  3. Execution: In-memory data harvester targets credentials and environment secrets

⚠️ Action Required

Immediately downgrade to Telnyx version 4.87.0. The PyPI project is currently quarantined. Investigate any systems that pulled versions 4.87.1 or 4.87.2 for signs of credential theft.

Multiple security firms — Aikido, Endor Labs, JFrog, Ossprey Security, SafeDep, Socket, and StepSecurity — have confirmed the analysis. The malware targets Windows, Linux, and macOS systems.


📋 Quick Reference

ThreatSeverityAction
LangChain CVE-2025-68664CRITICAL (9.3)Patch langchain-core to 0.3.81 or 1.2.5
LangChain CVE-2026-34070HIGH (7.5)Patch langchain-core to ≥1.2.22
LangGraph CVE-2025-67644HIGH (7.3)Patch langgraph-checkpoint-sqlite to 3.0.1
Red Menshen / BPFDoorCRITICALHunt for BPF-based anomalies in telecom/enterprise Linux
Infinity Stealer (macOS)HIGHBlock update-check[.]com; monitor Terminal paste activity
Telnyx PyPI (TeamPCP)CRITICALDowngrade to 4.87.0; audit for credential theft