#3 — TeamPCP Hits Five Ecosystems, Axios Gets Hijacked, Agentic Security Goes Mainstream

AppSec Santa Weekly is a weekly newsletter that tracks new AppSec tools and the latest releases from 196+ existing ones. Each issue covers what shipped, what changed, and why it matters.

Last week I covered the Trivy compromise at RSAC. This week, the group behind it — TeamPCP — kept going, hitting Checkmarx KICS, LiteLLM, and Telnyx.

And separately, someone hijacked an axios maintainer’s npm account and pushed a RAT to roughly 100 million weekly downloaders. Whether or not these are connected, it was the worst week for open-source supply chain security in recent memory.

This Week at a Glance

22 releases across 6 active categories this week.

• SCA (8) — Renovate 5 releases, SCANOSS 2 releases, OSV-Scanner v2.3.5 adds Python transitive scanning
• Mobile (6) — Frida 17.9 eBPF spawn gating, Ostorlab adds HarmonyOS, Objection reconnect command
• SAST (4) — SonarLint 12.0, PMD 7.23.0, TruffleHog v3.94.1, Codacy 7.10.1
• IaC Security (2) — Checkov 3.2.511–3.2.513 bug fixes
• ASPM (1) — DefectDojo 2.56.4
• AI Security (1) — Promptfoo 0.121.3

Quiet this week: DAST, IAST, RASP, API Security

But the real story is what happened outside of GitHub releases. Read on.

New on the Radar

TeamPCP supply chain campaign escalates — The threat group behind the Trivy compromise in issue #2 didn’t stop. TeamPCP (also tracked as PCPcat/ShellForce) hit four more targets across three ecosystems in under two weeks. Here’s the full timeline:

• Mar 19 — Trivy (Docker Hub + GitHub Actions): Infostealer in v0.69.4–0.69.6, 75 tags hijacked
• Mar 23 — Checkmarx KICS (GitHub Actions): Multiple tags hijacked via stolen CI/CD secrets
• Mar 24 — LiteLLM (PyPI): Versions 1.82.7–1.82.8 poisoned
• Mar 27 — Telnyx (PyPI): Versions 4.87.1–4.87.2 backdoored
• Mar 31 — axios (npm, unattributed): Versions 1.14.1 and 0.30.4 , maintainer account hijacked, ~100M weekly downloads

The axios hit landed the same week but has no confirmed link to TeamPCP — it may be a separate actor. Either way, the impact is massive. With roughly 100 million weekly npm downloads, axios is one of the most widely used packages in the JavaScript ecosystem.

The compromised versions injected a cross-platform RAT dropper via a malicious plain-crypto-js dependency. Socket and Aikido both published analysis within hours.

The LiteLLM compromise was particularly sophisticated: a multi-stage payload that included credential harvesting (environment variables, SSH keys, cloud credentials, Kubernetes data), encrypted exfiltration via a lookalike domain, Kubernetes lateral movement through privileged pods, and a persistent backdoor via systemd.

The campaign also spawned a self-propagating npm worm across 28+ packages in @EmilGroup and 16 in @opengov.

If you use any of these packages in CI/CD pipelines: check your versions, rotate credentials, and pin dependencies to commit hashes. Datadog’s analysis of the LiteLLM/Telnyx compromise is the most detailed technical write-up.

SonarQube Server 2026.2 — SonarQube released Server 2026.2 on March 25, adding model-agnostic AI CodeFix (works with multiple LLMs), new AI-specific bug detection rules, and expanded language support (Java 25, Python web frameworks, Groovy with 20+ new rules, Apex with sub-5% false-positive rate).

Storybook WebSocket hijacking (CVE-2026-27148) — Aikido discovered that Storybook’s dev server WebSocket has no authentication, enabling XSS, RCE, and supply chain compromise in development environments. Patched in versions 7.6.23, 8.6.17, 9.1.19, 10.2.10. If you run Storybook, update.

RSAC 2026 Post-Conference

Last week’s RSAC coverage focused on launch announcements. This week, the recaps rolled in. The unanimous theme: Agentic AI Security moved from buzzword to operational reality.

Key vendor moves that materialized this week:

• JFrog — Announced MCP Registry and Agent Skills Registry for governing MCP servers, agent skills, models, and AI assets in enterprises
• Black Duck — GA of Black Duck Signal , an agentic AI security platform purpose-built for AI-generated code, using MCP integration
• Checkmarx — Published RSAC recap positioning Agentic Security as the industry’s turning point, with Triage Assist and Remediation Assist agents
• Snyk — Partnered with Tessl for security scoring in agent skills registries
• GitHub — Published Actions 2026 Security Roadmap (secure defaults, policy controls, CI/CD observability)

The irony wasn’t lost on anyone: vendors were announcing “agent security” products while TeamPCP was demonstrating exactly why supply chain security still isn’t solved. The RSAC hallway conversations shifted from “How do I secure AI agents?” to “How do I secure my CI pipeline first?”

Notable Updates

• OSV-Scanner v2.3.5 — Enables transitive scanning for Python requirements.txt files using the deps.dev API. If you scan Python projects with OSV-Scanner, this is a meaningful upgrade — transitive dependency analysis catches vulnerabilities that flat scanning misses.
• Frida 17.9.0 — Adds eBPF spawn gater for Linux and override_option() for host sessions (release notes ). The eBPF addition is significant for mobile security researchers — it enables intercepting process spawns at the kernel level on rooted Android devices. v17.9.1 (Mar 27) fixes a semver pre-release overflow bug.
• PMD 7.23.0 — Fixes HTML report generation, CloseResource false positives, and InsecureCryptoIv false negatives (release notes ). The InsecureCryptoIv fix is a security-relevant improvement.
• DefectDojo 2.56.4 — Maintenance release (upgrade guide ).
• SonarLint 12.0.0 — Major release for IntelliJ with updated analysis engine (JIRA ). Notable timing — shipped the same week as SonarQube Server 2026.2.

SCA

SCA leads for the third straight week with 8 releases across the SCA category .

Renovate shipped 5 releases (43.100.1 through 43.101.2), including config validation documentation for Mend Hosted and a Docker base image update. The cadence is normal for Renovate.

SCANOSS shipped two releases: v1.50.1 fixed bom.replace rules silently dropping license fields, and v1.51.0 added --format raw option to folder-scan for exporting HFH results in snippet-scanner JSON format.

OSV-Scanner v2.3.5 is covered in Notable Updates above — the Python transitive scanning via deps.dev is the highlight.

Mobile Security

Mobile was the second busiest category with 6 releases.

Frida shipped three releases (17.8.3 through 17.9.1). The 17.9.0 release is the noteworthy one — eBPF spawn gating for Linux enables kernel-level process interception. Covered in Notable Updates.

Ostorlab v1.16.0 added Docker image download retry logic, and v1.16.1 brought HarmonyOS support with new metadata and asset handling. HarmonyOS support is an interesting move — Huawei’s mobile OS has growing market share outside the US, and mobile security tools that support it will have an edge in APAC markets.

Objection 1.12.4 added a reconnect command and reconnect_spawn for reattaching to targets. If you use Objection for mobile pentesting, this saves time on repeated app restarts during analysis sessions.

SAST

PMD 7.23.0 and SonarLint 12.0.0 are the notable releases, both covered in Notable Updates. TruffleHog v3.94.1 refactored SourceMetadataFunc signatures across git sources. Codacy 7.10.1 was a minor release.

Quiet This Week

No GitHub releases from DAST , IAST , RASP , or API Security .

Deals & Funding

• RunSybil raised $40M (Khosla Ventures lead) — AI autonomous pentesting startup founded by OpenAI’s first security hire
• Native raised $42M (out of stealth) — Cloud security control plane, founded by AWS veterans
• Palo Alto Networks acquiring CyberArk for $25B — Identity security mega-deal
• ServiceNow agreed to acquire Armis for $7.75B — IoT/OT security meets IT service management (deal expected to close H2 2026)

Quick Hits

• Checkov 3.2.511 prevents run failure on invalid policies; 3.2.513 logging update
• Promptfoo 0.121.3 adds block-no-verify PreToolUse hook to Claude settings
• SCANOSS v1.50.1 fixes bom.replace license field loss
• GitHub Copilot data privacy update : starting April 24, Free/Pro/Pro+ user interaction data may train models unless opted out

On AppSec Santa This Week

Updated this week:

• Trivy Added TeamPCP campaign expansion details (Checkmarx KICS, LiteLLM, Telnyx, axios)
• SonarQube Added Server 2026.2 with AI CodeFix and expanded language support
• Frida

Updated to v17.9.1 with eBPF spawn gating

• OSV-Scanner Updated to v2.3.5 with Python transitive scanning
• Objection Updated to 1.12.4 with reconnect command

Worth Reading

• Socket: axios npm package compromised — Real-time analysis of the axios maintainer account hijacking. Socket detected the malicious versions within hours. If you want to understand how modern supply chain detection works in practice, this is a good case study.

• Datadog: LiteLLM and Telnyx compromised on PyPI — Deep technical analysis of the multi-stage LiteLLM payload: credential harvesting, encrypted exfiltration, Kubernetes lateral movement, and persistent backdoor. The most detailed write-up on TeamPCP’s techniques.

• Semgrep: Security Companies Under Attack — Published March 26, analyzing how security vendors themselves are being targeted. Prescient timing given the TeamPCP campaign hitting Trivy and Checkmarx KICS.

• GitHub Actions 2026 Security Roadmap — Secure defaults, policy controls, and CI/CD observability features coming this year. Directly relevant given how TeamPCP exploited GitHub Actions.

Wrapping Up

That’s issue #3. 22 releases tracked, but the supply chain attacks are the story. TeamPCP hit multiple ecosystems across Docker Hub, GitHub Actions, and PyPI.

The axios npm compromise — whether related or not — affected a package with roughly 100 million weekly downloads. If your organization runs CI/CD pipelines — and every organization does — this is your wake-up call to pin dependencies, rotate credentials, and audit your supply chain.

I track 70 GitHub repos, 89 vendor blogs, and industry news sources every week. If a tool ships a release, changes its pricing, or gains traction — it’ll show up here.

If you found this useful, forward it to a colleague who’d benefit.

And if I missed something or got something wrong, just reply — I read every response.

See you next Tuesday.

AppSec Santa Weekly covers new tools and the latest releases from 196+ AppSec tools. Browse all tools or subscribe for weekly updates.