500k Creds in 7 Days: Free AV Fail Dunks US Corps

TL;DR

  • Microsoft Defender and macOS XProtect remain primary defenses as enterprises face rising endpoint threats, per 2026 security trends
  • TeamPCP expands campaign to target Checkmarx KICS scanner and OpenVSX extensions, exfiltrating 300GB of corporate credentials
  • TeamPCP supply chain attack compromises LiteLLM on PyPI, exfiltrates 500K+ credentials via backdoored versions 1.82.7 and 1.83.8

🧨 99% Detection, 100% Delusion: Free AV Fails AI Malware Surge

70% of corp laptops still lean on freebie AV like it’s 1998—yet AI malware laughs in 99% detection faces! 🧨 30% faster breach time, 0% dignity left. Your “zero-cost” Defender moment? A credential-theft piñata. US enterprises—wake TF up: layer or be laid bare. Who’s still disabling MFA to "speed up" Outlook?

Microsoft Defender and macOS XProtect still ship with every laptop, but 99 % lab scores don’t stop the 70 % of breaches that start with a stolen password. Built-in scanners chew only 3-5 % of your disk I/O—nice—yet miss credential-theft that sidesteps signatures entirely. Translation: the box is “protected,” the user is still toast.

  • Detection: ≥ 99 % malware caught → 0 % empathy for the one that lands.
  • Performance: 1-2 % CPU hit → 100 % user rage when false positives nuke Excel.
  • Coverage: 10 000 endpoints per firm → 30 % faster MTTD only if you bolt on extra telemetry that costs actual money.

How we got here without noticing

  • 2026: Defender bundles Smart App Control, BitLocker, MFA nags—Microsoft’s polite way of saying “please don’t buy Symantec.”
  • Apple drip-feeds XProtect cloud lists daily; Gatekeeper still waves through anything signed with a $299 stolen dev cert.
  • Labs crown both “top tier,” yet no product blocks 100 % of phishing; humans click anyway.

What happens next (spoiler: more invoices)

  • 2026 Q4: 18 % YoY jump in EDR purchases—compliance auditors discovered AI malware, panic ensues.
  • 2027: Defender 2.0 pushes kernel-level ML; IT budget line item for “telemetry storage” appears.
  • 2029: >80 % of firms run layered XDR; native AV relegated to checkbox on SOC wall of shame.

Bottom line: the free shield keeps the casual riff-raff out, but the real enemy is your own credentials wandering off with a phishing link. Until the OS ships a “don’t-be-stupid” patch, budget for identity controls or keep a breach-response retainer warm—both cost more than that shiny zero-dollar antivirus.


😱 500 000 Cloud Creds Looted: Trivy, KICS Backdoored in Global Supply-Chain Heist

500k creds jacked in 7 days—your scanner just snitched on you! 😱 That’s 5× the pop. of Iceland, now for sale. Trivy & KICS turned Judas while you were sipping coffee. VW-size giants already getting ransom-dunked—who’s next, your startup? Rotate or rot, fam.

TeamPCP slipped a 300 GB needle into the DevOps haystack last week, and every “trusted” badge in your CI pipeline helped.

How did a typo own the toolchain?

  • Push 75 poisoned Trivy tags → GitHub Actions auto-runs them.
  • One fake KICS tag (2.2.3-28) phones home to checkmarx.zone.
  • RSA-4096 signature looks legit; AES-256 blob hides the loot.
  • Result: 500 000 cloud keys, DB creds, VPN configs—compressed, encrypted, gone.

Impacts, translated to human

  • Wallet: Crypto wallets drained before you finished your stand-up.
  • Reputation: “We scan for security” now equals “We leaked it.”
  • Budget: Rotating every principal, key, and token in a global fleet costs more than your Q2 coffee bill—times ten.

What happens next

  • 0–30 days: PyPI/GitHub yank packages; interns become full-time key-rotators.
  • 3–12 months: New compliance checkbox “SLSA Level 3 or GTFO”; vendors slap Sigstore stickers on slide decks while hoping nobody audits.

Cheap defense for the rest of us

  1. Mirror every third-party action in-house; diff updates like your life depends on it—because it does.
  2. Burn every credential older than your last grocery run; automate it with 20 lines of bash and a cron job.
  3. Route CI egress through a DNS sinkhole that answers “scan.typo” with 0.0.0.0—zero cost, zero mercy.
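
One way to do the "diff updates" step from item 1, as an added example (not code from the original page or from any project named on it): compare two saved snapshots of `git ls-remote --tags` output for a mirrored action and report every tag that now points at a different commit. The snapshot contents, tag names and SHAs below are constructed.

```python
"""Detect moved (force-pushed) tags between two `git ls-remote --tags` snapshots."""


def parse_ls_remote(text):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry of annotated tags."""
    tags, peeled = {}, {}
    for line in text.strip().splitlines():
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha   # commit behind an annotated tag object
        else:
            tags[name] = sha
    tags.update(peeled)               # the peeled SHA is the commit that gets checked out
    return tags


def diff_tags(baseline, current):
    """Compare two snapshots; a 'moved' tag is the signal to block the update and review."""
    old, new = parse_ls_remote(baseline), parse_ls_remote(current)
    return {
        "moved": sorted(t for t in old if t in new and old[t] != new[t]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


# Constructed sample data: SHAs are placeholders, not real commits.
A, B, C, D = "a" * 40, "b" * 40, "c" * 40, "d" * 40
BASELINE = "\n".join([
    A + "\trefs/tags/v1.0.0",
    B + "\trefs/tags/v1.1.0",        # annotated tag object
    C + "\trefs/tags/v1.1.0^{}",     # commit it points at
])
CURRENT = "\n".join([
    D + "\trefs/tags/v1.0.0",        # same tag name, different commit
    B + "\trefs/tags/v1.1.0",
    C + "\trefs/tags/v1.1.0^{}",
    D + "\trefs/tags/v1.2.0",
])

if __name__ == "__main__":
    print(diff_tags(BASELINE, CURRENT))
```

Run it in the mirror job before syncing: a non-empty `moved` list means an existing release tag was rewritten upstream, which a normal release process does not do.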

The takeaway

If your security scanner can be weaponized to steal secrets, it’s not a scanner—it’s a conveyor belt for crooks. Turn the belt off, or keep feeding TeamPCP’s 300 GB habit.


💥 95M Downloads Hijacked: LiteLLM PyPI Poisoning Loots 500K US Cloud Keys

95 M downloads in 3 h & LiteLLM turned your laptop into a free Airbnb for TeamPCP—500 k creds Airbnb’d, 300 GB squatted 💥 While you pip-installed, they systemd-Airbnb’d your AWS keys. US corps, your cloud is now a hostile sublet—rotate or keep paying rent to Vlad!

LiteLLM v1.82.7 & 1.83.8, posted 24 Mar, carried a 34 kB .pth tapeworm that auto-fired the second Python woke up. Three hours on PyPI = 9.5 million daily pulls, now a credential piñata of 500 000+ SSH, cloud and K8s keys.

How the worm turned

  • Compromised CI keys to Aqua’s Trivy scanner let TeamPCP force-push a tainted GitHub Action.
  • That Action injected the same RSA-4096 public key into LiteLLM wheels.
  • site-packages loads litellm_init.pth → spawns sysmon.service → scrapes every ~/.aws, ~/.ssh, SA token and .env in sight, compresses 40 kB per host, AES-wraps it, phones home to models.litellm.cloud.

Impact in one breath

  • Cloud bills: 300 GB of your secrets now touring Eastern Europe.
  • DevOps budget: rotation sprint = ~1 000 engineer-days of unpaid overtime.
  • Legal heat: regulators love multi-cloud breaches—fines scale with “negligence”; expect 7-digit numbers.
  • AI pipeline trust: LangChain, DSPy, Anthropic, OpenAI et al. all ingest LiteLLM—your shiny LLM stack is a transitive traitor.

What actually works (no vendor fairy dust)

  • pip uninstall those versions—then hunt ~/.config/sysmon/ and nuke the service.
  • Rotate everything, not just “the important” keys; the malware vacuumed metadata too.
  • Switch PyPI to “Trusted Publishers” so a stolen PAT can’t push squat.
  • Sign your builds; reproduce them; stop @v3 tag roulette in CI.
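
The `.pth` hunt described above, as an added example that is not the page's or LiteLLM's own code: Python's `site` module executes any `.pth` line that starts with `import`, so this audit lists those lines for every `.pth` file in the site-packages directories. The 4 KiB size limit, the token list and the file name `sample_init.pth` are assumptions made for the illustration.

```python
import os
import re
import site
import tempfile

# Assumptions for this example: token list and size limit are illustrative heuristics.
SUSPICIOUS = re.compile(r"\b(exec|eval|base64|subprocess|os\.system|urllib|socket)\b")
SIZE_LIMIT = 4096  # ordinary .pth files are a few hundred bytes


def audit_pth(path):
    """Return findings for one .pth file, mirroring how site.py reads each line."""
    findings = []
    size = os.path.getsize(path)
    if size > SIZE_LIMIT:
        findings.append(f"oversized ({size} bytes)")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            # site.py exec()s lines that begin with "import " or "import\t";
            # every other non-comment line is only a path appended to sys.path.
            if line.startswith(("import ", "import\t")):
                tag = "exec+suspicious" if SUSPICIOUS.search(line) else "exec"
                findings.append(f"line {n}: {tag}: {line.strip()[:80]}")
    return findings


def audit_dirs(dirs):
    """Map .pth file path -> findings for every file that has at least one."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                hits = audit_pth(path)
                if hits:
                    report[path] = hits
    return report


def demo():
    """Constructed sample directory: one plain path entry, one executable line."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "plain.pth"), "w") as fh:
            fh.write("# comment\n./vendor/libs\n")
        with open(os.path.join(d, "sample_init.pth"), "w") as fh:
            fh.write("import base64, subprocess  # constructed line, never loaded\n")
        return audit_dirs([d])
```

Call `audit_dirs(site.getsitepackages() + [site.getusersitepackages()])` on a real host; plain `exec` findings also appear for some legitimate tooling, so triage those by package and treat oversized or `exec+suspicious` entries first.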

Outlook—calendar of joy

  • 0-30 days: class-action letters land; expect “we take your security seriously” spam.
  • 30-90 days: insurers hike premiums >15 % for any repo that touches AI gateways.
  • ≥90 days: SBOM bills become law; budget 5 % of dev-op spend for supply-chain bouncers or keep bleeding keys.

The takeaway: open-source convenience just externalised your security budget to a bunch of strangers. Until the ecosystem stops trusting version tags like gospel, “pip install” is Russian roulette with a fully loaded chamber.


In Other News

  • Meta held liable by New Mexico jury for misleading consumers on child safety, ordered to pay $75M in penalties
  • Google integrates Post-Quantum Cryptography (ML-DSA) into Android 17 beta to protect bootloader, keystore, and remote attestation
  • Ubuntu 26.10 to strip signed GRUB bootloader features for enhanced security, dropping ZFS, LVM, and Btrfs support
  • Amazon EKS introduces session policies to dynamically scope IAM permissions without new roles