Recent interconnected supply chain incidents and newly disclosed vulnerabilities require immediate attention from security teams protecting developer workstations. While organizations frequently prioritize hardening production environments, developments involving Checkmarx, Aqua Security, and widely used AI coding assistants show that unauthorized parties are shifting focus to the software development life cycle (SDLC). By compromising trusted development tools, these groups aim to establish access during the earliest stages of software creation.
Immediate remediation is necessary for a widening supply chain incident attributed to the threat group TeamPCP. Following unauthorized access to Aqua Security’s Trivy project, Checkmarx reported this morning that unauthorized parties modified its "Keeping Infrastructure as Code Secure" (KICS) GitHub Action and two VS Code plugins. This campaign has rapidly expanded to include the Litellm Python package on PyPI, a component integrated into an estimated 36% of modern cloud environments for AI development. Organizations running automated pipelines using the affected KICS action during a four-hour window on March 23, or downloading the compromised VS Code plugins from the OpenVSX registry on that date, must treat their environments as exposed.
The technical mechanics of these incidents center on credential exfiltration. TeamPCP leveraged compromised privileged credentials and automated service accounts to inject credential-harvesting software into dozens of software versions. Once active, this software targets sensitive data, including SSH keys, cloud provider credentials, API tokens, and Docker configurations. This creates a "snowball effect", a term the threat group used in public Telegram messages—where stolen secrets from one exposure immediately enable subsequent access. The inclusion of the Queen song "The Show Must Go On" in their deployment metadata indicates the group plans to maintain focus on popular open-source projects.
Alongside risks to code-scanning utilities, researchers sharing data at the RSAC 2026 Conference detailed systemic vulnerabilities in the tools used to write code. The rapid adoption of AI coding assistants, including Claude Code, Cursor, and Google’s Gemini—introduces architectural changes that bypass traditional endpoint detection and response (EDR) and browser isolation. Because these AI agents require deep access to local filesystems and developer configurations to function, they operate with elevated permissions that complicate standard endpoint security measures.
Analysis from the conference details how these tools interpret configuration metadata as active instructions. In one high-severity flaw affecting Claude Code (CVE-2025-59536), unauthorized parties can manipulate "hooks", user-defined shell commands—to execute code before a user accepts a trust dialog. Similarly, the Cursor platform contains a remote code execution vulnerability (CVE-2025-54136) where authorization for a plugin is bound to its name rather than a cryptographic hash. This allows a benign, approved command to be swapped for an unauthorized one after the developer grants permission. These vulnerabilities turn AI assistants into unintended access points, processing "Configuration as Code" in ways that existing security products struggle to monitor or distinguish from routine developer activity.
The scale of this risk is compounded by "TroyDen's Lure Factory," a massive operation recently identified by Netskope Threat Labs. This campaign uses AI-generated lures to distribute over 300 compromised GitHub packages, ranging from AI deployment tools like OpenClaw to gaming utilities and VPN software. The operation relies on a dual-component design: a renamed Lua runtime paired with an encrypted script. When analyzed individually, these files appear benign to automated sandboxes. Executed together, they trigger anti-analysis checks. Including a 29,000-year "sleep" delay to outlast timed sandboxes—before exfiltrating full-desktop screenshots and credentials to a command-and-control server in Frankfurt.
We recommend an immediate strategy shift for defensive teams. The priority for any organization potentially exposed during the Checkmarx or Litellm incidents is a comprehensive rotation of all secrets. This includes personal access tokens (PATs), cloud IAM keys, and API credentials. Because the credential-harvesting software targets a broad range of tokens, partial rotation is insufficient; defenders should proceed under the assumption that all secrets present on a developer's workstation or within a CI/CD environment at the time of the incident are compromised.
In addition to reactive secret rotation, the vulnerabilities in AI assistants necessitate a transition toward zero-trust developer environments. Security teams should treat developer workstations as a critical perimeter and enforce strict isolation for AI-automated tasks. Executing AI-driven shell commands within a sandbox is now a foundational requirement for securing these workflows. Organizations must also adopt policies where configuration files (.env,.json,.toml) undergo the same scrutiny as executable binaries. Any GitHub-hosted download pairing a renamed interpreter with an opaque data file should prompt manual contextual review, as these are primary indicators of the stealthy LuaJIT-based threats observed in the "Lure Factory" campaign.
The convergence of automated distribution networks and vulnerable AI agents indicates that the volume of supply chain risks will soon outpace traditional manual triage. Threat groups are successfully using AI to scale their infrastructure and identify subtle bypasses in developer workflows. The collaboration between groups like TeamPCP and extortion units like LAPSUS$ suggests that credential theft serves as the entry point for lateral movement and data ransom.
At this stage, the exact mechanism for the unauthorized code injection in the Checkmarx KICS action remains under investigation, and several CVSS scores for the newly disclosed AI assistant vulnerabilities are still pending. As the industry processes these disclosures, protecting the developer environment requires moving beyond automated scanning to proactive secret management and behavioral isolation. We work with security teams to implement these controls and safeguard the software development life cycle.