The Lyceum: Cybersecurity Daily — Mar 26, 2026

The supply chain is still burning, and the fire is spreading room to room. TeamPCP — the criminal group behind the Trivy scanner compromise — just poisoned a popular AI gateway library on PyPI, confirming this isn't a one-off but a conveyor belt. Meanwhile, CISA's remediation deadline for two CVSS 9.8 flaws in Hikvision cameras and Rockwell industrial software expires today, a full-chain iPhone exploit kit is now public on GitHub, and a tax-season malvertising campaign is actively blinding endpoint security tools before robbing victims. It's a patch-or-perish morning.

• CVE-2026-21385 — Qualcomm display component (234 Android chipsets): patched via Android March 2026 security bulletin, high-severity memory corruption, actively exploited in limited, targeted attacks.
• CVE-2026-21262 — Microsoft SQL Server 2016+: patched (March 2026 Patch Tuesday), CVSS 8.8 Elevation of Privilege, publicly disclosed zero-day, no active exploitation confirmed.
• CVE-2026-26127 — Microsoft .NET 9.0/10.0: patched (March 2026 Patch Tuesday), CVSS 7.5 Denial of Service, publicly disclosed zero-day, no active exploitation confirmed.

If you use LiteLLM — the Python library that lets developers talk to multiple large language models through a single API — two poisoned versions sat on the official PyPI repository until yesterday.

On March 24, versions 1.82.7 and 1.82.8 of LiteLLM were published to PyPI by attackers using credentials stolen during an earlier phase of the TeamPCP campaign, the same criminal operation that compromised the Trivy vulnerability scanner on March 19 and then pivoted into Checkmarx's CI/CD workflows. This wasn't a typosquatting trick with a similarly named package — this was the real project, hijacked. GoSecure's analysis traces the chain directly: stolen Trivy credentials enabled the Checkmarx compromise, and that compromise enabled the LiteLLM poisoning. One breach became the skeleton key for the next.

What changes if this pattern continues: every open-source dependency in your build pipeline becomes a potential propagation vector, not just a risk in isolation. TeamPCP is demonstrating that a single set of stolen CI/CD credentials can cascade across unrelated projects in days. PyPI has quarantined LiteLLM, but any environment that pulled those versions should be treated as fully compromised — secrets, environment variables, source code, all of it.

What to watch: if a fourth project surfaces with TeamPCP's credential-stealer payload this week, it confirms the group has automated the hop-and-poison cycle. The signal will be another popular open-source tool suddenly publishing an unexpected minor version bump with obfuscated code in its post-install hook.

CISA added CVE-2026-33017 — a CVSS 9.3 remote code execution flaw in Langflow, the open-source platform for building AI agent workflows — to its Known Exploited Vulnerabilities catalog on March 25. Federal civilian agencies must patch by April 8.

The timeline is the story. Sysdig observed the first exploitation attempts within 20 hours of the advisory's March 17 publication, with no public proof-of-concept code available at the time. Attackers reverse-engineered working exploits directly from the patch diff — the same document your team reads to understand what changed. Per Rapid7's 2026 Global Threat Landscape Report, the median time from vulnerability publication to KEV inclusion has dropped to five days, while the median time for organizations to actually deploy patches sits at roughly 20 days. That's a 15-day window where defenders are exposed and attackers are already inside.

If your organization runs Langflow or any internet-exposed AI/ML tooling, patch now and remove public access until you do. If you miss the April 8 deadline, you become exactly the kind of straggler that threat actors scan for following federal deadlines.

A full-chain exploit kit for iOS 18 and earlier — dubbed DarkSword — was dumped publicly on GitHub yesterday. It chains six vulnerabilities, including three zero-days, to achieve complete device control: contacts, messages, call logs, keychain passwords (your saved app logins and WiFi credentials), all exfiltrated silently. iVerify and Google's Threat Analysis Group flagged it as repurposed state-grade spyware now going commercial. Apple released an emergency update to close the chain.

This matters beyond individual phones. Mobile devices are primary authentication factors for enterprise MFA and SSO. A compromised iPhone isn't just a personal privacy problem — it's a session-token harvesting opportunity that can unlock corporate accounts. FreeBuf's Chinese-language technical analysis confirms the kit's sophistication and notes its modular design makes adaptation to future iOS versions straightforward. (Source: FreeBuf — Chinese).

The failure scenario is slow adoption of the emergency update. Every week of delay gives attackers time to fork DarkSword's public code into commodity campaigns targeting the long tail of devices that never update. Watch app store analytics and MDM compliance dashboards — if your fleet's update rate is below 80% within two weeks, you have a measurable exposure window.

Today — March 26 — is the CISA-mandated remediation deadline for two CVSS 9.8 vulnerabilities in Hikvision IP cameras and Rockwell Automation ThinManager, both confirmed exploited in the wild.

The Rockwell flaw involves insufficient credential protection in Studio 5000 Logix Designer. An attacker with network access to a Logix controller — the device running physical industrial processes — can connect directly without proper authorization. The Hikvision vulnerability is equally severe and affects a camera platform deployed in countless businesses, hospitals, and government facilities as physical security infrastructure.

Industrial control system vulnerabilities don't just threaten data — they threaten physical equipment, manufacturing lines, and building systems. Both patches have been available for weeks. With the federal deadline arriving today, expect proof-of-concept exploits to surface publicly within days, as attackers routinely use KEV deadlines as a shopping list for where to start scanning. If you haven't patched, you're about to become the path of least resistance.

Xakep.ru reports that Tycoon2FA — the phishing-as-a-service platform specifically designed to bypass multi-factor authentication on Microsoft 365 and Google accounts — has rebuilt its infrastructure and resumed operations after a recent law enforcement disruption. The platform uses adversary-in-the-middle techniques to intercept session tokens in real time, rendering standard MFA ineffective. Its return means the MFA-bypass phishing market has no meaningful downtime, and defenders should expect a fresh wave of token-theft campaigns within days. (Source: Xakep.ru — Russian). No English-language coverage confirmed at time of publication.

Xakep.ru reports that a cyberattack on Intoxalock — a major U.S. provider of ignition interlock devices (court-ordered breathalyzer systems that prevent a car from starting if the driver has been drinking) — left vehicles unable to start. The attack disrupted the backend systems that manage device calibration and compliance reporting, effectively stranding drivers whose cars require a functioning interlock to operate. This is a vivid example of how attacking a SaaS backend can produce immediate physical-world consequences for thousands of people. (Source: Xakep.ru — Russian). No English-language coverage confirmed at time of publication.

CERT-UA Advisory #19542 documents UAC-0001 (APT28, Russia's GRU-linked threat group) conducting active cyberattacks against Ukraine and EU member states using an exploit for CVE-2026-21509. The advisory provides indicators of compromise and tactical details for defenders in affected sectors. This is a live, state-sponsored campaign with cross-border reach. (Source: CERT-UA — Ukrainian). No English-language coverage confirmed at time of publication.

A criminal group using stolen keys to poison the tools that check for poison, a tax-season Google Ad that blinds your antivirus before it robs you, and a breathalyzer vendor hack that turned court-ordered sobriety devices into bricks.

Somewhere, a security researcher is drafting a responsible disclosure email and their cursor is hovering over the send button, wondering if they'll get a thank-you note or a cease-and-desist.

Stay patched, stay skeptical.

If someone you know runs WordPress, Node.js, or an iPhone that hasn't been updated this week — forward this their way.