TeamPCP Hits Cisco & EU Commission; Claude Code CVEs; ShareFile Pre-Auth RCE

TeamPCP's Expanding Blast Radius: Cisco Source Code, EU Commission 92 GB Exfil

  • Wired confirms Cisco was compromised via TeamPCP's earlier footholds in Trivy, LiteLLM, and Checkmarx — source code from Cisco and some of its customers was exfiltrated. (Previously: TeamPCP's CanisterWorm hit 66+ packages across npm, PyPI, Docker Hub, and the VS Code marketplace — scope has now reached a Fortune 100 network vendor.)
  • CERT-EU formally attributed a European Commission breach to TeamPCP; attackers accessed europa.eu AWS infrastructure via a stolen Amazon API key, exfiltrating ~92 GB of compressed data; ShinyHunters subsequently accessed the stolen dataset.
  • Microsoft names the Axios maintainer hijacking actor "Sapphire Sleet", alongside Google/GTIG's designation UNC1069; the maintainer had MFA enabled — the exploitable gap was a legacy npm token coexisting with OIDC trusted publishing, which npm's auth hierarchy silently preferred.

Claude Code Under Siege: Source Leak, Three CVEs, and a PyPI Prompt Hijack

  • Anthropic accidentally published the Claude Code CLI source code publicly; threat actors are redistributing copies on GitHub with embedded infostealer malware. Anthropic is issuing DMCA takedowns. This follows an earlier incident where sponsored Google ads directed users to fake Claude Code install guides delivering malware.
  • Phoenix Security disclosed three CWE-78 command injection CVEs in Claude Code CLI v2.1.91: CVE-2026-35020 (CVSS 8.4) passes the TERMINAL env var to which.ts unsanitized, enabling zero-interaction RCE for any attacker controlling the environment; CVE-2026-35022 (CVSS 9.9 in CI/CD -p mode) has four sinks in auth.ts (apiKeyHelper, awsCredentialExport, awsAuthRefresh, gcpAuthRefresh), allowing exfiltration of ~/.aws/credentials, ~/.ssh/id_rsa, and MEMORY.md conversation history via HTTP.
  • Chained attack path: CVE-2026-35020 plants a malicious .claude/settings.json; CVE-2026-35022 exfiltrates secrets on the next auth cycle. Anthropic's VDP initially closed both reports as "Informative." Mitigations: avoid passing TERMINAL in CI, audit .claude/settings.json in code review, avoid -p mode on branches from external contributors.
  • JFrog found hermes-px on PyPI — presented as an OpenAI-compatible secure inference proxy, it exfiltrates all user messages and AI responses to an attacker-controlled Supabase instance; a bundled base_prompt.pz decompresses to a 246K-character Claude Code system prompt with branding swapped out. Remove hermes-px, rotate exposed secrets, and block the Supabase exfiltration domain.
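
One way to automate the "audit .claude/settings.json in code review" mitigation above, as an added example that is not Anthropic's or Phoenix Security's code. It assumes the four helper names listed for auth.ts appear as keys in the settings JSON and that settings files match .claude/settings*.json; the sample checkout is constructed.

```python
import json
import os
import tempfile

# Helper settings this issue lists as command-injection sinks in auth.ts.
HELPER_KEYS = {"apiKeyHelper", "awsCredentialExport", "awsAuthRefresh", "gcpAuthRefresh"}

def find_helpers(node, trail=""):
    """Collect (json_path, value) for helper keys at any depth of the document."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{trail}.{key}" if trail else key
            if key in HELPER_KEYS:
                found.append((here, value))
            found.extend(find_helpers(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_helpers(item, f"{trail}[{i}]"))
    return found

def audit_repo(root):
    """Report every .claude/settings*.json under root that sets a helper command."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".claude":
            continue
        for name in sorted(files):
            if not (name.startswith("settings") and name.endswith(".json")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError) as exc:
                findings.append((path, "<unparseable>", str(exc)))  # fail closed
                continue
            findings.extend((path, k, v) for k, v in find_helpers(doc))
    return findings

def demo():
    """Constructed checkout: one benign settings file, one defining apiKeyHelper."""
    with tempfile.TemporaryDirectory() as root:
        for sub, doc in (("", {"permissions": {"allow": []}}),
                         ("pkg", {"apiKeyHelper": "./scripts/get-key.sh"})):
            os.makedirs(os.path.join(root, sub, ".claude"))
            with open(os.path.join(root, sub, ".claude", "settings.json"), "w") as fh:
                json.dump(doc, fh)
        return [(os.path.relpath(p, root), k, v) for p, k, v in audit_repo(root)]
```

In CI, call audit_repo(".") on the pull-request checkout and fail the job, or require a maintainer's approval, when the returned list is not empty.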

Supply Chain: OtterCookie Targets AI Dev Tools; LiteLLM's .pth Persistence; ILSpy and Bruno Hit

  • The gemini-ai-checker npm package (published March 20 under account gemini-check) delivered a 4-module OtterCookie JavaScript backdoor linked to North Korea's Contagious Interview; Module 2 specifically enumerated .cursor, .claude, .windsurf, PearAI, Gemini CLI, and Eigent AI directories for API keys and conversation logs. Two related packages — express-flowlimit and chai-extensions-extras — used the same Vercel-hosted C2 and remained live at time of publication (~500 collective downloads).
  • A 48-hour LiteLLM incident post-mortem reveals the poisoned wheel contained litellm_init.pth (34,628 bytes) — a .pth file auto-executed by Python on every interpreter startup, giving the malware persistence across all Python invocations, not just install time. (Previously: versions 1.82.7/1.82.8 were live ~40 minutes; now confirmed the payload survived pip uninstall.)
  • The ILSpy official WordPress site was breached; attackers modified download links to prompt visitors to install a malicious browser extension, then redirected to a third-party domain for secondary malware delivery. The site has been taken down; extension analysis is ongoing.
  • Bruno API IDE (CVE-2026-34841), a widely used open-source Postman alternative, was affected by a supply chain attack prior to v3.2.1; update immediately.
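
To check a host for the kind of .pth persistence described in the LiteLLM item above, the following added example (not taken from the post-mortem or from LiteLLM) lists every .pth file in the interpreter's site-packages directories that contains a line Python will execute at startup. The file names and contents in demo() are constructed.

```python
import os
import site
import tempfile

def executable_pth_lines(pth_path):
    """Return (line_no, text) for each line site.py would exec() at startup."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            # site.py executes .pth lines that start with "import" plus a space
            # or tab; every other non-comment line is just a sys.path entry.
            if line.startswith(("import ", "import\t")):
                hits.append((no, line.rstrip("\r\n")))
    return hits

def scan_site_dirs(dirs):
    """Map each .pth file containing executable lines to its size and lines."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                hits = executable_pth_lines(path)
                if hits:
                    report[path] = {"size": os.path.getsize(path), "lines": hits}
    return report

def default_site_dirs():
    """Global and per-user site-packages of the running interpreter."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    return dirs + [site.getusersitepackages()]

def demo():
    """Constructed sample: a path-only .pth beside one carrying an import line."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "paths_only.pth"), "w") as fh:
            fh.write("# vendored libs\n./vendor\n")
        with open(os.path.join(d, "sample_init.pth"), "w") as fh:
            fh.write("./lib\nimport os; os.environ.setdefault('PTH_DEMO', '1')\n")
        found = scan_site_dirs([d])
        return {os.path.basename(p): v["lines"] for p, v in found.items()}

if __name__ == "__main__":
    for path, info in scan_site_dirs(default_site_dirs()).items():
        print(f"{path} ({info['size']} bytes)")
        for no, text in info["lines"]:
            print(f"  line {no}: {text[:120]}")
```

Some legitimate packages also ship .pth files with import lines, so treat the output as a triage list and compare each file against the package that owns it.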

Critical RCE: ShareFile Pre-Auth Chain; Apache Traffic Server Request Smuggling

  • watchTowr disclosed a two-flaw pre-auth RCE chain in Progress ShareFile Storage Zone Controller: CVE-2026-2699 (CVSS 9.8) is an Execution After Redirect flaw on /ConfigService/Admin.aspx exposing the full admin panel without credentials; CVE-2026-2701 (CVSS 9.1) allows webshell upload via ZIP extraction into the webroot. ~30,000 instances are internet-exposed; a public PoC is available. Patch to v5.12.4 (released March 10); audit access logs for /ConfigService/Admin.aspx and unauthorized zone configuration changes.
  • Apache Traffic Server patched CVE-2025-58136 (CVSS 7.5) and CVE-2025-65114 on April 2 — unauthenticated DoS via crafted POST requests and HTTP request smuggling via improper chunked body parsing, respectively. Affects ATS 9.x ≤9.2.12 and 10.x ≤10.1.1; upgrade to 9.2.13+ or 10.1.2+. No active exploitation confirmed yet.
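
The access-log audit recommended for ShareFile above, as an added example that is not watchTowr's or Progress's tooling. It assumes the Storage Zone Controller's IIS logs are in W3C extended format with the c-ip, cs-method, cs-uri-stem and sc-status fields enabled; the log lines and IP addresses are constructed.

```python
from collections import defaultdict
from urllib.parse import unquote

WATCH = "/configservice/admin.aspx"  # path named in the advisory, lower-cased

# Constructed sample in IIS W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-03-12 08:01:10 198.51.100.7 GET /ConfigService/Admin.aspx 302
2026-03-12 08:01:12 198.51.100.7 POST /configservice/ADMIN.ASPX 200
2026-03-12 08:02:00 192.0.2.10 GET /ConfigService/Admin.aspx 200
2026-03-12 08:03:00 203.0.113.5 GET /default.aspx 200
"""

def audit_admin_access(lines, admin_ips=frozenset()):
    """Group requests for the admin page by client IP, skipping known admin hosts."""
    fields, hits = [], defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or foreign line
        row = dict(zip(fields, parts))
        # IIS paths are case-insensitive; decode %xx so encoded variants match.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        if stem != WATCH and not stem.startswith(WATCH + "/"):
            continue
        if row.get("c-ip") in admin_ips:
            continue
        hits[row.get("c-ip", "?")].append(
            (row.get("date"), row.get("time"), row.get("cs-method"), row.get("sc-status")))
    return dict(hits)

def demo():
    """Run the audit over the constructed log, treating 192.0.2.10 as an admin host."""
    return audit_admin_access(SAMPLE_LOG.splitlines(), admin_ips={"192.0.2.10"})

if __name__ == "__main__":
    for ip, reqs in demo().items():
        print(ip, reqs)
```

Any client outside the administrators' address list that reaches this page, whatever the status code, is worth correlating with zone configuration changes made around the same time.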

Project Glasswing, Vibe Security Radar, and CISA Budget Cuts

  • Anthropic unveiled Project Glasswing built on Claude Mythos Preview, a model described as capable of autonomous vulnerability discovery at scale; early testing reportedly surfaced thousands of high-severity flaws across OSes and browsers, including a 27-year-old bug in OpenBSD. Access is restricted to a closed consortium of 40+ companies (Amazon, Microsoft, Apple, Google, CrowdStrike, Palo Alto, Cisco) with $100M in usage credits committed. OWASP founder Jeff Williams notes Anthropic likely cannot prevent offensive misuse of the same capability.
  • Georgia Tech SSLab's Vibe Security Radar scans 50,000+ public advisories to identify CVEs where AI-generated code introduced the flaw — dozens confirmed so far; live dashboard at vibe-radar-ten.vercel.app.
  • AI coding assistants leak secrets at 2× the rate of non-AI coding, with overall secret leaks up 34%, per a new SC Media analysis; most scanners still miss exposure in HTTP proxy traffic, binary files (JARs, APKs, exported spreadsheets), and browser-rendered JavaScript. Recommended controls: automated credential validation, LLM-based denoising of false positives, and short-lived tokens as primary mitigation.
  • The proposed FY2027 budget would cut CISA funding by $361M–$777M from the agency's ~$3B prior budget; the budget summary reportedly recycles language from 2026 and references programs already shuttered.
