1,700 Malicious Packages, Snowflake Breach, and the SHA-Pinning Lie

Contagious Interview Expands to Five Ecosystems: 1,700 Packages Since January 2025

  • Socket researcher Kirill Boychenko documents Contagious Interview spreading into Go, Rust, and PHP, with 1,700+ malicious packages identified across npm, PyPI, Go, Rust, and Packagist since January 2025; named packages include logtrace (Rust), logutilkit / fluxhttp (PyPI), and golangorg/logkit (Packagist).
  • The latest packages embed malicious code inside legitimate-looking utility functions (e.g., Logger::trace(i32)) rather than install-time hooks — making static analysis and install-time scanning insufficient for detection.
  • Windows payloads delivered via license-utils-kit include a full post-compromise implant: keylogger, browser credential stealer, AnyDesk deployment, file uploader, and encrypted archive exfil — going well beyond the credential-harvesting RAT seen in earlier Contagious Interview packages.
  • Security Alliance (SEAL) reports blocking 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom between February 6 and April 7; the actor runs multi-week low-pressure social engineering over Telegram, LinkedIn, and Slack before delivering a malicious meeting link. (Previously: UNC1069/Sapphire Sleet attributed to the Axios maintainer hijack — the same cluster is now confirmed behind the cross-ecosystem package campaign.)
  • A new Tracebit post-mortem on TeamPCP reveals the LiteLLM compromise alone exfiltrated approximately 300 GB from 500,000 machines via the .pth persistence mechanism, per vxunderground telemetry. (Previously reported: the poisoned wheel survived pip uninstall — scope is now quantified.)
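The .pth persistence mechanism mentioned above works because site.py executes any line of a .pth file that begins with "import ", so auditing those lines is a cheap check. The following is an added example (not code from the page, from Tracebit or from LiteLLM); the suspicious-substring list and the sample .pth content are constructed assumptions.

```python
"""Audit .pth files for import lines that site.py executes at startup."""
import site
from pathlib import Path

# Constructed heuristic: substrings that rarely belong in a legitimate
# .pth import line (tune for your environment).
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket",
              "__import__", "os.system", "marshal", "zlib", "compile(")

# Constructed sample: a path entry, a common benign import hook, and a
# placeholder for an obfuscated loader line of the kind attackers plant.
SAMPLE_PTH = "\n".join([
    "/usr/lib/python3/dist-packages",
    "import _virtualenv",
    "import sys, base64; exec(base64.b64decode('...'))",
])


def pth_import_lines(text):
    """Yield (line_no, line) for lines site.addpackage would exec()."""
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            yield n, line


def audit_pth(text, name="<pth>"):
    """Return one finding per executable line, with matched indicators."""
    findings = []
    for n, line in pth_import_lines(text):
        hits = [s for s in SUSPICIOUS if s in line]
        if len(line) > 200:  # long one-liners are themselves a signal
            hits.append("long import line")
        findings.append({"file": name, "line": n, "hits": hits,
                         "text": line[:120]})
    return findings


def audit_site_packages():
    """Audit every .pth in the interpreter's site-packages directories."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth") if Path(d).is_dir() else []:
            try:
                findings += audit_pth(pth.read_text(errors="replace"), str(pth))
            except OSError:
                continue  # unreadable file: skip, do not crash the audit
    return findings


if __name__ == "__main__":
    for f in audit_site_packages():
        flag = "SUSPICIOUS" if f["hits"] else "import line"
        print(f"{flag}: {f['file']}:{f['line']} {f['text']} {f['hits']}")
```

Every import line is reported, not only flagged ones, because a reviewer should see the full set of code that runs on interpreter start and compare it against the packages that are expected to install such hooks.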

New Supply Chain Incidents: Anodot/Snowflake and AppsFlyer SDK

  • ShinyHunters breached Anodot (AI analytics SaaS), stealing the Snowflake authentication tokens Anodot held as a third-party integration; more than a dozen Snowflake customer accounts were compromised, with data theft and extortion following. Snowflake confirmed "unusual activity" and locked the impacted accounts; its own infrastructure was not breached. Salesforce access was attempted but blocked.
  • Reflectiz flagged a supply chain attack on the AppsFlyer Web SDK, present in 100,000+ web and mobile applications across crypto, fintech, and e-commerce; WAFs, firewalls, and endpoint agents did not detect the malicious code, highlighting the client-side and third-party script monitoring gap.

Active Exploitation: Ninja Forms RCE, Ivanti EPMM on CISA KEV

  • CVE-2026-0740 (CVSS 9.8) in the Ninja Forms File Uploads WordPress addon is under active exploitation: unauthenticated arbitrary file upload via missing file type validation and insufficient filename sanitization allows PHP webshell placement via path traversal; Wordfence blocked 3,600+ attempts within 24 hours. ~50,000 sites use the addon. Upgrade to Ninja Forms File Uploads v3.3.27 immediately; all prior versions are vulnerable.
  • CISA added CVE-2026-1340 (CVSS 9.8) in Ivanti EPMM to its KEV catalog, a code injection flaw enabling unauthenticated RCE; federal patch deadline is April 11.
  • Chrome 147 patches CVE-2026-5858 and CVE-2026-5859, both rated Critical with $43,000 bug bounties; the flaws are in WebML and V8. No in-the-wild exploitation has been confirmed yet; these are separate from the April 3 zero-day (previously reported).
  • GitLab patched 12 vulnerabilities across versions 18.10.3, 18.9.5, and 18.8.9 including critical DoS and code injection flaws; update immediately.

GitHub Actions: SHA-Pinning Is Not What You Think; 2026 Roadmap and Canary Credentials

AI Code Oversight Gap: 93% Usage, 31% Minimal Validation

  • Cloudsmith's 2026 Artifact Management Report (via BetaNews) finds 93% of organizations use AI-generated code, but 31% spend ≤10 hours/month validating it and 5% conduct no audit at all; only 17% are "very confident" AI isn't introducing new vulnerabilities, and 44% experienced a security incident from a third-party dependency in the past year.
  • 53% of respondents cannot produce a comprehensive artifact or SBOM report without heavy manual effort — a direct gap against the EU Cyber Resilience Act's 48-hour breach notification requirement.
  • Gianluca Brindisi at Synthesia details a production AI-powered triage system that auto-triages SAST/SCA findings, opens GitHub issues, and uses coding agents to validate findings and generate fix PRs — reducing manual security review to 11% of prior workload. Practical reference architecture for teams dealing with AI-generated code volume.
