Dependabot Auto-Merge Hijacked, AI Frameworks Under Fire, 28-Day TTX
Renovate & Dependabot: Automation Turned Malware Distribution Layer
- A GitGuardian analysis of the Axios and LiteLLM incidents shows Dependabot created pull requests to update the poisoned `axios` package within 5 minutes of publication; a significant portion were auto-merged, pushing malicious code to production in under an hour with zero human review.
- Auto-merge configurations on non-major version bumps are the core risk vector — Renovate can also update pinned commit SHAs for reusable workflows, and if those workflows trigger on `pull_request` or `pull_request_target`, the compromised SHA executes with full runner credentials.
- Specific mitigations: set `minimumReleaseAge: "3 days"` in Renovate config; use the `cooldown` option with `default-days: 3` in Dependabot; add `min-release-age=3d` to `.npmrc`; use `exclude-newer` in `uv.toml`. A 3–5 day window gives time for malicious packages to be flagged before auto-merge fires.
- AI coding agents compound the problem: they install dependencies without adhering to established security practices, frequently bypassing version-age controls entirely.
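How a release-age gate of the kind listed above decides what a bot is allowed to propose, as an added Python example (not GitGuardian's analysis and not code from Renovate, Dependabot, npm or uv): the npm-style packument `time` map, the clock values and the 3-day threshold are constructed, and the sort key assumes plain numeric versions without pre-release tags.

```python
"""Release-age gate for dependency bumps (added example).

Not GitGuardian's analysis and not code from Renovate, Dependabot, npm or uv:
it re-implements the rule those tools enforce with minimumReleaseAge,
cooldown, min-release-age and exclude-newer. A version may be proposed only
once it has been published for at least MIN_AGE_DAYS, so a version published
five minutes ago is "not yet", not "latest".
Assumptions: plain numeric versions (no pre-release tags) and an npm-style
packument `time` map; every timestamp below is constructed.
"""
from datetime import datetime, timedelta

MIN_AGE_DAYS = 3  # the 3-day window suggested in the briefing

# Constructed packument "time" map: version -> publish time, plus the
# non-version keys a real npm packument also carries.
PACKUMENT_TIME = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2026-03-31T09:05:00.000Z",
    "1.7.9": "2025-03-01T12:00:00.000Z",
    "1.8.0": "2026-03-20T10:00:00.000Z",
    "1.8.1": "2026-03-31T09:05:00.000Z",  # fresh publish: the one to hold back
}

NON_VERSION_KEYS = {"created", "modified"}


def parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    """Sort key for dotted numeric versions ("1.8.1" -> (1, 8, 1))."""
    return tuple(int(part) for part in version.split("."))


def is_old_enough(published: str, now: str, min_age_days: int = MIN_AGE_DAYS) -> bool:
    """True once the release has been public for at least min_age_days."""
    return parse_iso(published) <= parse_iso(now) - timedelta(days=min_age_days)


def pick_update(time_map: dict, now: str, min_age_days: int = MIN_AGE_DAYS):
    """Return (version to propose, versions held back by the age gate).

    The chosen version is the newest one that clears the gate; the versions
    that are still too young are returned so a reviewer can see what the
    cooldown is holding and why the bot did not jump to "latest".
    """
    versions = sorted((v for v in time_map if v not in NON_VERSION_KEYS), key=version_key)
    eligible = [v for v in versions if is_old_enough(time_map[v], now, min_age_days)]
    held_back = [v for v in versions if v not in eligible]
    return (eligible[-1] if eligible else None), held_back


if __name__ == "__main__":
    # Five minutes after 1.8.1 was published: the gate proposes 1.8.0 instead.
    print(pick_update(PACKUMENT_TIME, "2026-03-31T09:10:00Z"))
    # Three days later the same version clears the gate.
    print(pick_update(PACKUMENT_TIME, "2026-04-03T09:10:00Z"))
```

The comparison is `published <= now - min_age`, so a release becomes eligible at exactly the threshold and not a minute before; that boundary is where a bot running on a tight schedule, like the 5-minute Dependabot turnaround above, would otherwise slip a fresh package through.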
LangChain, Langflow, and LiteLLM: Three CVEs in AI Foundation Frameworks
- Three vulnerabilities disclosed in LangChain and LangGraph affect frameworks downloaded 60M+ times weekly: CVE-2026-34070 (CVSS 7.5, path traversal in the prompt-loading module allowing arbitrary file access); CVE-2025-68664 "LangGrinch" (CVSS 9.3, serialization injection in `dumps()`/`dumpd()` enabling secret extraction and potential RCE); and CVE-2025-67644 (CVSS 7.3, SQLi in LangGraph's SQLite checkpoint implementation leaking conversation histories).
- Langflow CVE-2026-33017 (CVSS 9.3) — unauthenticated RCE via a public flow-build endpoint accepting arbitrary Python — was weaponized within 20 hours of disclosure; it is the second critical Langflow RCE added to CISA KEV within a year. Upgrade to Langflow 1.9.0+ or restrict the build endpoint; rotate credentials if the instance was internet-exposed.
- The LiteLLM supply chain attack (previously reported: `.pth` persistence, ~300 GB exfiltrated) has been formally assigned CVE-2026-33634 (CVSS 9.4); LiteLLM 1.83.0 is the remediated release.
- AI frameworks sit between applications and cloud credentials, making a single compromise's blast radius substantially larger than a traditional library flaw — every API key, DB connection, and IAM token passed through the framework is at risk. Treat AI framework upgrades with the same urgency as database or OS patches.
Active Exploitation: Marimo RCE, CPUID Download Hijack, TrueConf KEV
- CVE-2026-39987 (CVSS 9.3) in Marimo — an open-source Python notebook — allows unauthenticated RCE via a WebSocket endpoint (`/terminal/ws`); Sysdig honeypot data puts first exploitation at 9 hours 41 minutes after disclosure, with no public PoC at the time — the attacker harvested `.env` files and SSH keys. Update to Marimo 0.23.0 immediately; do not expose Marimo instances to the public internet.
- A supply chain attack on CPUID (CPU-Z / HWMonitor) compromised the vendor's API between April 9–10, redirecting official download links to a multi-staged, in-memory infostealer; the same actor compromised FileZilla last month. The attack is now remediated — verify any CPUID tool downloaded in that window against current official hashes.
- CISA added CVE-2026-3502 (CVSS 7.8) in TrueConf on-premises video conferencing to the KEV catalog following confirmed state-sponsored exploitation; the flaw is in the update mechanism, which lacks integrity checks, enabling malicious tool distribution (Havoc framework observed in the wild). Federal remediation deadline: April 16.
- Juniper Networks patched CVE-2026-33784 (CVSS 9.8) in JSI vLWC: the virtual lightweight collector ships with a default privileged admin password that is never forced to change, allowing unauthenticated network-adjacent attackers full device control. Upgrade to vLWC 3.0.94+; workaround is manual password change via JSI Shell. No active exploitation confirmed.
Patch Windows, Typosquats, and SBOM Gaps: Current State of the Threat Landscape
- Rapid7's 2026 Cyber Threat Landscape Report documents confirmed exploitation of high/critical CVEs rising 105% year-over-year (146 in 2025 vs. 71 in 2024); median time from disclosure to CISA KEV inclusion dropped from 8.5 days to 5.0 days; mean time-to-exploit fell from 61.0 to 28.5 days. Veracode's Chris Wysopal: "disclosure increasingly starts the race, and defenders are already behind when the starting gun fires."
- Veracode's Spring 2026 supply chain threat research finds typosquats up 104.3% quarter-over-quarter (4,708 packages), malicious URLs in packages up 179.2% (42,313 packages), and obfuscation up 65.1% (555,258 packages); dependency confusion attacks dropped 77.1% as attackers shift toward direct-compromise tactics that exploit human error rather than registry misconfigurations.
- Cloudsmith's SBOM survey (505 respondents across US and UK) finds only 25% of engineering teams auto-generate and verify SBOMs at every build; 74% could not quickly produce a comprehensive artifact provenance report under a surprise audit — a direct gap against the EU Cyber Resilience Act's 48-hour breach-assessment requirement.