Supply Chain Attacks Hit AI Tooling as EU Commission Falls to Cloud Breach
- Mar 29

This Week in Cyber: AI Infrastructure Under Siege
The last week of March 2026 brought a coordinated supply chain campaign that hit the heart of AI and cloud-native tooling, a confirmed breach of the European Commission's cloud infrastructure, and CISA adding multiple critical vulnerabilities to its KEV catalog in rapid succession. If you build with open-source AI tools or run anything in the cloud, this week demands your attention.
TeamPCP's Supply Chain Blitz: LiteLLM, Trivy, Telnyx
The most consequential story this week is the TeamPCP supply chain campaign — a coordinated attack targeting cloud-native and AI tooling. On March 24, compromised versions of LiteLLM (a widely-used AI proxy with three million daily PyPI downloads) were available for at least two hours. The malware ran silently on every Python startup, harvesting AI API keys, cloud credentials, SSH keys, and Kubernetes tokens, then exfiltrating them.
Per The Record, the same threat actor had previously hit Trivy scanner, Checkmarx GitHub Actions, and Aqua Security repos. Then on March 27, TeamPCP pushed two malicious versions (4.87.1 and 4.87.2) of the telnyx Python package to PyPI, concealing credential harvesting capabilities within a .WAV file. CISA assigned CVE-2026-33634 to track the Trivy supply chain compromise.
This is not a one-off. It's a sustained, multi-target campaign by a single threat actor systematically poisoning the AI and DevSecOps supply chain. The NSA released guidance this month defining the AI supply chain as training data, models, software, hardware, infrastructure, and third-party services — all of which can introduce vulnerabilities.
European Commission Cloud Breach
On March 27, the European Commission confirmed a cyberattack after hackers gained access to its Amazon cloud environment, per TechCrunch. The breach affected infrastructure hosting the Commission's web presence on the Europa.eu platform. The EU's top executive body is investigating the scope of the compromise.
This follows a pattern of government and institutional breaches in March. The Dutch Ministry of Finance also confirmed that some of its systems were breached. Combined with the Medusa ransomware gang's attacks on the University of Mississippi Medical Center and Passaic County, New Jersey, March has been brutal for public-sector cybersecurity.
CISA's KEV Catalog Is Growing Fast
CISA has been adding vulnerabilities to its Known Exploited Vulnerabilities catalog at an aggressive pace this month:
- CVE-2026-33017 (Langflow): Critical RCE exploited within 20 hours of disclosure. CISA added it March 25 with an April 8 patch deadline.
- CVE-2025-53521 (F5 BIG-IP APM): CVSS v4 score 9.3, remote code execution. Added to KEV this week.
- CVE-2026-3055 (Citrix NetScaler): CVSS 9.3, memory overread via insufficient input validation. Active reconnaissance observed.
- CVE-2026-20963 (SharePoint): Deserialization of untrusted data, added to KEV based on evidence of active exploitation.
- Five vulnerabilities across Apple, Craft CMS, and Laravel added March 20 in a single batch: buffer overflows and code injection.
Microsoft's March Patch Tuesday addressed 80+ vulnerabilities, with six flagged as "more likely" to be exploited, per Help Net Security and CrowdStrike.
AI Security: Prompt Injection Goes Mainstream
At RSA 2026 on March 23, Zenity demonstrated zero-click prompt injection chains that manipulated Cursor into leaking developer secrets, Salesforce agents into exfiltrating customer data, and ChatGPT into producing persistent attacker-chosen outputs. These aren't theoretical — they're working exploits against production AI systems.
HackerOne reported a 540% year-over-year increase in validated prompt injection vulnerabilities, launching Agentic Prompt Injection Testing on March 21. The message is clear: if you're deploying AI agents with access to sensitive data or actions, prompt injection is no longer an edge case — it's a primary attack vector.
Major Breaches: Crunchyroll, Infinite Campus, Goodwill
Beyond the EU Commission, several significant breaches were disclosed this week. Crunchyroll is investigating after hackers claimed to have stolen personal data for 6.8 million users by compromising an Okta SSO account and planting malware. Infinite Campus, managing data for roughly 11 million K-12 students, was breached via a compromised Salesforce account. And Goodwill was hit by the Interlock threat actor on March 27.
The common thread: identity compromise as the initial access vector. Attackers aren't breaking down doors — they're logging in through stolen credentials and compromised SSO.
What This Means for Your Organization
Audit your AI dependencies now. If you use LiteLLM, Trivy, or telnyx, check your installed versions immediately. Pin dependencies, verify checksums, and monitor for anomalous outbound traffic from your CI/CD pipelines.
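A small audit script for the first recommendation, added here as an example and not taken from any of the affected projects. It checks installed package versions against the telnyx releases named above (the compromised LiteLLM version numbers are not given in this post, so that entry is a labelled placeholder) and verifies a downloaded artifact against a pinned SHA-256, the same check a hashed requirements file performs.

```python
"""Audit installed Python packages against known-malicious releases and pinned hashes."""
import hashlib
from importlib import metadata

# telnyx versions come from this week's reporting; the LiteLLM entry is a placeholder
# because the compromised version numbers are not stated in this post.
KNOWN_BAD = {
    "telnyx": {"4.87.1", "4.87.2"},
    "litellm": {"<COMPROMISED-VERSION-PLACEHOLDER>"},
}


def installed_version(name):
    """Return the installed version string, or None if the package is absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def audit_installed(known_bad=KNOWN_BAD, lookup=installed_version):
    """Return {package: version} for every installed package on a known-bad release.

    `lookup` is injectable so the check can run against a CI manifest or a test double
    instead of the local environment.
    """
    hits = {}
    for pkg, bad_versions in known_bad.items():
        version = lookup(pkg)
        if version is not None and version in bad_versions:
            hits[pkg] = version
    return hits


def sha256_matches(data, expected_hex):
    """Compare the SHA-256 of an artifact's bytes with a pinned digest (case-insensitive)."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


def verify_file(path, expected_hex):
    """Hash a downloaded wheel or sdist on disk and compare it with the pinned digest."""
    with open(path, "rb") as f:
        return sha256_matches(f.read(), expected_hex)


if __name__ == "__main__":
    for pkg, version in audit_installed().items():
        print(f"KNOWN-BAD RELEASE INSTALLED: {pkg}=={version}")
```

Run it in the CI image as well as on developer machines; an empty result only means none of the listed releases is present, not that the environment is clean.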
Patch F5 BIG-IP and Citrix NetScaler. Both are actively targeted. If you run either, treat this as a P0.
Treat AI agent security as application security. The 540% spike in prompt injection reports means your AI-powered tools are now in scope for pentesting. If your agents can access data or take actions, they need the same security scrutiny as any API endpoint.
Harden your SSO and identity layer. Crunchyroll (Okta), Infinite Campus (Salesforce), and multiple others were breached through identity compromise. Enforce phishing-resistant MFA, review SSO admin accounts, and implement session anomaly detection.
Review your cloud posture. If the European Commission's AWS environment can be breached, yours can too. Audit IAM roles, enable CloudTrail anomaly alerts, and verify that your cloud security posture management (CSPM) is actually catching misconfigurations.