March saw rapid, machine-speed exploitation of public-facing services and AI infrastructure—critical flaws in Pac4j, Ingress‑NGINX, and Langflow enabled authentication bypasses and unauthenticated RCE that were weaponized within hours. A supply‑chain campaign attributed to TeamPCP abused GitHub Actions to spread credential‑stealing backdoors across Trivy, Checkmarx, PyPI packages, and more, highlighting the need for runtime detection and AI‑infrastructure inventorying.
Keypoints
- Critical JWT signature validation flaw in Pac4j (CVE-2026-29000) allowed authentication bypass by manipulating public-key interpretation.
- Ingress‑NGINX configuration injection (CVE-2026-3288) enabled remote code execution via crafted Ingress path fields, exposing secrets and internal services.
- Langflow (CVE-2026-33017) was exploited for unauthenticated RCE and key/credential exfiltration within ~20 hours of disclosure.
- TeamPCP executed a fast-moving supply chain campaign by compromising GitHub Actions in Trivy, then spreading identical credential‑stealing activity to Checkmarx, PyPI packages (LiteLLM), and other vendors.
- Security and CI/CD tooling are high-value targets because compromises grant trusted execution and broad secrets access; runtime detection succeeded where static checks failed.
- Anthropic’s Mythos model and Claude Code source were leaked, increasing risk for AI-driven attack/defense escalation.
- Recommended mitigations: inventory and govern AI infrastructure, deploy real-time protections for CI/CD and runtime, rotate keys and kill sessions after patching, and segment IoT devices.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Public-facing services and components were exploited to gain initial access and achieve RCE, e.g., Langflow and Ingress‑NGINX; (‘With a single HTTP request, attackers are able to exfiltrate keys and credentials’).
- [T1195] Supply Chain Compromise – Attackers abused CI/CD and package supply chains to insert malicious code and spread credential theft across tools and libraries; (‘TeamPCP exploited a misconfigured GitHub Actions workflow in Trivy’).
- [T1078] Valid Accounts / Authentication Bypass – Weaknesses in authentication handling (JWT signature validation) allowed attackers to bypass authentication controls without valid credentials; (‘By manipulating how public keys are interpreted during verification, attackers could bypass authentication controls.’).
- [T1552] Unsecured Credentials – Attackers exfiltrated API keys and credentials from exposed services and libraries, enabling broader compromise; (‘exfiltrate keys and credentials from a potentially massive number of victims’).
- [T1041] Exfiltration Over C2 Channel (HTTP) – Data and secrets were extracted via network requests after exploitation, including via single HTTP requests to remote endpoints; (‘With a single HTTP request, attackers are able to exfiltrate keys and credentials’).
Indicators of Compromise
- [CVE] referenced vulnerabilities – CVE-2026-29000 (Pac4j authentication bypass), CVE-2026-33017 (Langflow unauthenticated RCE), and other CVEs such as CVE-2026-3288 (Ingress‑NGINX configuration injection) and CVE-2026-24512.
- [Software/Package] targeted projects and components – Langflow, Pac4j, Ingress‑NGINX, Trivy, Checkmarx, LiteLLM (PyPI), and Claude Code (source leak).
- [CI/CD artifacts] malicious Git activity and action tags – Trivy GitHub Action version tags were force-pushed to malicious commits (76 of 77 tags), and identical malicious activity moved to Checkmarx workflows.
- [Leaked model/source] public disclosures and leaks – Anthropic Mythos model leak and Claude Code source code leak (publicly posted March 30–31) as indicators of increased attacker/defender tooling availability.
Read more: https://www.sysdig.com/blog/security-briefing-march-2026