This issue of The Cybersecurity Pulse details a massive software supply-chain campaign by TeamPCP that poisoned widely used open-source security and runtime tools, triggering cascading compromises and exposing sensitive data from downstream victims. It also summarizes RSAC 2026’s focus on agentic AI—dozens of product launches and large funding rounds—while highlighting high-impact incidents like the Mercor breach, Codex command-injection, Handala’s Gmail compromise, and Intoxalock’s outage. #TeamPCP #Mercor
Key points
- TeamPCP launched a cascading software supply-chain attack starting with Aqua Security’s Trivy, poisoning packages and container images across multiple registries.
- The campaign exploited credential chains and transitive dependencies, culminating in the Mercor breach with 4TB of sensitive data and unrecoverable biometric leaks.
- RSAC 2026 centered on agentic AI risks, driving a wave of vendor launches and funding for discovery, governance, and runtime enforcement of AI agents.
- Notable vulnerabilities included an OpenAI Codex branch-name command injection and overly broad Vertex AI service agent permissions that enabled credential theft.
- Recommended mitigations include pinning to commit SHAs, treating credential rotations as atomic, auditing AI coding assistant permissions, and mapping transitive dependency trees.
Read More: https://www.cybersecuritypulse.net/p/the-biggest-supply-chain-attack-of