Executive Summary
- TeamPCP continues aggressive supply chain attacks, compromising the LiteLLM Python package with credential-harvesting and Kubernetes lateral-movement capabilities and affecting hundreds of thousands of devices.
- Iran-backed hacktivist groups deployed wiper attacks against medical device manufacturer Stryker, wiping over 200,000 devices and disrupting production operations.
- Critical remote code execution vulnerabilities in PTC Windchill and FlexPLM pose imminent threats to manufacturing and product lifecycle management systems.
- AI-powered malvertising campaigns and poisoned package repositories are distributing ScreenConnect malware and trojans with EDR evasion capabilities.
- U.S. government successfully dismantled four major IoT botnets comprising over 3 million compromised devices used in distributed denial-of-service attacks.
Top Threats Today
1. TeamPCP Supply Chain Attack on LiteLLM Package
Severity: CRITICAL | Affected sector: Technology
TeamPCP has compromised LiteLLM versions 1.82.7–1.82.8 on PyPI, injecting malicious code that harvests credentials, includes Kubernetes lateral movement toolkits, and establishes persistent backdoors. This attack follows TeamPCP's earlier compromises of Trivy and KICS security tools, indicating a coordinated campaign against critical development infrastructure. Hundreds of thousands of devices are estimated to be affected by credential theft from this supply chain breach.
Recommended Action
- Immediately audit all LiteLLM installations and upgrade to patched versions beyond 1.82.8
- Scan systems for indicators of compromise including credential harvesting and Kubernetes access patterns
- Review all authentication tokens and credentials for accounts that may have interacted with compromised versions
- Implement strict dependency scanning and verification across all CI/CD pipelines
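The first two actions above amount to comparing every Python environment's installed packages against the compromised version range. The following script is an added example (it is not from the briefing, LiteLLM, or TeamPCP reporting): it parses `pip freeze`-style output or a pinned requirements file and flags any entry that falls inside a known-bad range. The 1.82.7–1.82.8 range for LiteLLM is taken from the briefing; the sample inventory, the `--live` flag and the function names are constructed for illustration.

```python
"""Flag installed packages that fall inside a known-compromised version range.

Added example, not code from the briefing or from the LiteLLM project.
Run without arguments to scan the constructed sample inventory, or with
`--live` to scan the current interpreter's `pip freeze` output.
"""
import re
import subprocess
import sys

# Advisory table: normalized package name -> (first_bad, last_bad), inclusive.
# The LiteLLM range comes from the briefing; add further advisories as needed.
COMPROMISED_RANGES = {
    "litellm": ("1.82.7", "1.82.8"),
}

# Matches 'Name==1.2.3' lines; editable installs, URLs and comments are skipped.
_PINNED_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+-]*)")


def normalize_name(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Turn '1.82.7' into (1, 82, 7). Letters after the digits ('8rc1') are dropped,
    so pre-releases compare equal to their final release; that is deliberately
    conservative for an incident sweep (they get flagged rather than missed)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def in_range(version, first_bad, last_bad):
    return parse_version(first_bad) <= parse_version(version) <= parse_version(last_bad)


def parse_freeze(text):
    """Yield (normalized_name, version) for every pinned line in freeze/requirements text."""
    for line in text.splitlines():
        match = _PINNED_LINE.match(line)
        if match:
            yield normalize_name(match.group(1)), match.group(2)


def find_compromised(freeze_text, ranges=COMPROMISED_RANGES):
    """Return [(name, version), ...] for entries inside a compromised range."""
    hits = []
    for name, version in parse_freeze(freeze_text):
        if name in ranges and in_range(version, *ranges[name]):
            hits.append((name, version))
    return hits


# Constructed sample inventory (not a real environment); note the mixed-case name.
SAMPLE_FREEZE = """\
# constructed sample inventory
fastapi==0.110.0
LiteLLM==1.82.7
requests==2.31.0
"""


def main():
    if "--live" in sys.argv[1:]:
        result = subprocess.run(
            [sys.executable, "-m", "pip", "freeze"],
            capture_output=True, text=True, check=True,
        )
        text = result.stdout
    else:
        text = SAMPLE_FREEZE
    hits = find_compromised(text)
    for name, version in hits:
        print(f"COMPROMISED: {name}=={version} (within advisory range {COMPROMISED_RANGES[name]})")
    if not hits:
        print("no compromised versions found")
    # Non-zero exit lets a CI job or fleet-wide sweep fail loudly on a hit.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pointing the script at every virtual environment, container image layer and CI runner cache is what makes it an audit; a single `pip freeze` on one host is not. Any hit should be followed by the credential rotation step the briefing recommends, since a clean upgrade does not undo tokens already exfiltrated.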
2. Iran-Backed Wiper Attack on Stryker Medical Devices
Severity: CRITICAL | Affected sector: Healthcare
Iranian hacktivist groups claimed responsibility for a destructive cyberattack against Stryker Corporation, wiping data from over 200,000 company devices and forcing the shutdown of production lines for approximately two weeks. This represents a significant disruption to medical device manufacturing and supply chains, with potential patient safety implications.
Recommended Action
- Ensure critical medical device systems have isolated, offline backup copies with secure restoration procedures
- Implement network segmentation between operational technology and corporate IT systems
- Review incident response plans for wiper malware including communication protocols and recovery prioritization
- Coordinate with healthcare sector ISACs for threat intelligence on Iranian attack patterns
3. PTC Windchill and FlexPLM Critical RCE Vulnerability
Severity: CRITICAL | Affected sector: Manufacturing
PTC Inc. has warned of a critical remote code execution vulnerability in Windchill and FlexPLM product lifecycle management solutions widely used in manufacturing and engineering sectors. The threat is considered imminent with active exploitation anticipated, requiring urgent patching before adversaries can gain control of engineering data and production systems.
Recommended Action
- Obtain and deploy PTC security patches immediately across all Windchill and FlexPLM installations
- Isolate affected systems on separate network segments pending patch deployment if immediate updates are not possible
- Monitor system logs for exploitation attempts including unusual API calls and data access patterns
- Engage with PTC support to obtain detailed vulnerability information and ensure complete remediation
4. ScreenConnect Malware Delivered via Malvertising Tax Campaign
Severity: HIGH | Affected sector: Finance
A large-scale malvertising campaign active since January 2026 targets U.S. individuals searching for tax documents, luring them into running rogue ScreenConnect installers. The campaign deploys the HwAudKiller tool, which disables endpoint detection and response systems by exploiting Huawei driver vulnerabilities, enabling attackers to evade security controls and establish persistent access on compromised systems.
Recommended Action
- Educate end users to verify legitimacy of tax software through official IRS and vendor websites only
- Deploy EDR tools that monitor for HwAudKiller and driver-based security evasion techniques
- Block malicious ad networks and tax-related domains identified in threat intelligence feeds
- Conduct forensic analysis on any systems running unexpected ScreenConnect installations
5. Poisoned GitHub Repositories and OpenClaw Trojan Campaign
Severity: HIGH | Affected sector: Technology
AI-assisted campaigns are distributing over 300 poisoned packages across GitHub and package repositories disguised as legitimate developer tools and game cheats. The OpenClaw Deployer trojan spreads through these repositories, targeting developers and introducing malware into development pipelines and software supply chains.
Recommended Action
- Implement mandatory code review and dependency verification processes for all third-party packages
- Use software composition analysis tools to identify malicious or suspicious packages in development environments
- Audit GitHub Actions and CI/CD workflows for unauthorized package installations or unusual dependencies
- Maintain allowlists of approved package sources and repositories in build systems
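Dependency verification and source allowlisting, as recommended above, can both be enforced mechanically at build time. The script below is an added example (not from the briefing or from pip's own tooling) of a policy check a CI job could run before `pip install --require-hashes`: every requirement must be pinned with `==` and carry a sha256 `--hash`, no index override may appear inside the requirements file, and every index URL in `pip.conf` must resolve to an allowlisted host. The allowlist, the placeholder digest, the sample lock file and the `mirror.unapproved.example` host are constructed for illustration.

```python
"""Check a requirements lock file and pip.conf against a supply-chain policy.

Added example, not from the briefing or any vendor tool. Policy enforced:
  * every requirement is pinned with '==' and has a sha256 --hash;
  * no --index-url / --extra-index-url override hides inside the lock file;
  * every index URL configured in pip.conf points at an allowlisted host.
"""
import configparser
import re
from urllib.parse import urlparse

# Constructed allowlist: the public index plus a hypothetical internal mirror.
ALLOWED_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org", "artifacts.example.internal"}

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)\s*([^\s;]+)")
_SHA256_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
_INDEX_OPTIONS = ("--index-url", "--extra-index-url", "-i ")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def check_requirements(text):
    """Return a list of policy violations; an empty list means the file is compliant."""
    problems = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            # Option lines: an index override here would silently redirect every install.
            if line.startswith(_INDEX_OPTIONS):
                problems.append(f"index override inside requirements: {line}")
            continue
        match = _REQ.match(line)
        if not match:
            problems.append(f"unpinned or unparseable requirement: {line}")
            continue
        name, _extras, operator, _version = match.groups()
        if operator != "==":
            problems.append(f"{name}: not pinned with '==' ({operator})")
        if not _SHA256_HASH.search(line):
            problems.append(f"{name}: missing sha256 --hash")
    return problems


def check_pip_conf(text):
    """Return configured index URLs whose host is not in ALLOWED_INDEX_HOSTS."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    rejected = []
    for section in parser.sections():
        for key in ("index-url", "extra-index-url"):
            if parser.has_option(section, key):
                for url in parser.get(section, key).split():
                    host = urlparse(url).hostname or ""
                    if host not in ALLOWED_INDEX_HOSTS:
                        rejected.append(url)
    return rejected


_FAKE_DIGEST = "a" * 64  # constructed placeholder, not a real package digest
SAMPLE_REQUIREMENTS = (
    "# constructed sample lock file\n"
    "requests==2.31.0 \\\n"
    f"    --hash=sha256:{_FAKE_DIGEST}\n"
    "litellm>=1.82.0\n"
    "pyyaml==6.0.1\n"
    "--extra-index-url https://mirror.unapproved.example/simple\n"
)
SAMPLE_PIP_CONF = (
    "[global]\n"
    "index-url = https://pypi.org/simple\n"
    "extra-index-url = https://mirror.unapproved.example/simple\n"
)

if __name__ == "__main__":
    for problem in check_requirements(SAMPLE_REQUIREMENTS):
        print("requirements:", problem)
    for url in check_pip_conf(SAMPLE_PIP_CONF):
        print("pip.conf: index host not allowlisted:", url)
```

The hash check matters because a version pin alone does not protect against a re-uploaded or mirrored artifact with the same version string; `pip install --require-hashes` refuses anything whose digest differs from the lock file. The `extra-index-url` check matters because pip treats extra indexes as peers of the primary one, so an unvetted mirror can satisfy any requirement.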
Today’s Action Checklist
- ☐ URGENT: Audit and patch all LiteLLM installations to versions after 1.82.8; scan for credential compromise indicators
- ☐ URGENT: Deploy patches for PTC Windchill and FlexPLM critical RCE vulnerabilities immediately
- ☐ URGENT: Review backup and disaster recovery procedures for production systems; test offline restoration capability
- ☐ HIGH: Implement EDR monitoring for HwAudKiller driver exploitation and ScreenConnect installation attempts
- ☐ HIGH: Conduct supply chain risk assessment across all development dependencies and package sources
- ☐ HIGH: Review Microsoft March 2026 patches (77 vulnerabilities) and prioritize critical patches for rapid deployment
- ☐ MEDIUM: Update threat intelligence feeds to include TeamPCP, CanisterWorm, and Iranian hacktivist indicators of compromise
- ☐ MEDIUM: Enhance user awareness training on phishing campaigns using fake resumes and tax-themed social engineering