CISO Daily Briefing
Cloud Security Alliance — AI Safety Initiative Intelligence Report
Executive Summary
The 48-hour scan window reveals a threat landscape shaped by three converging trends: escalating supply chain sophistication, aggressive exploitation of enterprise edge devices, and a surge in advanced phishing tradecraft. The most consequential development is the TeamPCP supply chain campaign, in which a financially motivated threat actor compromised four widely used open-source projects (the Trivy and KICS security scanners, the LiteLLM Python library and the Axios npm package) within two weeks, ultimately breaching the European Commission and exposing data from 30 EU entities. Simultaneously, CVE-2026-35616 (CVSS 9.1) in Fortinet FortiClient EMS is under active zero-day exploitation, and device code phishing has surged 37× in 2026 as commodity kits democratize a technique that yields the attacker a valid token without ever capturing a password or MFA code. On the strategic front, NIST’s AI Agent Standards Initiative signals that a compliance framework for agentic AI is 12–18 months away; enterprises must begin bridging the gap now.
Overnight Research Output
Fortinet FortiClient EMS CVE-2026-35616: Pre-Auth API Bypass Under Active Zero-Day Exploitation
CRITICAL URGENCY
Summary: CVE-2026-35616 is a CVSS 9.1 pre-authentication API bypass in Fortinet FortiClient EMS that allows an unauthenticated attacker to execute unauthorized code or commands via crafted API requests. The Hacker News reported that Defused Cyber confirmed zero-day exploitation of the flaw before Fortinet released its out-of-band hotfix on April 5, 2026; a fully patched release (7.4.7) has not yet shipped. FortiClient EMS manages endpoint security policy for hybrid workforces, so an attacker who controls the server can read endpoint telemetry and push policy or configuration to every managed endpoint, turning a single server compromise into organization-wide persistence.
Recommended Actions: Apply the April 5 out-of-band hotfix immediately; where it cannot be applied at once, remove the EMS API and management interfaces from internet and other untrusted exposure first, since the bug needs no credentials. Audit EMS access logs for API calls that reached protected functionality without an authenticated session and for requests from unexpected source addresses. Isolate EMS management interfaces from untrusted network segments permanently, not only as a stopgap. Plan the upgrade to 7.4.7 as soon as it is released. Review endpoint policy configurations for unauthorized changes and treat any that cannot be explained as evidence of compromise rather than drift.
TeamPCP: Systematic Assault on Developer Security Tooling
CRITICAL URGENCY
Summary: TeamPCP executed a coordinated, multi-week campaign in March–April 2026 that compromised four widely used open-source projects: the Trivy vulnerability scanner (75 GitHub Action tags hijacked), the Checkmarx KICS scanner (35 tags hijacked), the LiteLLM Python library (versions 1.82.7–1.82.8 backdoored, persisting through a .pth file in site-packages, which CPython processes at every interpreter start-up and whose lines beginning with import it executes), and the Axios npm package through maintainer social engineering (the UNC1069 angle of the Axios compromise is covered separately; see Topics Already Covered below). Each compromise injected credential-harvesting malware that exfiltrated SSH keys, cloud credentials, CI/CD secrets, Kubernetes tokens, and API keys. CERT-EU attributed the European Commission cloud breach, which exposed data from 29 additional EU entities, to the same campaign infrastructure. The qualitatively novel aspect: TeamPCP targeted the security scanners themselves, so that running a security check in a pipeline became the infection vector.
Recommended Actions: Immediately audit CI/CD pipeline execution logs for Trivy, KICS, and LiteLLM invocations during March–April 2026. Rotate all cloud credentials, SSH keys, and API tokens reachable from affected pipelines, assuming anything present in the runner environment was harvested. Pin every action referenced by a workflow's uses: key to a full commit SHA rather than a tag or branch: tags are mutable, which is exactly what the hijack exploited. Verify LiteLLM installations are not running versions 1.82.7–1.82.8, and inspect site-packages for .pth files that execute code, since that is where the backdoor persisted and a .pth dropped outside the package's own file list survives a plain uninstall. Brief engineering leadership on the security-scanner-as-attack-vector pattern.
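The two LiteLLM checks above in working form, as an added example that is not LiteLLM's, TeamPCP's or CSA's code: the version-range test uses the 1.82.7–1.82.8 range from this briefing, the .pth logic mirrors what CPython's site.py does with lines that begin with import, and the sample .pth content and its file name are constructed. It uses only the standard library.

```python
"""Two checks for the LiteLLM indicators named above: an installed version in
the affected range (1.82.7-1.82.8, per the briefing) and .pth files in
site-packages whose lines the interpreter executes at start-up, the
persistence mechanism the briefing describes. Added example, not LiteLLM
code; the sample .pth below is constructed."""
from __future__ import annotations
import re
import tempfile
from importlib import metadata
from pathlib import Path

AFFECTED_MIN, AFFECTED_MAX = (1, 82, 7), (1, 82, 8)   # inclusive, from the briefing


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric release segment of a version string: '1.82.7rc1' -> (1, 82, 7)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def litellm_affected(version: str) -> bool:
    """True when an installed LiteLLM version falls in the backdoored range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def pth_exec_lines(text: str) -> list[str]:
    """Lines of a .pth file that CPython's site.addpackage() passes to exec().

    site.py executes any line starting with 'import ' or 'import\\t' and treats
    every other non-comment line as a directory to add to sys.path, so a
    planted .pth runs attacker code at every interpreter start-up.
    """
    return [ln.rstrip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def pth_owners() -> dict[str, str]:
    """Map .pth file names recorded in installed packages' RECORD to the package.

    A .pth in site-packages that no installed distribution claims is the one to
    look at first; legitimate ones (setuptools, virtualenv) are listed in RECORD.
    """
    owners: dict[str, str] = {}
    for dist in metadata.distributions():
        for f in dist.files or []:
            if f.name.endswith(".pth"):
                owners[f.name] = dist.metadata["Name"]
    return owners


def scan_site_packages(dirs) -> dict[str, dict]:
    """For each .pth under dirs: its executable lines and which package owns it."""
    owners = pth_owners()
    findings: dict[str, dict] = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            lines = pth_exec_lines(pth.read_text(errors="replace"))
            if lines:
                findings[str(pth)] = {"exec_lines": lines,
                                      "owner": owners.get(pth.name, "UNOWNED")}
    return findings


SAMPLE_PTH = (   # constructed: one ordinary path line, two lines site.py would exec
    "/opt/vendor/lib\n"
    "import sys; sys.path.insert(0, '/tmp/.cache')\n"
    "import subprocess; subprocess.Popen(['/tmp/.cache/agent'])\n"
)


def demo() -> dict[str, dict]:
    """Write the constructed .pth to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "zzz-vendor.pth").write_text(SAMPLE_PTH)   # placeholder name
        return scan_site_packages([tmp])


if __name__ == "__main__":
    import site
    ver = None
    try:
        ver = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        pass
    print("litellm:", ver, "AFFECTED" if ver and litellm_affected(ver) else "ok/absent")
    for path, info in scan_site_packages(site.getsitepackages()).items():
        print(path, info["owner"], info["exec_lines"])
```

Run it inside each interpreter or virtual environment the pipeline uses, not just the system Python; a .pth reported as UNOWNED with exec lines deserves a look even when its name suggests a vendor, because nothing binds a .pth file name to the package that created it.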
OAuth Device Code Phishing Surges 37×: MFA-Bypassing Account Takeover at Scale
HIGH URGENCY
Summary: Device code phishing abuses the OAuth 2.0 Device Authorization Grant (RFC 8628), the flow built for input-constrained devices: the attacker starts the flow, obtains a device code and a short user code, and lures the victim into entering that user code on the identity provider's genuine sign-in page. The victim authenticates normally, MFA included, and in doing so approves a grant the attacker initiated, so the attacker's polling client receives a valid access token and a long-lived refresh token without ever capturing a password or MFA code. BleepingComputer reported the technique has increased more than 37 times in 2026 over prior-year levels, driven by commodity phishing kits that have democratized what was previously nation-state tradecraft. TA416 (China-linked) is actively deploying OAuth redirect abuse against European government and NATO diplomatic organizations as part of a multi-stage PlugX delivery chain. Because the victim only ever sees a legitimate login page, neither the user nor the usual credential-phishing controls see the attack.
Recommended Actions: Use Conditional Access to block device code flow (the authentication flows condition in Entra ID), allowing it only for the headless or shared-device scenarios that genuinely need it and requiring managed devices for those. Deploy authentication strength policies requiring phishing-resistant MFA (FIDO2/passkeys) for privileged accounts and external-facing services, but note that phishing-resistant MFA does not by itself stop device code phishing, since the victim authenticates to the genuine identity provider; blocking the flow is the primary control. Audit Entra ID sign-in logs for device code sign-ins (the authentication protocol field records them) and review unusual approvals: a client application the user has never used, an unfamiliar location, or a first-ever device code sign-in for that account. Brief help desk and IT on social engineering patterns that route users into entering a code at a Microsoft login page.
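The exchange described above, as an added example that is not part of the original briefing and not any vendor's implementation: an in-memory authorization server with the three RFC 8628 steps (device authorization request, user approval, token polling), run once as the phishing sequence and once against a tenant that blocks the flow. The endpoint and error names follow RFC 8628; the client id, scopes, user name, verification URI and the allow_device_flow policy switch are constructed for the example.

```python
"""Toy OAuth 2.0 Device Authorization Grant (RFC 8628) exchange showing why
device code phishing defeats MFA: the attacker holds the device_code, the
victim only ever enters a user_code on the real login page, and the token is
issued to whoever polls with the device_code. Added example with an
in-memory authorization server; message names follow RFC 8628, while the
client id, user, verification URI and the tenant-level block are constructed."""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: str | None = None


class AuthServer:
    """Minimal authorization server: device_authorization, approve, token."""

    def __init__(self, allow_device_flow: bool = True):
        # Conditional-access analogue: a tenant that blocks the device code flow
        self.allow_device_flow = allow_device_flow
        self.grants: dict[str, DeviceGrant] = {}  # device_code -> grant

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /device_authorization (RFC 8628 s3.1-3.2). Called by the attacker."""
        if not self.allow_device_flow:
            return {"error": "unauthorized_client"}  # flow blocked: no lure possible
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.grants[device_code] = DeviceGrant(client_id, scope, user_code, time.time() + 900)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.invalid/device",
                "expires_in": 900, "interval": 5}

    def approve(self, user_code: str, username: str, mfa_ok: bool) -> bool:
        """The victim enters user_code at verification_uri after a genuine login.

        The login, MFA included, is real; what it authorizes is the attacker's grant.
        """
        for g in self.grants.values():
            if g.user_code == user_code and g.approved_by is None and time.time() < g.expires_at:
                if mfa_ok:
                    g.approved_by = username
                    return True
        return False

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code (s3.4-3.5)."""
        g = self.grants.get(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() >= g.expires_at:
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),  # long-lived: the real prize
                "token_type": "Bearer", "scope": g.scope, "subject": g.approved_by}


def run_attack(server: AuthServer) -> dict:
    """Phishing sequence: attacker starts the flow, victim approves, attacker polls."""
    attacker_client = "public-cli-client"          # constructed: a public client allowed to use the flow
    start = server.device_authorization(attacker_client, "Mail.Read offline_access")
    if "error" in start:
        return start                                # blocked before a lure can be sent
    # Lure (email/Teams): "Enter code <user_code> at <verification_uri> to open the document."
    pending = server.token(attacker_client, start["device_code"])
    assert pending == {"error": "authorization_pending"}
    # Victim signs in for real, passes MFA, and types the attacker's user_code.
    server.approve(start["user_code"], "victim@example.invalid", mfa_ok=True)
    return server.token(attacker_client, start["device_code"])  # issued to the attacker


if __name__ == "__main__":
    print(run_attack(AuthServer()))
    print(run_attack(AuthServer(allow_device_flow=False)))
```

The point to take from the code is where the device_code lives: the victim never handles it, so nothing the victim does (strong password, FIDO2 key, managed device) changes who receives the token. The only place the server can refuse is at device_authorization or token issuance, which is what the Conditional Access block does in a real tenant.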
NIST AI Agent Standards Initiative: Enterprise Compliance Implications
HIGH URGENCY
Summary: In February 2026, NIST formally announced the AI Agent Standards Initiative, targeting interoperability and security standards for AI agent systems — a direct response to the accelerating deployment of autonomous AI agents in enterprise and critical infrastructure. This followed the January 2026 CAISI Request for Information actively soliciting enterprise input on securing AI agent systems. The initiative is expected to yield NIST Special Publications and new AI RMF profiles focused on agentic architectures within 12–18 months, creating a procurement and compliance standards gap that organizations deploying AI agents today must begin addressing proactively. CSA’s AICM and MAESTRO frameworks are uniquely positioned to bridge this gap until formal NIST standards are finalized.
Recommended Actions: Designate ownership for tracking NIST AI agent standards development and submit input to the CAISI RFI. Inventory current AI agent deployments and map them to existing AICM and MAESTRO controls. Conduct a gap assessment against anticipated NIST requirements to identify control deficiencies before standards are mandated. Brief procurement and legal teams on expected changes to AI vendor assessment requirements.
CI/CD Pipeline as Systemic Attack Control Plane
HIGH URGENCY
Summary: Q1 2026 has produced an unprecedented convergence of sophisticated threat actors targeting CI/CD pipelines as their primary enterprise entry vector. TeamPCP hijacked GitHub Actions release tags for Trivy and KICS and backdoored the LiteLLM package; North Korean UNC1069 obtained commit access through social engineering of an Axios maintainer; the prt-scan campaign (tracked by Wiz) demonstrates AI-driven automated exploitation of pull_request_target workflow misconfigurations; and the tl;dr sec newsletter documented an AI bot autonomously hacking GitHub Actions in February 2026. The pull_request_target misconfiguration is the one any outside contributor can trigger: unlike pull_request, that trigger runs in the base repository's context with access to its secrets and a GITHUB_TOKEN that may carry write permissions, so a workflow that checks out and executes the pull request's code hands those secrets to whoever opened the PR. The structural condition that unites these incidents: CI/CD pipelines aggregate an enterprise's highest-value credentials (cloud provider keys, signing certificates, deployment tokens, SaaS secrets) in a single execution environment that is routinely over-permissioned, difficult to audit in real time, and accessible to a wide circle of contributors. A dedicated CSA whitepaper will synthesize the incident pattern and map controls to AICM and the Secure Software Development Framework (SSDF).
Recommended Actions: Conduct an immediate audit of GitHub Actions workflows: flag any workflow using pull_request_target that checks out or runs pull-request code (for example, a checkout of github.event.pull_request.head.sha followed by a build or test step), any workflow without an explicit read-only permissions block, and any action referenced by a mutable tag rather than a commit SHA. Set the repository or organization default GITHUB_TOKEN permissions to read-only. Implement secrets scanning across all repositories. Enforce least-privilege pipeline permissions and replace long-lived CI/CD credentials with short-lived, environment-scoped tokens, using OIDC federation to the cloud provider where it is supported so that no static cloud key sits in the pipeline at all. Establish a pipeline security baseline aligned to the SSDF and AICM control families before the forthcoming CSA whitepaper provides formal guidance.
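The workflow audit recommended here, together with the SHA-pinning action from the TeamPCP topic above, as an added example that is not CSA's, Wiz's or GitHub's tooling: a heuristic line scanner (not a YAML parser) that reports unpinned uses: references and the dangerous pull_request_target combination, run against a weak workflow and a hardened one. Both workflows are constructed for the example, and the 40-character commit SHAs in them are placeholders, not real commits.

```python
"""Audit GitHub Actions workflow text for the conditions named above: actions
referenced by a mutable tag or branch instead of a full commit SHA (mutable
tags are what the Trivy/KICS hijack replaced) and pull_request_target
workflows that check out or run pull-request code while secrets or a
write-capable GITHUB_TOKEN are available. Added example, not a project tool:
a heuristic line scanner rather than a YAML parser, run on two constructed
workflows (the commit SHAs in them are placeholders, not real commits)."""
from __future__ import annotations
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
WRITE_PERM_RE = re.compile(
    r"^[ \t]*(?:permissions:[ \t]*write-all|[a-z-]+:[ \t]*write)[ \t]*$", re.M)


def unpinned_uses(workflow: str) -> list[str]:
    """Every uses: reference whose version part is not a 40-hex commit SHA.

    Local actions (./path) are repository code and docker:// references need
    a digest rather than a SHA, so both are skipped here.
    """
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        _, _, version = m.group(1).partition("@")
        if not SHA_RE.match(version):
            findings.append(m.group(1))
    return findings


def has_write_permissions(workflow: str) -> bool:
    """True if the workflow grants write scopes or omits permissions: entirely.

    An omitted block inherits the repository default, which on many existing
    repositories is still read-write, so absence is treated as write.
    """
    if "permissions:" not in workflow:
        return True
    return WRITE_PERM_RE.search(workflow) is not None


def pull_request_target_risk(workflow: str) -> list[str]:
    """Why a pull_request_target workflow is exploitable by an outside PR.

    pull_request_target runs in the base repository's context, so the danger
    is combining it with a checkout of the PR head and secrets or write scopes.
    The trigger check is a plain word match (a comment would also match).
    """
    if not re.search(r"\bpull_request_target\b", workflow):
        return []
    reasons = []
    if PR_HEAD_RE.search(workflow):
        reasons.append("checks out pull-request head: untrusted code runs in base-repo context")
    if "${{ secrets." in workflow:
        reasons.append("references repository secrets")
    if has_write_permissions(workflow):
        reasons.append("GITHUB_TOKEN has (or inherits) write permissions")
    return reasons


def audit(workflow: str) -> dict[str, list[str]]:
    return {"unpinned": unpinned_uses(workflow),
            "pull_request_target": pull_request_target_risk(workflow)}


SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: pip install -r requirements.txt && pytest
        env:
          CLOUD_KEY: ${{ secrets.CLOUD_KEY }}
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef
      - run: pytest
"""

if __name__ == "__main__":
    print("weak:", audit(SAMPLE_WORKFLOW))
    print("hardened:", audit(HARDENED_WORKFLOW))
```

The weak workflow fails on all three pull_request_target conditions at once (PR head checkout, a secret in the environment, and inherited write permissions), which is exactly the shape the prt-scan campaign hunts for. The hardened version switches to pull_request, declares read-only permissions, and pins every action; when a workflow genuinely needs pull_request_target (labelling, commenting), keep it to a job that never checks out or executes PR code.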
Sources
Wiz Blog — Trivy, KICS, LiteLLM, Axios, prt-scan campaign deep-dives (March–April 2026)
KrebsOnSecurity — TeamPCP infrastructure profile (March 2026)
The Hacker News — UNC1069/Axios supply chain attack post-mortem (April 3, 2026)
BleepingComputer — CERT-EU European Commission breach (April 3, 2026)
Notable News & Signals
36 Malicious npm Strapi Plugin Packages (Redis/PostgreSQL Exploitation)
Active supply chain campaign targeting Strapi CMS users with malicious npm packages that exploit Redis and PostgreSQL connections. Attribution linkage to TeamPCP under investigation; recommend monitoring closely for convergence.
SparkCat iOS/Android Malware: Crypto Wallet Phrase Theft
Emerging mobile malware campaign targeting cryptocurrency wallet recovery phrases on iOS and Android. Limited enterprise applicability at this time; relevant primarily for organizations with cryptocurrency holdings or BYOD policies covering financial applications.
Cisco IMC/SSM CVE-2026-20093 (CVSS 9.8) — Watch Status
Critical Cisco Integrated Management Controller flaw, CVSS 9.8. No confirmed active exploitation as of scan window close; treat it as a standard critical-patch item regardless, since management controllers should never be reachable from untrusted networks. Re-evaluate within 48 hours and promote to a full entry if in-the-wild exploitation is confirmed.
ENISA EU Digital Wallet Certification Scheme
European Union finalizing technical and security certification requirements for the EU Digital Identity Wallet under eIDAS 2.0. Relevant for organizations with European operations or identity infrastructure; primarily a compliance matter for identity and digital infrastructure teams.
Topics Already Covered — No New Action Required
- Axios / UNC1069 npm Supply Chain Attack: Covered by CSA Research Note: DPRK OSS Maintainer Social Engineering (April 4, 2026). The social engineering tradecraft and North Korean attribution angle have been addressed; Topic 2 above covers the distinct TeamPCP infrastructure and European Commission breach dimensions.
- AI-Generated Code Vulnerability Patterns: Covered by CSA Research Note: AI-Generated Code Vulnerability Surge (April 4, 2026). tl;dr sec and Trail of Bits blog posts from this scan window reinforce existing coverage without adding new findings.
- US Federal AI Regulatory Preemption: Covered by CSA Research Note: US AI Regulation Preemption & Compliance (April 4, 2026). The NIST AI Agent Standards Initiative (Topic 4 above) covers the distinct standards-track governance angle not addressed by the preemption note.