CISO Daily Briefing — April 30, 2026


Cloud Security Alliance Intelligence Report

Report Date: April 30, 2026
Intelligence Window: 48 Hours
Topics Identified: 5 Priority Items
Papers Queued: 5 Overnight

Executive Summary

Today’s intelligence cycle is dominated by a qualitative escalation in AI infrastructure attacks: adversaries are actively exploiting LiteLLM CVE-2026-42208 (CVSS 9.3, pre-auth SQL injection) within 36 hours of disclosure, while North Korea’s Famous Chollima group has weaponized Claude Opus to generate and insert malicious npm packages in a seven-month supply chain campaign — the first confirmed nation-state use of a frontier AI model as an attack participant. A concurrent pattern of CVSS 10.0 RCE vulnerabilities in AI coding tools (Gemini CLI, Cursor IDE) confirms that the CI/CD pipeline attack surface has expanded to include AI agents with trusted repository and cloud credentials access.

On the governance side, CISA released its first comprehensive Zero Trust guidance for OT environments, immediately actionable for hybrid IT/OT portfolios. Wiz’s 2026 State of AI Cloud report provides the clearest empirical picture yet of AI-as-infrastructure risk: 81% of cloud environments now run managed AI services, and one in five vibe-coding organizations has already introduced systemic cross-project security defects.

Overnight Research Output

1. LiteLLM CVE-2026-42208: Pre-Auth SQL Injection in AI Proxy Infrastructure

CRITICAL

Summary: CVE-2026-42208 (CVSS 9.3) is a pre-authentication SQL injection in LiteLLM, the widely deployed open-source LLM gateway used by enterprises to route requests to OpenAI, Anthropic, AWS Bedrock, and other AI providers. An unauthenticated attacker can send a crafted Authorization header to any LLM API route, reaching a vulnerable query through the proxy’s error-handling path. Successful exploitation grants read/write access to the litellm_credentials table — which typically holds organization-level API keys with five-figure monthly spend caps and IAM credentials, making the effective blast radius equivalent to a full cloud account compromise. First exploitation was recorded approximately 26 hours after the advisory was indexed by NVD, confirming zero-day-speed targeting of AI infrastructure even without a public proof-of-concept.

CISO Action: Patch LiteLLM to the latest release immediately. If patching is not immediately possible, restrict network access to the LiteLLM instance to internal networks only and rotate any API keys stored in the credentials table. Audit LiteLLM deployment architecture to ensure it is not internet-facing without authentication controls in front of it.


Why This Matters: CSA has no existing research on the security posture of LLM proxy and gateway infrastructure — the critical layer between enterprise applications and AI model providers. This is an entirely unaddressed segment of the AI SDLC in CSA’s portfolio, and it is now being actively exploited.


2. PromptMink: North Korea’s Famous Chollima Weaponizes AI for npm Supply Chain Attack

CRITICAL

Summary: ReversingLabs has attributed a seven-month npm supply chain campaign — comprising 60+ malicious packages and 300+ versions — to North Korea’s Famous Chollima threat actor (Lazarus Group). The forensic pivot is significant: a commit introducing the malicious @validate-sdk/v2 transitive dependency was generated by Anthropic’s Claude Opus LLM. The malware steals .env and .json configuration files, cryptocurrency wallet credentials, and — in the Rust-based payload variant — entire project source trees, while also installing persistent SSH access. This is the first widely documented case of a nation-state actor using a frontier AI model as an active participant in a supply chain compromise workflow, not merely for phishing content generation. AI code review tools trained on adversarial patterns may fail to flag AI-generated malicious commits because they share structural characteristics with legitimate AI-assisted code.

CISO Action: Audit transitive npm dependencies in any cryptocurrency, financial, or developer tool projects. Enable package-lock enforcement and dependency review in CI. Do not assume AI-powered SCA tools will catch AI-generated malicious packages without additional behavioral analysis.


Why This Matters: CSA has addressed AI supply chain security in general terms but has not covered the scenario where AI code generation tools are weaponized as part of a nation-state supply chain attack. This connects directly to CSA’s AICM framework (AI risk across the development lifecycle) and MAESTRO threat taxonomy for AI agents.


3. AI Developer Tools as a High-Value Attack Surface: Gemini CLI CVSS 10.0 & CI/CD RCE Pattern

HIGH URGENCY

Summary: Google patched a maximum-severity (CVSS 10.0) vulnerability in Gemini CLI allowing an unauthenticated external attacker to execute arbitrary commands on host systems before the agent’s sandbox initialized, by forcing malicious content to load as Gemini configuration during headless CI/CD execution. Concurrently, Cursor IDE was found vulnerable to CVE-2026-26268, a git hook injection flaw enabling arbitrary code execution. Together with the TeamPCP and Cline supply chain attacks documented in prior intelligence cycles, these incidents confirm a maturing attacker focus on AI developer tools as a pivot point for CI/CD pipeline compromise. When an AI coding agent running in a GitHub Action holds repository write access and cloud credentials, its compromise is equivalent to owning the build system.

CISO Action: Audit the permission scope of AI coding agents deployed in CI/CD pipelines. Apply least-privilege principles to GitHub Actions: no AI agent runner should hold write access to the main branch or production cloud credentials unless strictly required. Update Gemini CLI and Cursor IDE to patched versions. Review GitHub Actions security hardening guidance.


Why This Matters: CSA has research on DevSecOps and supply chain security, but no dedicated analysis of AI-augmented CI/CD pipeline security — specifically the trust relationships between AI coding agents, GitHub Actions runners, and cloud credential stores. This gap is being actively exploited in the wild.


4. CISA “Adapting Zero Trust to OT” — First U.S. Government Framework for AI-Era ICS Security

GOVERNANCE

Summary: Released April 29, 2026, this joint guidance from CISA, DoD, DOE, FBI, and State Department is the U.S. government’s first comprehensive framework for applying Zero Trust architecture principles to operational technology environments. The document directly addresses the hardest OT implementation challenges: legacy infrastructure technology gaps, the operational constraint that OT systems often cannot be patched or rebooted during production windows, and the safety-criticality link between cyber events and physical processes. Recommendations are structured across the NIST CSF 2.0 lifecycle (Govern/Identify/Protect/Detect/Respond/Recover) and aligned with CISA’s Cross-Sector Cybersecurity Performance Goals 2.0. For CISOs managing hybrid IT/OT portfolios — especially in manufacturing, energy, and healthcare — this document resets the compliance baseline for OT security programs.

CISO Action: Read the full guidance document. Map your current OT security program against the NIST CSF 2.0 structure used in the guide. Identify technology gaps in legacy OT environments and develop a phased remediation roadmap with appropriate operational constraints documented.


Why This Matters: CSA has 25 documents on Zero Trust architecture but lacks analysis of how ZT frameworks apply specifically to OT/ICS environments and the regulatory implications of this guidance for critical infrastructure operators. The AI angle is also present: AI-powered OT monitoring and anomaly detection in SCADA systems create new attack surfaces this guidance begins to address.


5. AI Has Become Infrastructure: Wiz 2026 Cloud Report & the AI Monoculture Risk

STRATEGIC RISK

Summary: Wiz’s 2026 State of AI in the Cloud report provides the most comprehensive empirical picture to date of how deeply AI is now embedded as cloud infrastructure: 81% of cloud environments use managed AI services, 90% run self-hosted AI software, 80% have deployed MCP servers, and 57% have deployed self-hosted AI agents. Critically, 68% of organizations running self-hosted models ingest them through third-party software — meaning most enterprise AI deployments are a single dependency away from supply chain compromise. The report also quantifies vibe-coding systemic risk: approximately one in five organizations using AI-powered code generation had applications affected by shared AI generation patterns that introduced widespread, correlated security defects across projects. When AI is infrastructure, the security assumptions of a single centralized toolchain replicate across thousands of production systems simultaneously — a monoculture risk profile for which the security community has not yet developed adequate frameworks.

CISO Action: Inventory all AI services and self-hosted models in your environment. Assess third-party software supply chain exposure for AI model ingestion pipelines. Establish a policy for AI-generated code review that does not rely solely on other AI tools. Consider AI concentration risk in your enterprise risk register analogously to cloud provider concentration.


Why This Matters: CSA has addressed AI governance and AI risk management, but has not yet framed AI as a systemic infrastructure risk with monoculture characteristics analogous to cloud provider concentration. This whitepaper would be the first CSA document to synthesize concentration, dependency, and vibe-coding systemic risk into a unified CISO-facing analysis, connecting to CSA’s AICM framework, MAESTRO, and the Catastrophic Risk Annex project.


Notable News & Signals

GitHub CVE-2026-3854: Critical RCE via git push

Critical RCE in GitHub infrastructure disclosed and patched. Discovered by Wiz and reported to GitHub in March; full exploitation details now public. Well-covered in DevSecOps circles — less differentiated for CSA’s AI-specific mandate than Topic 3.

cPanel/WHM CVE-2026-41940: Authentication Bypass Zero-Day

Actively exploited authentication bypass affecting 70,000+ web hosting deployments. First exploited in late February 2026. High-impact general vulnerability not specific to AI infrastructure; operational priority for hosting-heavy environments.

SAP npm Supply Chain Attack (Mini Shai-Hulud / TeamPCP)

Multiple official SAP CAP framework packages compromised with credential-stealing preinstall scripts. Significant general supply chain incident; the AI-specific angle is better addressed by PromptMink (Topic 2), but SAP environments should audit dependencies immediately.

EtherRAT: SEO Poisoning & Blockchain C2 Targeting Enterprise Admins

Sophisticated campaign targeting enterprise administrators via GitHub Facades and SEO poisoning, using blockchain for C2 resilience. High-sophistication attack but not AI-specific; worth awareness for IT/admin-targeted threat models.

Linux “Copy Fail” CVE-2026-31431: Kernel LPE Affecting All Major Distros Since 2017

Privilege escalation in all major Linux distributions since 2017. Important general patch advisory; apply Linux kernel updates across your fleet. Outside AI Safety Initiative scope but operationally relevant for all Linux-based infrastructure.

ENISA National Capabilities Assessment Framework 2.0 (April 22)

Updated national cybersecurity maturity methodology from ENISA. More relevant to government/CSIRT audiences than enterprise CISOs; worth a mention in a future governance roundup for policy-focused organizations operating in EU jurisdictions.

Source: ENISA News

Topics Already Covered — No New Action Required

  • GitHub CVE-2026-3854 RCE via git push: Critical flaw patched by GitHub. Well-covered in general DevSecOps circles; less differentiated for CSA’s AI-specific portfolio than the AI coding tool RCE pattern in Topic 3.
  • cPanel/WHM CVE-2026-41940 authentication bypass zero-day: Actively exploited since late February; affects 70,000+ web hosting deployments. High-impact general vulnerability not specific to AI infrastructure.
  • SAP npm supply chain attack (Mini Shai-Hulud / TeamPCP): Multiple official SAP CAP framework packages compromised. Significant general supply chain incident; AI-specific supply chain angle better addressed by PromptMink (Topic 2).
  • EtherRAT campaign via SEO poisoning and blockchain C2: Sophisticated targeting of enterprise administrators via GitHub Facades. High-resilience attack but not AI-specific.
  • Linux “Copy Fail” CVE-2026-31431 LPE: Kernel privilege escalation affecting all major Linux distributions since 2017. Important general patch advisory but outside AI Safety Initiative scope.
  • ENISA National Capabilities Assessment Framework 2.0: Updated national cybersecurity maturity methodology. More relevant to government/CSIRT audiences; may be worth a future governance roundup mention.
