CISO Daily Briefing
Cloud Security Alliance — AI Safety Initiative Intelligence Report
Executive Summary
Three independent supply chain attack threads converged simultaneously this cycle, with North Korea’s Famous Chollima debuting LLMO abuse — the first technique engineered to deceive AI coding agents rather than human reviewers — while TeamPCP’s Mini Shai-Hulud hit SAP npm, PyTorch Lightning, and Intercom across three package registries in 72 hours, compromising 1,800+ environments. Google patched a CVSS 10.0 RCE in Gemini CLI that allowed unauthenticated attackers to execute arbitrary commands in CI/CD pipelines before the agent’s sandbox initialized.
On the policy front, the White House OSTP issued NSTM-4, formally naming Chinese industrial-scale AI model distillation as a national security threat — Anthropic documented 16 million adversarial exchanges across 24,000 fraudulent accounts from three Chinese labs in a single week. The Wiz 2026 State of AI in the Cloud report confirms AI is now present in 81%+ of cloud environments, yet 25% of organizations lack visibility into which AI services are running in their own infrastructure. The week’s attack pattern against AI tooling, model APIs, and developer dependencies confirms that threat actors have identified the AI development toolchain as a high-value, structurally underdefended target.
Overnight Research Output
DPRK PromptMink: AI-Optimized npm Malware Targeting LLM Coding Agents
CRITICAL
What happened: North Korea’s Famous Chollima introduced the PromptMink campaign, which exploits a structural gap in how LLM coding agents evaluate package trustworthiness. Rather than targeting human developers, the group crafts npm packages with documentation engineered to appear authoritative to language models performing autonomous dependency selection. On February 28, 2026, ReversingLabs confirmed that Claude Opus co-authored a commit to the openpaw-graveyard crypto trading agent that introduced @solana-launchpad/sdk — a bait package with no malicious code that silently pulls in @validate-sdk/v2, a compiled Rust payload capable of exfiltrating environment files, cryptocurrency wallets, entire source trees, and injecting persistent SSH access.
Why it matters: This is the first widely documented instance of a nation-state threat actor weaponizing an AI coding agent as an unwitting supply chain insider. The two-layer bait-and-payload architecture bypasses direct-dependency scanners by design. With over 300 package versions deployed across the campaign, the operation shows both scale and sustained investment. ReversingLabs coined the technique LLMO abuse (LLM Optimization abuse) — a new threat category that will persist as agentic development pipelines proliferate. North Korean threat actors accounted for 76% of 2026 crypto hack losses, with total theft since 2017 exceeding $6 billion.
Immediate actions: Require human approval before any AI agent adds a net-new package dependency. Audit agent-authored commits over the past six months for transitive dependency chains. Enforce full dependency-graph scanning — not just direct dependencies — in CI/CD pipelines. Check for @solana-launchpad and @validate-sdk namespace packages in all projects.
ReversingLabs — Claude adds PromptMink malicious dependency to crypto agent
The Hacker News — New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
CybersecurityNews — Claude-Generated Commit Adds PromptMink Malware to Crypto Trading Agent
Gemini CLI CVSS 10.0 RCE: Maximum-Severity Flaw in AI Developer Tools
CRITICAL
What happened: Google patched GHSA-wpqr-6v78-jr5g on April 24, 2026 — a CVSS 10.0 remote code execution vulnerability in Gemini CLI affecting all headless/CI deployments prior to v0.39.1. Two design flaws compounded each other: headless mode automatically trusted any workspace folder (loading attacker-controlled .gemini/ configuration without user consent), and --yolo mode bypassed all tool allowlists entirely. An unauthenticated external contributor submitting a pull request could exploit both to execute arbitrary shell commands on the CI runner before the agent’s sandbox initialized — gaining access to all pipeline secrets, registry tokens, and deployment credentials.
Why it matters: This is not an isolated finding. Cursor IDE was simultaneously patched for CVE-2026-26268 (CVSS 9.9) for a related RCE. Gemini CLI had a prior prompt-injection path documented by Tracebit in 2025. The pattern — early prompt injection finding followed by deeper architectural trust model failure — signals that the entire category of AI CLI tools integrated into privileged CI/CD workflows is undertested. A compromised runner can sign artifacts, push container images, and write to package registries, creating a supply chain propagation risk far beyond the initial victim.
Immediate actions: Upgrade @google/gemini-cli to v0.39.1+ (preview: v0.40.0-preview.3+) and google-github-actions/run-gemini-cli to v0.1.22+. Audit all CI workflows running Gemini on pull_request or issues triggers. Rotate all secrets accessible from affected headless runners. Disable --yolo mode in all pipeline deployments.
GitHub Advisory Database — GHSA-wpqr-6v78-jr5g: Gemini CLI Trust Model Update
Novee Security — Google Gemini CLI CVSS 10.0 RCE: Critical Security Advisory
The Hacker News — Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws
The Register — Google fixes CVSS 10.0 vulnerability in Gemini CLI
TeamPCP Mini Shai-Hulud: Coordinated Multi-Ecosystem Package Registry Attack
CRITICAL
What happened: Between April 29 and May 1, 2026, TeamPCP executed simultaneous credential-stealing supply chain attacks across npm, PyPI, and Packagist — hitting SAP’s Cloud Application Programming Model packages, PyTorch Lightning (versions 2.6.2 and 2.6.3), and Intercom within a 72-hour window. The attack uses preinstall hooks to bootstrap the Bun JavaScript runtime and execute an 11.6 MB obfuscated payload that sweeps for GitHub tokens, npm tokens, AWS/Azure/GCP credentials, and Kubernetes configs before exfiltrating them to over 1,800 attacker-created GitHub repositories. The malware skips execution on Russian-locale systems, consistent with state-adjacent threat actor behavior.
Affected packages (check immediately):
| Package | Compromised Versions | Ecosystem |
|---|---|---|
| @cap-js/sqlite | 2.2.2 | npm |
| @cap-js/postgres | 2.2.2 | npm |
| @cap-js/db-service | 2.10.1 | npm |
| mbt | 1.2.48 | npm |
| lightning (PyTorch Lightning) | 2.6.2, 2.6.3 | PyPI |
| intercom-client | 7.0.4, 7.0.5 | npm |
| intercom/intercom-php | 5.0.2 | Packagist |
Why it matters: This is TeamPCP’s most expansive operation to date, following prior compromises of Trivy, KICS, and LiteLLM (Feb–Mar 2026). The targeting of SAP CAP and PyTorch Lightning packages reflects deliberate selection of high-credential-density environments. The AI/ML toolchain is now an active target: PyTorch Lightning pipelines hold cloud storage credentials for model checkpoints and training data, meaning a single compromised install can yield access to the organization’s entire AI development infrastructure.
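A dependency-graph check that covers both the PromptMink action items above (full transitive scanning, watched @solana-launchpad and @validate-sdk namespaces) and the TeamPCP version table, written here as an added example rather than any vendor's tooling: it walks an npm package-lock.json (lockfileVersion 2 or 3) using npm's nearest-node_modules resolution, so a payload pulled in only by a bait package is reported together with the chain that introduced it. The lockfile contents are constructed from the identifiers in this briefing, the indicator lists are transcribed from it, and the function names are assumptions of this example.

```python
import json  # needed only when loading a real lockfile from disk

# Indicators transcribed from the briefing; extend from your own threat feeds.
WATCHED_SCOPES = ("@solana-launchpad/", "@validate-sdk/")
BAD_VERSIONS = {"@cap-js/sqlite": {"2.2.2"}, "@cap-js/postgres": {"2.2.2"},
                "@cap-js/db-service": {"2.10.1"}, "mbt": {"1.2.48"},
                "intercom-client": {"7.0.4", "7.0.5"}}
DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")

def pkg_name(path):  # 'node_modules/a/node_modules/@s/b' -> '@s/b'
    return path.rsplit("node_modules/", 1)[-1]

def resolve(packages, from_path, dep):
    # npm lookup: nearest node_modules/<dep>, walking up from the requiring package
    base = from_path
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def scan_lock(lock):
    # Returns (kind, chain) findings; chain reads 'direct@ver -> ... -> flagged@ver'
    packages, findings, seen = lock["packages"], [], set()
    queue = [("", [])]  # breadth-first from the root package entry
    while queue:
        path, chain = queue.pop(0)
        for dep in [d for k in DEP_KEYS for d in packages[path].get(k, {})]:
            target = resolve(packages, path, dep)
            if target is None or target in seen:
                continue
            seen.add(target)
            name, ver = pkg_name(target), packages[target].get("version", "")
            link = chain + [f"{name}@{ver}"]
            if name.startswith(WATCHED_SCOPES):  # bait or payload namespace
                findings.append(("watched-scope", " -> ".join(link)))
            if ver in BAD_VERSIONS.get(name, ()):  # exact compromised release
                findings.append(("known-bad-version", " -> ".join(link)))
            queue.append((target, link))
    return findings

# Constructed lockfile mirroring the two-layer bait/payload chain described above.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@solana-launchpad/sdk": "^1.0.0", "intercom-client": "^7.0.0"}},
    "node_modules/@solana-launchpad/sdk": {"version": "1.0.3", "dependencies": {"@validate-sdk/v2": "^2.0.0"}},
    "node_modules/@validate-sdk/v2": {"version": "2.1.0"},
    "node_modules/intercom-client": {"version": "7.0.4"}}}

print(scan_lock(SAMPLE_LOCK))
```

Against a real repository, call `scan_lock(json.load(open("package-lock.json")))` in CI and fail the build on any finding; PyPI and Packagist lockfiles need their own loaders, but the same version table applies.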
Wiz Research — Supply Chain Campaign Targets SAP npm Packages
Aikido Security — Mini Shai-Hulud Has Appeared: Bun-Based Secret Stealer
The Hacker News — PyTorch Lightning and Intercom-Client Hit in Supply Chain Attacks
The Hacker News — Poisoned Ruby Gems and Go Modules Exploit CI Pipelines
Socket Security — Malicious Ruby Gems and Go Modules Steal Secrets, Poison CI
NSTM-4: US Policy Response to Industrial-Scale AI Model Distillation
GOVERNANCE
What happened: On April 23, 2026, the White House OSTP issued Memorandum NSTM-4, “Adversarial Distillation of American AI Models” — the first US government policy instrument to formally classify systematic capability extraction from frontier AI systems as a national security threat. The memorandum was directly triggered by disclosures from Anthropic (three Chinese labs — DeepSeek, Moonshot AI, and MiniMax — generating over 16 million adversarial exchanges across 24,000 fraudulent accounts in a single seven-day period) and OpenAI. NSTM-4 proposes export controls, diplomatic countermeasures, and mandatory vendor attestation requirements. Companion legislation, H.R. 8283, would authorize Commerce Department Entity List sanctions against extraction actors.
Enterprise implications: Federal contractors and organizations in AI programs face new vendor attestation obligations under NSTM-4 near-term directives — requiring AI providers to document training data provenance and distillation controls. High-risk supply chain compliance provisions taking effect August 2026 establish cryptographic attestation requirements for AI system components. Beyond IP: models trained on extraction data may replicate frontier capabilities while discarding safety alignment, creating a supply chain risk where enterprises acquire capability without the safety properties they assumed were present.
Immediate actions: Request AI vendor attestation on model provenance and distillation controls. Audit API usage patterns on all AI services for behavioral signatures of systematic extraction. Flag vendor contracts lacking AI IP integrity provisions for amendment at next renewal.
Nextgov/FCW — White House Accuses China of ‘Industrial-Scale Campaigns’ to Steal US AI Models
Axios — U.S. accuses China of “industrial-scale” campaigns to steal AI secrets
Lawfare — U.S. Vows to Fight Distillation Attacks
Risky Business — Srsly Risky Biz: US Vows to Fight Distillation Attacks
AI as Critical Infrastructure: Systemic Attack Surface in Cloud Environments
WHITEPAPER
Strategic context: The Wiz 2026 State of AI in the Cloud report (April 29) documents that AI is present in 81%+ of observed cloud environments, MCP servers appear in 80% of environments, and AI-integrated IDE extensions are installed in at least 80% of organizations — yet 25% of respondents lacked visibility into which AI services were running in their own environment. This week’s attack wave against Gemini CLI, PyTorch Lightning, SAP npm packages, and the DPRK-engineered agentic malware confirms that threat actors have already identified the AI development toolchain as a high-value, structurally underdefended target.
The systemic risk: The same small set of package registries, model APIs, and agentic frameworks underpin AI development globally, creating a monoculture concentration risk analogous to — but potentially more severe than — the Log4Shell dependency risk. A single successful supply chain compromise against a widely used AI framework does not merely affect one application; it propagates across every organization that has integrated that framework into its AI development pipeline. Organizations that have not yet inventoried their AI asset footprint cannot assess their exposure to this concentration risk.
CISO action: Commission an AI asset inventory covering model APIs in use, AI-integrated developer tools, agentic frameworks, MCP server deployments, and inference infrastructure. Apply the same critical infrastructure governance posture — asset management, identity governance, exposure management, incident response planning — to AI systems that is applied to core network and cloud infrastructure.
Wiz Research — Key Takeaways from the 2026 State of AI in the Cloud Report
SiliconANGLE — Wiz finds AI has moved from tool to infrastructure
Wiz Research — Cloud Threats Retrospective 2026: What AI Changed
Notable News & Signals
Linux “Copy Fail” CVE-2026-31431 — Kernel LPE Affecting All Major Distros
A CVSS 7.8 local privilege escalation affecting Linux kernels across all major distributions since 2017 has been disclosed. While not AI-specific, this affects AI inference servers, training nodes, and cloud workloads running Linux. Relevant to hardening AI infrastructure at the OS layer; apply vendor patches during next maintenance window.
cPanel/WHM CVE-2026-41940 — Actively Exploited Auth Bypass
A zero-day authentication bypass in cPanel and WHM is actively exploited in the wild, affecting web hosting infrastructure broadly. No direct AI angle, but relevant to organizations hosting AI-adjacent web services or customer-facing ML APIs on managed hosting platforms. Apply cPanel patches immediately if applicable.
EtherRAT — High-Sophistication Enterprise Admin Targeting via Blockchain C2
A new RAT campaign targeting enterprise administrators uses SEO poisoning for initial access and a blockchain-based command-and-control channel that is difficult to block at the network layer. High sophistication; primarily a general enterprise threat rather than AI-specific. Worth briefing IT security and SOC teams given C2 evasion novelty.
CISA Zero Trust OT Guide (Apr 29) — Complementary Guidance
CISA published new Zero Trust guidance for operational technology environments, covering segmentation, identity, and continuous validation for OT/ICS systems. Useful complement to existing CSA Zero Trust coverage for organizations with AI systems interfacing with operational infrastructure (edge AI, industrial ML). No new AI-specific material warranting a standalone note.
ENISA NCAF 2.0 (Apr 22) — EU National Cyber Assessment Framework Update
ENISA published version 2.0 of its National Cybersecurity Assessment Framework, primarily relevant to EU national authorities evaluating cyber maturity at a national level. Enterprise practitioners will find limited direct applicability; EU-based organizations may wish to track alignment with national regulatory assessments that reference NCAF.
BlackCat/ALPHV Ransomware Prosecutions — DoJ Sentencing
The Department of Justice sentenced two individuals connected to the BlackCat/ALPHV ransomware operation on May 1, 2026. Extensive law enforcement and legal news coverage; no new AI security angle for the AI Safety Initiative. Signals continued DoJ focus on ransomware ecosystem prosecution.
Topics Already Covered (No New CSA Action Required)
- BlackCat/ALPHV Ransomware Prosecutions: Covered extensively by law enforcement news; no AI security angle. DoJ sentencing of two cybersecurity professionals, May 1, 2026.
- Linux “Copy Fail” CVE-2026-31431: Significant infrastructure LPE (CVSS 7.8, all major distros since 2017), but not AI-specific and well-covered by vendor advisories. Relevant to AI inference server hardening but does not warrant a standalone CSA note.
- cPanel/WHM CVE-2026-41940: Actively exploited web hosting zero-day; no direct AI security angle for the AI Safety Initiative.
- EtherRAT Enterprise Admin Targeting: High-sophistication SEO poisoning + blockchain C2 campaign; primarily a general enterprise threat rather than an AI Safety Initiative focus area.
- CISA/US Government Zero Trust OT Guide: Useful complementary guidance to existing CSA Zero Trust coverage; no new AI-specific material warranting a standalone note.
- ENISA NCAF 2.0: National-level EU capability assessment framework update; primarily relevant to EU national authorities rather than enterprise practitioners.