Risky Business #830 – LiteLLM & Security Scanner Supply Chains Compromised
Podcast: Risky Business
Host: Patrick Gray
Guests: Adam Boileau & James Wilson
Release Date: March 25, 2026
Duration: ~60 minutes
Overview
This episode dives deep into an exceptionally turbulent week in cybersecurity, focusing on a series of aggressive supply chain attacks by the threat group "Team PCP," which led to compromises in key projects like LiteLLM and prominent security scanners (Trivy, Checkmarx tools). Discussions extend to the fast-evolving risks and realities of AI-assisted attack tooling, cloud controls in enterprise IT, high-profile takedowns, privacy breaches, and a wild series of "skateboarding dog" stories—all delivered with the show's signature blend of banter and industry insight.
Main News Segment
Team PCP’s Supply Chain Rampage
[01:35–05:53]
Key Points:
- Team PCP compromised several high-profile supply chain targets, including the security scanner Trivy and a Checkmarx IaC tool, by inserting credential-stealing malware into GitHub Actions workflows and Docker images.
- They evolved their tooling in real time, likely leveraging AI for rapid development and deployment ("building the plane as they fly it").
- Stole mountains of credentials, including those allowing them to compromise LiteLLM (90+ million downloads/month). For about an hour, anyone installing LiteLLM or downstream packages had their credentials exfiltrated.
- Added a destructive component: a simple "wiper" script deleting data on Iranian machines ("if in Farsi time zone... rm -rf").
- Monetization appears opportunistic (e.g., grabbing crypto wallets), not tied to a traditional ransomware or state-sponsored campaign.
Notable Quotes:
- "They're using a bunch of AI to build as they go... building the plane as they're kind of flying it." — Adam Boileau [01:55]
- “What they're doing with [the stolen credentials] seems to be at the whim of whatever takes their interest on any given day.” — James Wilson [03:23]
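One of the plainest defensive checks against the GitHub Actions and Docker image tampering described above is to refuse mutable references: an action pinned to a tag or branch, or an image pinned to a tag, silently picks up whatever the upstream publishes next, while a full commit SHA or an image digest does not move. The script below is an added example, not code from the podcast or from any of the projects mentioned; it scans a constructed workflow (the action and image names are illustrative placeholders) and reports every reference that is not pinned to a 40-hex commit SHA or a sha256 digest.

```python
import re

# Constructed sample workflow for demonstration only; the action and image
# names are placeholders, and the 40-hex SHA is a made-up value.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container: example/scanner:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/security-scan@main
      - uses: ./.github/actions/local-step
      - uses: docker://example/scanner:1.2.3
      - uses: docker://example/scanner@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full git commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")        # OCI image digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:container|image):\s*['\"]?([^'\"\s#]+)")


def classify_action(ref: str) -> str:
    """Return 'pinned', 'mutable' or 'local' for one `uses:` reference."""
    if ref.startswith(("./", "../")):
        return "local"                        # lives in the repo itself
    if ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(ref) else "mutable"
    if "@" not in ref:
        return "mutable"                      # no version at all
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> list:
    """Return every action or image reference that resolves through a
    mutable tag or branch, in the order it appears in the workflow."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            if classify_action(m.group(1)) == "mutable":
                unpinned.append(m.group(1))
            continue
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            unpinned.append(m.group(1))
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
```

Pinning is not a complete fix (a compromised maintainer can still publish a malicious commit and the next bump pulls it in), but it turns a silent, retroactive swap of an already-trusted version into a visible change in your own repository that review and dependency tooling can catch.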
Novel Command and Control Tactics
[04:53–05:45]
Key Points:
- Team PCP’s novel use of Internet Computer Protocol (a blockchain tech) for bulletproof C2 infrastructure—potentially inspired by LLM suggestions.
- Using blockchains for C2 now provides affordable "bulletproof" hosting for adversaries.
Quote:
- “It is a deep cut that an AI model would absolutely suggest, right?” — Patrick Gray [05:45]
AI Agent Security – OpenClaw & Claude
[05:53–10:46]
Key Points:
- Discussion of AI agents like OpenClaw, and Anthropic’s newly announced Claude agent, which lets cloud LLMs control local computers.
- Acknowledged utility for productivity, but grave concern about risks and the shifting norms of endpoint security.
- The tension between the need to use these tools (“definition of acceptable will change”) and their inherent unpredictability.
- Teaser for an upcoming podcast where James converses with Claude about exploit development.
Quotes:
- “Anthropic turns around and says, ‘Hold my beer, we're going to productize this for the masses.’” — James Wilson [06:57]
- “There's no way to make it okay. So it's just going to have to be okay enough.” — Adam Boileau [09:30]
Security of Supply Chain Tools & False Claims
[12:33–13:04]
- A pro-Iran hacktivist group claims a massive 375TB data breach at Lockheed Martin, including F-35 blueprints; hosts and guests dismiss it as something that “doesn’t pass the sniff test” (flimsy evidence, likely overblown).
Intune Admin Controls After Striker Breach
[13:04–16:19]
Key Points:
- CISA is urging orgs to implement dual-key (dual admin) controls for sensitive operations in systems like Intune following the Striker breach, where rapid, easy “nine click” credential use let attackers wipe entire environments.
- Dual control is an extra hurdle, not a panacea, but critical for signal-rich detection.
Quotes:
- “Don’t think about turning things on like this as a complete mitigation... just one of many things to make it harder for attackers.” — James Wilson [14:05]
- “With LLMs these days, navigating through the Microsoft ecosystem… you just ask Claude to help you out and it'll probably find a way.” — Adam Boileau [15:29]
Raining iOS Exploit Kits: Karuna & DarkSword
[18:41–21:36]
Key Points:
- Second high-quality iOS exploit kit (DarkSword) surfaced on GitHub, following the earlier Karuna kit.
- Traceable lineage and modifications visible—a “dollar store” fate for once-premium exploits.
- Analogy: a “mint ‘80s BMW M3 is now a paddock basher”—high-grade tools ending up widely abused for low-level criminal activity.
Quotes:
- “It’s just a really sad end for something that was really beautiful once upon a time.” — Patrick Gray [19:12]
Apple’s Silent Security Updates Go Next-Level
[22:57–24:49]
Key Points:
- Apple now rolling out background (“Code Red”) updates to iPhones, iPads, and Macs—enabling security fixes (like for Safari/WebKit bugs) that can install with only a quick restart, a feature James Wilson helped architect.
- Has evolved from old Mac App Store update days into granular, rapid-response capability.
Russian Mobile Internet Blackouts & Ukraine War Update
[25:01–26:40]
- Mobile internet fully cut in St Petersburg; speculation whether this is drone defense or Kremlin paranoia.
- Ukrainian tactics shift to targeting Russian soldiers directly with new success.
Moxie Marlinspike, Meta, and AI Cryptography
[26:40–29:56]
Key Points:
- Moxie Marlinspike’s (Signal founder) new effort (“Confer”) applies chat privacy and crypto concepts to AI models on platforms like Meta.
- Hosts skeptical—“end-to-end” means little when one end is a corporate LLM in someone else’s infra; challenge is to ensure operators can't access user data.
Law Enforcement Tipster Platform Breach
[31:48–34:06]
Key Points:
- Crime Stoppers-style tip platform was compromised; 8 million sensitive, supposedly anonymous tips were stolen, some endangering lives.
- Likely due to a “direct object reference” vulnerability; defenses were weak or absent, so 8 million requests went undetected.
- Modern de-anonymization trivial with 3+ data points, especially aided by AI.
Quote:
- “Being anonymous is not kind of possible anymore.” — James Wilson [34:06]
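The breach pattern described in this segment, a sequential record id that anyone can request, is the classic insecure direct object reference, and the unanswered "8 million requests" question is the detection side of the same problem. The following is an added example (not code from the podcast or from the breached platform; the tip store, tokens and log lines are all constructed here) showing a lookup that trusts the id alone beside one that also demands an unguessable per-submission token, plus a small detector that flags a client sweeping consecutive ids in an access log.

```python
import hmac
import re
import secrets
from collections import defaultdict

# Constructed in-memory tip store. Each tip gets a sequential id (the guessable
# identifier an IDOR exploits) and an unguessable access token handed only to
# the submitter at submission time.
TIPS = {}


def submit_tip(text: str) -> tuple:
    """Store a tip and return (tip_id, token) to the submitter."""
    tip_id = len(TIPS) + 1
    token = secrets.token_urlsafe(32)
    TIPS[tip_id] = {"text": text, "token": token}
    return tip_id, token


def get_tip_vulnerable(tip_id: int):
    """Looks up a tip by its sequential id alone: any client that can count
    can read every tip, which is what lets a whole store be swept."""
    return TIPS.get(tip_id, {}).get("text")


def get_tip_hardened(tip_id: int, token: str):
    """Requires the per-tip token issued at submission; the id by itself
    is useless. compare_digest keeps the check constant-time."""
    tip = TIPS.get(tip_id)
    if tip is None or not hmac.compare_digest(tip["token"].encode(), token.encode()):
        return None
    return tip["text"]


# Constructed access-log lines in a simplified "client path status" format.
SAMPLE_LOG = """\
10.0.0.5 /tips/1 200
10.0.0.5 /tips/2 200
10.0.0.5 /tips/3 200
10.0.0.5 /tips/4 200
10.0.0.5 /tips/5 200
10.0.0.5 /tips/6 200
10.0.0.9 /tips/42 200
10.0.0.7 /tips/7 200
10.0.0.7 /tips/12 200
"""

LOG_RE = re.compile(r"^(\S+)\s+/tips/(\d+)\s+(\d{3})$")


def detect_enumeration(log_text: str, min_requests: int = 5) -> dict:
    """Flag clients that fetched at least `min_requests` distinct tips whose
    ids form a mostly consecutive run (80% or more adjacent pairs differ by 1).
    Returns {client: number_of_distinct_ids_fetched}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in seen.items():
        if len(ids) < min_requests:
            continue
        ordered = sorted(ids)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if consecutive >= (len(ordered) - 1) * 0.8:
            flagged[client] = len(ids)
    return flagged


if __name__ == "__main__":
    tip_id, token = submit_tip("constructed tip text")
    print("vulnerable lookup:", get_tip_vulnerable(tip_id))
    print("hardened lookup, wrong token:", get_tip_hardened(tip_id, "guess"))
    print("sweep detected:", detect_enumeration(SAMPLE_LOG))
```

The token check is the fix; the detector is the compensating control that should have fired long before the eight-millionth request. A real deployment would also rate-limit per client and would never issue sequential ids to begin with, but neither replaces the authorization check itself.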
Botnet Disruptions & Krebs Rule
[34:06–36:46]
Key Points:
- US/Canada/Germany disrupt “Isuru, KimWolf, JackSkid & Mossad” botnets, following Brian Krebs’ multi-part exposés.
- Podcast rule: “If Brian Krebs starts investigating your botnet, it’s time to retire.”
Quote:
- “Krebs on your case—that's just end times. Move on.” — Adam Boileau [36:46]
US Bans Import of Un-FCC-Marked Home Routers
[36:46–39:59]
Key Points:
- US FCC bans import of new consumer-grade routers unless FCC certified.
- Effect seems more protectionist than security-boosting; “Trump world solution” after failed “cyber trust mark” ideas.
- Manufactured routers—even “American” ones—are foreign-made anyway.
Letters of Marque and Google’s Threat Disruption Unit
[40:06–42:02]
Key Points:
- White House officials pour cold water on idea of authorizing “hack-back” or private cyber-offensives via letters of marque.
- Google’s new Threat Disruption Unit focuses on legal takedowns, not offensive operations.
$2.5 Billion Nvidia GPU Smuggling—Supermicro Co-Founder Arrested
[42:02–45:00]
Key Points:
- Supermicro co-founder arrested for large-scale GPU smuggling to China by relabeling fake gear in SE Asia to mask shipments.
- Feds had surveillance on messaging, facilities, and literal participation (hairdryer, label removal) by the billionaire.
Quote:
- “This is a win for customer service. This is a billionaire who’s happy to get his hands dirty.” — Patrick Gray [42:49]
Quick Hits / “Skateboarding Dogs”
[45:00–47:37]
- Breathalyzer Interlock Company Attacked: Outage bricked devices, preventing use by DUI offenders; unintentional positive outcome?
- AI Music Streaming Scam: Perp fleeced $8M by uploading AI-generated music and faking listens on Spotify et al.
- Fake Intel-Laundering: Two Israelis used AI to produce and sell bogus intel to Iran, successfully scamming the regime, but now face espionage charges.
- Used AI image generation for “proof of life” photos.
- “Nothing is real. No one is who they say they are.” — James Wilson [47:01]
Sponsor Interview: Locking Down AI Use with Island Browser
[49:28–63:08]
Guest: Braden Rogers, Island
Key Points:
- Enterprises desperate to control shadow AI use as users seek out personal accounts and preferred models.
- Standard “block” mechanisms (proxy, SASE tools) fail due to SaaS tenancy ambiguity (personal vs. corporate). True controls require visibility at the browser level.
- Island Browser provides granularity: let execs access Gemini, for example, but block uploading corporate data to personal accounts.
- Example: A C-suite exec insisted on unsanctioned Gemini use—Island enforced access to Gemini while strictly blocking company data transfer.
- Tenancy is detected through credential observation, HTTP headers, and DOM parsing as needed.
- End state: Organizations will be multi-AI (Anthropic, Microsoft, Google, OpenAI, vertical-specific tools), so they need directory-like orchestration and user-intent awareness to route access, not just blanket blocks.
Quotes:
- “What they really want is an answer that's not a block page—they want to let [the exec] have access to Gemini, but company data doesn't go there. It's almost impossible physics.” — Braden Rogers [51:15]
- “At the end of the day, [managing AI use] is going to be about directory, provisioning, and context.” — Braden Rogers [61:27]
Memorable Moments & Banter
- Re: Team PCP’s new tools: “It’s like a side quest... just to see if we can mess with Iranians.” — James Wilson [02:40]
- Re: AI agent risks: “This is what we all feared with Copilot—just bolt the LLM in to let it go nuts. But someone else did it.” — Adam Boileau [08:30]
- On Apple background updates: “Having you work with us is like hiring a North Korean defector. Apple doesn’t talk about their engineering.” — Patrick Gray [24:49]
- Fake Intel for Iran: “They managed to drain the IRGC’s crypto and got charged with espionage—ten bucks and a sun hat for their trouble!” — Patrick Gray [47:37]
Additional Resources & Community
- Risky Business Features and Risky Business Bulletin podcasts deliver more interviews and in-depth analysis (search in your podcatcher).
- This week's run sheet includes linked stories, especially on iOS exploit kits and supply chain attacks.
Summary Table of Key Segments and Timestamps
| Segment | Topic | Timestamps (MM:SS) |
|---------|-------|--------------------|
| Team PCP supply chain attacks | Trivy, Checkmarx, LiteLLM compromised | 01:35–05:53 |
| Blockchain C2 via Internet Computer Protocol | Novel threat TTP | 04:53–05:45 |
| AI agent risk (OpenClaw, Claude) | Security & endpoints | 05:53–10:46 |
| Lockheed breach claims / Intune attack | Supply chain/Fake news | 12:33–16:19 |
| iOS exploit kits (Karuna, DarkSword) | Exploit commoditization | 18:41–21:36 |
| Apple silent security updates | Secure, quick patches | 22:57–24:49 |
| Russian mobile internet blackout | Geopolitics | 25:01–26:40 |
| Moxie, Meta, AI crypto | Privacy in LLMs | 26:40–29:56 |
| Law enforcement tip platform breach | Privacy, de-anonymization | 31:48–34:06 |
| Botnet disruption/Krebs | Defensive wins | 34:06–36:46 |
| US router import ban | Policy, protectionism | 36:46–39:59 |
| Letters of marque, Google disruption unit | Policy | 40:06–42:02 |
| Supermicro Nvidia smuggling | Espionage, hardware | 42:02–45:00 |
| “Skateboarding dog” round-up | Light/humor news | 45:00–47:37 |
| Sponsor: Island browser | Controlling AI shadow IT | 49:28–63:08 |
Conclusion
This week’s Risky Business offers a vivid snapshot of a threat landscape defined by rampant supply chain risk, AI-powered mayhem, and a world where security, privacy, and trust boundaries are rapidly shifting—often at the whims of users, attackers, and regulators. The episode delivers a blend of practical advice, technical curiosity, and sardonic observation: essential listening for keeping pace in today’s cyber domain.
