The Attacks That Defined a New Tempo

Five major open-source ecosystems were compromised in 30 days, not by one actor but by at least four, operating independently across three continents.

  • TeamPCP hit Trivy, Checkmarx KICS, LiteLLM, and Telnyx in a cascading supply chain operation that turned trusted security tools into credential harvesters.

  • North Korea's UNC1069 backdoored the Axios npm package—used by 100 million developers weekly—with a cross-platform remote access trojan.

  • Lapsus$ exfiltrated 2.66 gigabytes of AstraZeneca data using stolen credentials and released it publicly.

  • ShinyHunters breached the European Commission's AWS infrastructure and forced systems offline.

  • Cisco confirmed source code theft from 300 internal repositories, and Databricks launched an investigation.

  • The Vect ransomware group distributed affiliate keys to roughly 300,000 BreachForums members, and the first confirmed deployment using those credentials has already occurred.

  • CISA confirmed active exploitation of a critical remote code execution flaw in Langflow, while vulnerabilities in LangChain, LangGraph, and ChatGPT exposed cloud tokens and AI conversation history.

  • A security researcher breached McKinsey's internal AI chatbot in under two hours through SQL injection, a technique from the 1990s, accessing 46 million chat messages and 700,000 confidential files.

  • Nike disclosed a 1.4-terabyte breach attributed to the WorldLeaks ransomware group.

This is not a spike. Software supply chain attacks more than doubled in 2025. Global losses reached $60 billion and are projected to hit $80 billion in 2026. Over 70% of enterprise cloud environments experienced at least one supply chain or third-party incident last year. The security architecture that most enterprises spent the past decade building was not designed for any of it.

The Assumption That Broke

The cybersecurity industry spent more than two decades and well over $200 billion building around one foundational assumption: threats come from untrusted entities trying to get in. Every major security category of the past fifteen years, from Zero Trust Network Access and SASE to next-generation firewalls and endpoint detection, was built to answer one question: Should this entity be allowed to access this resource?

This was the right question for its era. The workforce went remote, SaaS proliferated, and the industry wrapped security around the user: verify identity, inspect traffic, control access, monitor behavior. User-Centric Zero Trust won the decade, and it worked.

But what happens when the threat is already inside, not because it bypassed your defenses, but because it arrived as trusted code running on a trusted host? There is no boundary to cross. No user to authenticate. The malicious code runs as a first-class citizen in your infrastructure, indistinguishable from every other workload your platform team deployed this week. That is the attack model that Q1 2026 made operational at scale.

How the New Attack Model Works

Consider LiteLLM, the AI gateway proxy used by 36% of enterprise cloud environments at the time of compromise.

  • On March 24, TeamPCP published a malicious version to PyPI, the Python package registry. The poisoned package planted a .pth file, a Python path-configuration file whose import lines the interpreter runs automatically at every Python process startup, regardless of whether LiteLLM is ever imported.

  • Within three hours, roughly 40,000 environments had pulled the compromised version, and the payload harvested environment variables, Kubernetes configurations, and cloud tokens, then sent them to attacker-controlled infrastructure.

It was not a vulnerability that required exploitation—it was a trusted package, installed through a trusted channel, running with the same permissions as everything else in the environment. Now ask: where in the traditional security stack would this have been stopped?
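The .pth mechanism described above is easy to audit on a host. The following script is an added example, not code from the page or from any of the projects it names; it walks the interpreter's site-packages directories and reports every .pth line that site.py would pass to exec(). The demo directory and its two files are constructed sample input.

```python
"""Audit .pth files for lines the interpreter will execute at startup.
site.py reads every *.pth in each site-packages directory when Python starts:
plain lines are appended to sys.path, but a line beginning with "import " or
"import\t" is passed to exec(), whether or not the owning package is imported."""
import os
import site
import tempfile
from dataclasses import dataclass

@dataclass
class PthFinding:
    path: str
    lineno: int
    line: str

def scan_pth_file(path: str) -> list:
    """Return the lines of one .pth file that site.py would exec()."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, start=1):
            line = raw.rstrip("\r\n")
            if line.startswith(("import ", "import\t")):
                found.append(PthFinding(path, lineno, line))
    return found

def scan_site_dirs(dirs=None) -> list:
    """Scan every .pth in the given dirs (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    found = []
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".pth"):
                    found.extend(scan_pth_file(os.path.join(d, name)))
    return found

def demo_dir() -> str:
    """Constructed site-packages dir: one ordinary .pth and one carrying a hook line."""
    d = tempfile.mkdtemp()
    files = {"easy-install.pth": "./somepkg-1.0-py3.12.egg\n",
             "suspicious.pth": "# constructed sample\nimport os; os.environ.get('HOME')\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    # setuptools' distutils-precedence.pth and virtualenv's _virtualenv.pth use
    # import lines legitimately, so each finding needs review rather than deletion.
    for f in scan_site_dirs([demo_dir()]):
        print(f"{f.path}:{f.lineno}: {f.line}")
```

Run it with no arguments to scan the live interpreter; on a clean system the only hits should be the well-known setuptools and virtualenv files.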

  • No user authenticated to pull the package—a CI/CD pipeline did. Your ZTNA, SASE proxy, and endpoint detection tools are built for user-initiated traffic and had no visibility into an automated pipeline pulling a compromised dependency.

  • The compromised pod routed outbound through a node NAT gateway, never crossing the transit firewall. The exfiltration happened on a path that centralized chokepoint enforcement was never designed to see.

The only question that mattered in the window between compromise and detection was this: Can this workload reach that destination? That is a question about workload egress governance. For most enterprises, the honest answer is that nobody governs that path.

144 to 1: The Scale of the Blind Spot

In the average enterprise cloud environment, machine identities outnumber human identities by a factor of 144 to 1. That ratio grew 56% in the last twelve months. In the most advanced cloud-native environments, Sysdig reports the ratio reaches 40,000 to 1. Every employee has a managed identity with single sign-on, multi-factor authentication, conditional access policies, and behavioral analytics. Twenty-five years of tooling maturity protect the human side of the identity surface. The machine side tells a different story:

  • 42% of machine identities have privileged or sensitive access; 97% carry excessive privileges; 71% fall outside recommended rotation timelines.

  • 60% of containers live for sixty seconds or less, spinning up, executing, and terminating before most identity governance platforms complete a single evaluation cycle.

There is no MFA for a Kubernetes pod. There is no behavioral baseline for a Lambda function that exists for three seconds. Half of all organizations have already experienced a breach linked to a compromised machine identity. Some 18 million API keys and tokens were found exposed in 2025 alone. The gap is widening at 44% per year.

Why Posture Alone Is Not Enough

In 2025, Google acquired Wiz for $32 billion, the largest cybersecurity acquisition in history. Cloud-Native Application Protection Platforms scan environments for misconfigurations, exposed secrets, vulnerable packages, and identity risks. This is posture management, and it is genuinely valuable. CNAPP tools find problems before attackers do. That matters.

What CNAPP was not designed to do — and this is an architectural distinction, not a criticism — is stop a compromised workload from reaching an attacker’s endpoint in the window before the scanner catches up. Wiz would have eventually flagged LiteLLM 1.82.8 in your environment, after the CVE was catalogued, after the next scan cycle, after the finding was triaged. It would not have stopped the .pth file from exfiltrating credentials in that three-hour window. In both the LiteLLM and Axios compromises, the damage was done before any scanner could have intervened.

Posture tells you what is wrong. Enforcement stops what is happening. These are different capabilities, operating at different points in the kill chain. The industry built the best answer to "do you have a problem?" It has not yet built a widely deployed answer to "can the compromised workload reach its destination right now?"

"We Have Egress Filtering"

Every security leader gives this response, and it deserves a precise answer. The question is not whether you have egress filtering. The question is what percentage of your workload traffic that filtering actually governs.

PrivateLink endpoints, VPC peering to island VPCs, and load balancers with public IPs all create outbound data paths that bypass the transit inspection point entirely. These are not misconfigurations — they are standard cloud networking constructs that create egress channels no centralized firewall governs.

Kubernetes pod egress routes outbound through node NAT gateways, not through your transit firewall. Serverless functions execute in provider-managed environments and exit through provider-managed NAT, never crossing your network. East-west traffic between VPCs often travels via direct peering without touching a centralized inspection point at all. 96% of lateral movement goes undetected by traditional SIEM tools, not because detection failed, but because the traffic was architecturally invisible.

If enforcement lives at a chokepoint, it governs only the traffic that crosses that chokepoint. Workload-level enforcement governs every path from every pod, every function, every VPC, and every region, applied once and propagated universally, with no gaps.

What One Enterprise Proved

A Fortune Global 500 company with $46 billion in revenue, 580,000 employees, and operations across 30 countries was running LiteLLM in their AI development environment when the TeamPCP compromise occurred. Their security administrator added the four known command-and-control IP addresses to the Global IP Blocklist in the Aviatrix Distributed Cloud Firewall. One policy update propagated to every gateway across their entire cloud footprint at once. Within minutes, DENY logs appeared as compromised pods attempted to reach the C2 endpoints, and every attempt was blocked. Zero credentials were exfiltrated.

The administrator did not need to know what those IP addresses were connected to at the time. They received threat intelligence, applied one policy, and the architecture did the rest. The block worked because enforcement lived at the workload, not at a chokepoint the compromised pods never would have crossed. Every DENY entry became a forensic record, logging which pod, which IP, and which time, so the security team could scope their credential rotation with precision.
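The forensic value of those DENY entries is that they scope the response. The script below is an added example, not Aviatrix code and not the Aviatrix log format: it parses constructed key=value log lines, keeps only DENYs aimed at a blocklisted destination, and groups them per pod so the team knows whose credentials to rotate and when the first blocked attempt occurred. The C2 addresses are RFC 5737 documentation IPs standing in for the four real ones, which this page does not list.

```python
"""Turn workload-level DENY logs into a credential-rotation scope.
Each DENY entry records which pod, which IP and when; grouping them per pod
tells the responder whose credentials to rotate and when exposure began."""
from datetime import datetime

# Constructed sample in a hypothetical key=value format (not Aviatrix's own);
# 203.0.113.x / 198.51.100.x are documentation addresses standing in for the
# blocklisted C2 IPs, which this page does not list.
C2_BLOCKLIST = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}
SAMPLE_LOGS = """\
2026-03-24T14:02:11Z action=DENY src_ns=ai-dev src_pod=litellm-proxy-7c9d src_ip=10.12.4.17 dst_ip=203.0.113.10 dst_port=443 rule=global-ip-blocklist
2026-03-24T14:02:13Z action=ALLOW src_ns=ai-dev src_pod=litellm-proxy-7c9d src_ip=10.12.4.17 dst_ip=10.12.9.2 dst_port=5432 rule=allow-db
2026-03-24T14:02:40Z action=DENY src_ns=ai-dev src_pod=litellm-proxy-7c9d src_ip=10.12.4.17 dst_ip=198.51.100.7 dst_port=443 rule=global-ip-blocklist
2026-03-24T14:05:02Z action=DENY src_ns=batch src_pod=etl-worker-2 src_ip=10.12.7.3 dst_ip=203.0.113.11 dst_port=8443 rule=global-ip-blocklist
2026-03-24T14:06:30Z action=DENY src_ns=web src_pod=frontend-1 src_ip=10.12.2.9 dst_ip=192.0.2.55 dst_port=25 rule=deny-smtp
"""

def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def rotation_scope(log_text: str, blocklist: set) -> dict:
    """Group DENY events aimed at a blocklisted C2 IP by (namespace, pod)."""
    scope = {}
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        # DENYs to non-blocklisted destinations (the SMTP one) are policy noise,
        # not evidence of C2 contact, so they stay out of the rotation scope.
        if rec["action"] != "DENY" or rec["dst_ip"] not in blocklist:
            continue
        key = (rec["src_ns"], rec["src_pod"])
        e = scope.setdefault(key, {"src_ip": rec["src_ip"], "attempts": 0,
                                   "first_seen": rec["ts"], "last_seen": rec["ts"],
                                   "destinations": set()})
        e["attempts"] += 1
        e["first_seen"] = min(e["first_seen"], rec["ts"])
        e["last_seen"] = max(e["last_seen"], rec["ts"])
        e["destinations"].add(rec["dst_ip"])
    return scope

if __name__ == "__main__":
    for (ns, pod), e in sorted(rotation_scope(SAMPLE_LOGS, C2_BLOCKLIST).items()):
        print(f"rotate credentials for {ns}/{pod} ({e['src_ip']}): "
              f"{e['attempts']} blocked attempts, first {e['first_seen']:%H:%M:%S}, "
              f"last {e['last_seen']:%H:%M:%S}, to {sorted(e['destinations'])}")
```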

This is what workload-centric Zero Trust looks like in operation.

The Question Every CISO Should Be Asking

The attack model has changed. The adversary is trusted code, running inside your infrastructure, communicating outbound through paths your security stack was never designed to govern. Five ecosystems compromised in thirty days. Multiple nation-states. A ransomware affiliate program with 300,000 members.

The security industry built a $200 billion architecture to protect users. That architecture is necessary. But for every human identity it governs, there are 144 machine identities it does not: ephemeral, privileged, and communicating through paths that bypass every user-centric control in the stack. CNAPP will find the vulnerability. Your transit firewall will filter egress for the traffic it can see.

There is one question that now defines security posture: Does our enforcement govern every path a workload can take to any destination?

If that answer requires qualifications, whether for pods, for serverless functions, for east-west traffic, or for regions where policy has not yet propagated, the answer is functionally no.

Zero Trust was the right idea. The industry built it for the wrong surface first. The Detection Era answered the question of the last fifteen years: can we find the attacker before the damage is done? The Containment Era answers the question of the next fifteen: when detection misses, what can the attacker reach? Containment does not replace detection. It is the precondition that makes detection effective — by bounding the blast radius first, then identifying and eliminating the threat within a governed space. It is time to build Zero Trust for the surface that is actually under attack.

Curious about what hidden attack paths exist between your cloud workloads? Take our free Workload Attack Path Assessment.

Learn more about Aviatrix Zero Trust for Workloads.

References

Bitdefender, “Lapsus$ claims AstraZeneca breach exposes code and credentials,” March 26, 2026, https://www.bitdefender.com/en-us/blog/hotforsecurity/lapsus-astrazeneca-breach.

Bleeping Computer, “Cisco source code stolen in Trivy-linked dev environment breach,” March 31, 2026, https://www.bleepingcomputer.com/news/security/cisco-source-code-stolen-in-trivy-linked-dev-environment-breach/.

CSA Singapore, “Advisory on Axios Supply Chain Attack via Compromised npm Account,” April 1, 2026, https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2026-002/.

CSO Online, “OpenAI patches twin leaks as Codex slips and ChatGPT spills,” March 31, 2026, https://www.csoonline.com/article/4152393/openai-patches-twin-leaks-as-codex-slips-and-chatgpt-spills.html.

CSO Online, “71% of CISOs hit with third-party security incident this year,” September 9, 2025, https://www.csoonline.com/article/4051668/71-of-cisos-hit-with-third-party-security-incident-this-year.html.

CSO Online, “Why non-human identities are your biggest security blind spot in 2026,” February 2, 2026, https://www.csoonline.com/article/4125156/why-non-human-identities-are-your-biggest-security-blind-spot-in-2026.html.

CVE, “CVE-2026-33017,” updated March 20, 2026, http://cve.org/CVERecord?id=CVE-2026-33017.

Cybercrime Magazine, “Software Supply Chain Risk: The Growing Threat Landscape,” March 2, 2026, https://cybersecurityventures.com/software-supply-chain-risk-the-growing-threat-landscape/.

Dark Reading, “WorldLeaks Extortion Group Claims It Stole 1.4TB of Nike Data,” January 27, 2026, https://www.darkreading.com/cyberattacks-data-breaches/worldeaks-extortion-group-stole-1-4tb-nike-data.

The Hacker News, “LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks,” March 27, 2026, https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html.

Mandiant, “North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack,” March 31, 2026, https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/.

Obsidian Security, “What Are Machine Identities? Security Risks & Management Guide,” updated February 16, 2026, https://www.obsidiansecurity.com/blog/what-are-machine-identities-security-risks-management.

The Register, “AI vs AI: Agent hacked McKinsey's chatbot and gained full read-write access in just two hours,” March 9, 2026, https://www.theregister.com/2026/03/09/mckinsey_ai_chatbot_hacked/.

The Security Ledger, “SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft,” March 19, 2026, https://securityledger.com/2026/03/spyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft/.

SecurityWeek, “European Commission Reports Cyber Intrusion and Data Theft,” March 30, 2026, https://www.securityweek.com/european-commission-reports-cyber-intrusion-and-data-theft/.

SC Media, “Non-human identities vastly outpace human accounts by 144:1,” July 23, 2025, https://www.scworld.com/news/nhis-outpace-human-accounts-by-1441.

Sysdig, “Sysdig Usage Report Reveals that Machine Identities Outnumber Humans 40,000 to 1, Presenting a Major Challenge to Enterprise Security,” March 12, 2026, https://www.sysdig.com/press-releases/2025-usage-report.

Technology Magazine, “How Rise in Machine Identities Creates Risks for Enterprises,” June 9, 2025, https://technologymagazine.com/articles/how-rise-in-machine-identities-creates-risks-for-enterprises.

TrendMicro, “Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise,” March 26, 2026, https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html.
