TeamPCP hitting supply chains, AI agents leveling up
Welcome to the March 2026 edition of the Datadog Security Digest!
This month, AI takes over both the red and blue teams. We're seeing agentic browsers hijacked through calendar invites, prompt injection attacks with real-world impacts, and MCP servers weaponized in creative new ways. On the other side, defenders are fighting back with LLMs of their own—including our team at Datadog, who caught an AI-powered supply chain attack in real time using bewAIre. We've also got a self-replicating worm and a full-on CVSS 10.0 RCE. Let's go!
This newsletter was created by a real person, not a machine. Your curator this month is Daniel Maher.
TeamPCP hits supply chains hard
Throughout the month of March, an attacker group dubbed TeamPCP compromised several high-profile open source projects such as Trivy, KICS, and LiteLLM. We've written up an analysis of this campaign, the impact to the community, and the indicators of compromise. This one is the real deal, and our expectation is that these types of attacks are only going to become more common going forward.
Cloud security
AI-assisted cloud intrusion achieves admin access in 8 minutes
Alessandro Brucato and Michael Clark from Sysdig's Threat Research Team documented a real-world cloud intrusion where a threat actor escalated from exposed S3 bucket credentials to full AWS administrator privileges in a staggeringly short amount of time. The telltale signs of LLM assistance (off-kilter comments in generated code, hallucinated AWS account IDs, references to non-existent GitHub repos) paint a picture of where offensive cloud operations are heading.
AI security
PerplexedBrowser: How Attackers Can Hijack Comet to Takeover your 1Password Vault
Stav Cohen and Michael Bargury from Zenity Labs disclosed PerplexedBrowser (formerly PleaseFix), a family of critical vulnerabilities in agentic browsers, including Perplexity's Comet. One impressive variant enables zero-click compromise through indirect prompt injection embedded in routine content (such as calendar invitations), granting attackers access to the local file system and the ability to steal credentials from 1Password vaults—and all without exploiting the password manager itself! The moral of the story: when your browser is also an agent, the blast radius of a prompt injection gets a lot bigger.
Fooling AI agents: Indirect prompt injection observed in the wild
Unit 42 documents the first real-world observations of indirect prompt injection (IDPI) attacks targeting AI agents through weaponized web content. The research catalogs 22 distinct techniques for embedding malicious prompts in webpages—from visual concealment to dynamic execution—with case studies covering AI ad review bypasses, SEO poisoning, data destruction, and unauthorized transactions. What was just a few months ago a theoretical risk is now an empirically observed exploit vector.
Poison everywhere: When MCP tool outputs become the attack vector
Simcha Kosman from CyberArk Labs shows that MCP tool poisoning extends well beyond malicious tool descriptions. Switching things up, the research introduces attacks targeting tool outputs. By injecting invisible zero-width characters into responses and crafting fake error messages, the attacks trick the LLM into requesting sensitive data like SSH keys. These output-based attacks are particularly concerning because they largely evade the static analysis approaches that defenders have traditionally relied on.
Application security
Ni8mare: Unauthenticated RCE in n8n (CVE-2026-21858)
Dor Attias from Cyera Research Labs found a CVSS 10.0 unauthenticated RCE in the popular workflow automation platform n8n, affecting roughly 100,000 servers. The vulnerability exploits a content-type confusion where webhook handlers access an internal variable without validating the content type, enabling an attack chain from arbitrary file read to admin session forgery to full code execution. Thankfully n8n patched it, but it's an interesting deep dive nonetheless.
Chrome CSS zero-day exploited in the wild (CVE-2026-2441)
CVE-2026-2441 details a vulnerability in Chrome's CSS font feature handling that allowed access to sensitive DOM content. Briefly, Chrome loops over font feature values while modifying the set, leaving the iterator pointing at freed memory. Reported by independent researcher Shaheen Fazim on February 11 and patched just two days later, this was the first Chrome zero-day of 2026 and was actively exploited in the wild before the fix landed.
Supply chain security
bewAIre vs. hackerbot-claw: Catching an AI-powered supply chain attack in the wild
Christoph Hamsen, Kylian Serrania, and Christophe Tafani-Dereeper from Datadog document both sides of a real-world attack: hackerbot-claw, an autonomous agent claiming to run on Claude Opus 4.5, targeted open source repos in late February with two vectors—a PR-based shell injection using ${IFS} obfuscation to download a remote payload, and a prompt injection via GitHub issues aimed at the claude-code-action workflow. bewAIre, Datadog's LLM-powered PR review system, flagged the malicious pull request within seconds of submission. Defense-in-depth controls—branch protection rules, minimal token scopes, and an absence of critical secrets in the vulnerable workflows—kept the attack from landing. It's a rare full-loop post: the attackers were documented in real time by the defenders who stopped them.
Clinejection: Compromising Cline's production releases via prompt injection
Adnan Khan demonstrated a five-step attack chain that exploited a prompt injection vulnerability in Cline's AI-powered GitHub issue triage bot. By embedding a malicious instruction in a GitHub issue title, an attacker could trick the AI agent into executing arbitrary code on the default branch, compromising production releases. Soon afterwards, an unknown actor weaponized the flaw, publishing a trojanized Cline CLI to npm that (somewhat bafflingly) installed the OpenClaw AI agent on roughly 4,000 developer machines. It'll be interesting to see where this one goes...
SANDWORM_MODE: Self-replicating npm worm targets AI toolchains
Peter van der Zee and Philipp Burckhardt from Socket uncovered a self-replicating npm worm spread through at least 19 typosquatted packages. Beyond the expected tricks (time-gated execution, multi-channel exfiltration, git hook persistence), what sets this one apart is its AI toolchain poisoning module, which injects MCP server configurations with embedded prompt injections targeting AI coding assistants. The tl;dr? Supply chain attacks are evolving to target the tools that write our code.
Community events and talks
Videos for [un]prompted are out
[un]prompted, the AI security conference which took place in early March, has released a YouTube playlist with recordings of all the talks. Highlights include our own Arthi Nagarajan explaining how her team built an internal threat hunting agent at Datadog.
CypherCon 2026
Our resident MacOS security expert Olivia Gallucci will be at CypherCon on April 1–2 with a deep dive into Grand Central Dispatch, the asynchronous execution framework in macOS. Real bugs, demonstrable sandbox breakouts, fun with telemetry, and more!
AWS Summit Paris 2026
Parlez-vous sécurité de la chaîne logistique ? Join our own Daniel Maher at AWS Summit Paris on April 1 to learn more about how to secure your software supply chain using AWS CodeArtifact and Datadog Code Security.
fwd:cloudsec Europe 2026
One of the premier events for modern cloud security, fwd:cloudsec Europe is looking for proposals for their 2026 edition, to be held in London, UK in September. They want to hear from practitioners directly and are particularly interested in hearing things that wouldn't make the stage at another cloud or security conference. See you there!