Attackers started exploiting a critical Langflow vulnerability within 20 hours of disclosure, no proof-of-concept needed. And the same week, a threat group called TeamPCP compromised legit Python packages used across the AI stack. If you're building agents, your supply chain is under siege.
What happened with Langflow
CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, 2026. The flaw carries a CVSS score of 9.3 and allows unauthenticated remote code execution on Langflow instances version 1.8.1 and earlier.
The attack surface is almost comically bad. The /api/v1/build_public_tmp/{flow_id}/flow endpoint, designed to let users build public flows without auth, accepts a data parameter containing arbitrary Python code in node definitions. That code gets passed straight to exec() with zero sandboxing. One HTTP POST request. Full RCE. No login required.
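Because the vulnerable path is fixed and the request is a plain POST, the fastest retroactive check is to grep proxy or Langflow access logs for hits on that endpoint and group them by client. The script below is an added example written for this article, not Langflow code or any vendor's tooling; the log format (common/combined style) and the log lines are constructed, and the flow ids are placeholders.

```python
"""Flag access-log entries that hit Langflow's unauthenticated public-build
endpoint named in the CVE-2026-33017 advisory, and count them per client.
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import Counter

# The endpoint path from the advisory: /api/v1/build_public_tmp/{flow_id}/flow
BUILD_PUBLIC_TMP = re.compile(r"/api/v1/build_public_tmp/[^/\s]+/flow")

# Common log format: client ip, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: ordinary UI traffic plus two POSTs to the vulnerable endpoint
# from one external address. The 405 is a GET, which the endpoint does not serve.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2026:03:14:07 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 8123
198.51.100.23 - - [18/Mar/2026:03:14:09 +0000] "POST /api/v1/build_public_tmp/1b4c4d6e-0000-4000-8000-000000000001/flow HTTP/1.1" 200 512
10.0.0.5 - - [18/Mar/2026:03:15:00 +0000] "GET /api/v1/build_public_tmp/1b4c4d6e-0000-4000-8000-000000000001/flow HTTP/1.1" 405 0
198.51.100.23 - - [18/Mar/2026:03:15:41 +0000] "POST /api/v1/build_public_tmp/deadbeef/flow HTTP/1.1" 500 77
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_build_public_hits(log_text, methods=("POST",)):
    """Return parsed entries whose path is the public-build endpoint and whose
    method is one of `methods` (POST by default, the method the advisory describes)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] in methods and BUILD_PUBLIC_TMP.search(entry["path"]):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count hits per client IP; a scanner or exploit attempt stands out as one
    address repeatedly posting to the endpoint, often with mixed status codes."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_build_public_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    for ip, n in summarize_by_source(hits).most_common():
        print(f"{ip}: {n} POST(s) to build_public_tmp")
```

A 200 on a POST to this path on an unpatched instance means the submitted flow was built, so treat any such source as a reason to rotate the secrets the article lists, not merely as noise to filter.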
Security researcher Aviral Srivastava, who reported the flaw on February 26, described exploitation as "extremely easy," requiring nothing more than a curl command with malicious Python in the JSON payload.
According to Sysdig, automated scanning started 20 hours after the advisory dropped on March 17. Custom Python scripts appeared at the 21-hour mark. By hour 24, attackers were already harvesting .env and .db files from compromised instances. No public PoC existed at any point during this timeline. According to Endor Labs, attackers built working exploits directly from the advisory description.
This is the second year in a row CISA has flagged active Langflow exploitation. In May 2025, CVE-2025-3248 hit the KEV catalog for a similar unauthenticated RCE via a different endpoint. Langflow has 145,000 GitHub stars and is widely used for building AI agent pipelines through its drag-and-drop interface. That popularity is exactly the problem: lots of exposed instances, many run by teams that don't patch fast.
CISA gave federal agencies until April 8 to patch or stop using the product.
TeamPCP's supply chain campaign is accelerating
While Langflow was getting hammered, a separate but equally concerning story unfolded on PyPI.
A threat group tracked as TeamPCP published malicious versions 4.87.1 and 4.87.2 of the telnyx Python package on March 27, 2026. The legitimate telnyx SDK (a telephony API client) was compromised, not typo-squatted. This is the real package, with real users, getting poisoned.
The attack used audio steganography to hide payloads inside .WAV files downloaded from a command-and-control server, a technique designed to evade network inspection and EDR. On Windows, the malware dropped a persistent executable disguised as msbuild.exe in the Startup folder. On Linux and macOS, it ran a smash-and-grab credential harvester that collected everything of value, exfiltrated it as tpcp.tar.gz, then recursively deleted itself.
According to reports from Aikido, Socket, and Endor Labs, this was TeamPCP's third PyPI strike in eight days. The timeline, according to Datadog Security Labs:
- March 19: Compromised Trivy (the container security scanner), pushing a malicious v0.69.4 release and hijacking GitHub Actions tags across Aqua Security repositories
- March 20-22: Deployed a self-propagating npm worm across 40+ packages, then pivoted to Kubernetes-focused payloads that included a destructive wiper targeting Iranian systems
- March 23: Compromised Checkmarx KICS GitHub Actions and OpenVSX extensions
- March 24: Backdoored litellm, the popular LLM API proxy layer, publishing versions 1.82.7 and 1.82.8 on PyPI
- March 27: Hit telnyx
Endor Labs researchers believe the telnyx compromise was a downstream consequence of the litellm attack. TeamPCP's credential harvester swept environment variables, .env files, and shell histories from every system that imported litellm. If any developer or CI pipeline had both litellm installed and access to the telnyx PyPI token, that token was already compromised.
Telnyx confirmed in a security notice that only users who installed or upgraded between 03:51 UTC and 10:13 UTC on March 27 were affected, and that their infrastructure was not breached.
Why this matters for anyone building with AI
The pattern here should worry every engineering team running AI workloads.
TeamPCP's target selection is deliberate: Trivy (container scanning), KICS (infrastructure scanning), litellm (LLM API routing), telnyx (telephony API). These are tools with elevated access to automated pipelines, as Snyk noted in their analysis. Each compromise feeds the next: credentials stolen from one package unlock publishing access to another.
Meanwhile, the Langflow situation shows that AI development tools are landing in attacker crosshairs because they sit on valuable data (API keys, database credentials, cloud secrets) and are often exposed to the internet with minimal hardening.
The median time from vulnerability disclosure to exploitation has collapsed. According to Rapid7's 2026 Global Threat Landscape Report, the median time from publication to KEV inclusion dropped from 8.5 to five days over the past year. The median patch deployment time for organizations is still around 20 days. That gap is where attackers live.
Anthropic recently withheld its most powerful model over cybersecurity concerns, but the threat to AI development isn't hypothetical frontier model risk. It's your pip install pulling a backdoored package at 4 AM in a CI runner.
What we don't know yet
- Whether the Langflow exploitation and TeamPCP campaign are connected, or just coincidental timing against AI tooling
- The full scope of credentials TeamPCP harvested from litellm users, and how many downstream packages beyond telnyx may be compromised
- Who is behind the Langflow exploitation specifically (CISA did not attribute the attacks or mark them as ransomware-related)
What to do right now
If you use Langflow: Upgrade to version 1.9.0 or later immediately. Do not expose it to the public internet. Rotate all API keys, database credentials, and cloud secrets on any instance that was reachable externally. Check for outbound connections to 173.212.205[.]251:8443.
If you use litellm or telnyx: Pin to known-good versions (litellm pre-1.82.7, telnyx 4.87.0). Treat any host or CI job that installed the compromised versions as a full credential-exposure event. Audit for persistence mechanisms, especially on Windows.
If you use Trivy or KICS: Check the Aqua Security advisory and verify your GitHub Actions pins.
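The two PyPI checks above (pin to known-good versions, treat any install of the bad releases as a credential-exposure event) reduce to a version audit of what a host actually has installed and what its requirements file would pull in. The script below is an added example written for this article, not code from Telnyx, the litellm project or any vendor; it encodes only the compromised versions the article names, the requirements text is constructed, and the "review" label for versions newer than the advisory is this example's own convention.

```python
"""Audit installed packages and a requirements file against the compromised
PyPI releases named in the article: litellm 1.82.7/1.82.8, telnyx 4.87.1/4.87.2.
Added example, not vendor code; the sample requirements below are constructed."""
import re
from importlib import metadata

# Known-bad releases from the article. Trivy v0.69.4 is a Go binary, not a PyPI
# package, so it is out of scope for a pip-level audit.
COMPROMISED = {
    "litellm": {"1.82.7", "1.82.8"},
    "telnyx": {"4.87.1", "4.87.2"},
}

# name, optional operator, optional version; environment markers and comments are ignored
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")

# Constructed requirements.txt for a small agent service
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
requests==2.32.3
litellm==1.82.8
telnyx>=4.87.0
"""


def normalize(name):
    """PyPI names compare case-insensitively with '_' and '-' treated alike."""
    return name.lower().replace("_", "-")


def parse_version(v):
    """Leading dotted numeric part of a version as a tuple, e.g. '1.82.7' -> (1, 82, 7).
    Assumption: pre-release suffixes are dropped, which is fine for these packages."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(name, version):
    """'compromised' for a listed bad release, 'ok' for anything older than the
    first bad release (the article's known-good pins), 'review' for anything newer."""
    bad = COMPROMISED[normalize(name)]
    if version in bad:
        return "compromised"
    first_bad = min(parse_version(v) for v in bad)
    return "ok" if parse_version(version) < first_bad else "review"


def audit_requirements(text):
    """Return (package, version, verdict) for every covered package in a requirements
    file. Only '==' pins can be judged; other specifiers are reported as 'unpinned'."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        key = normalize(name)
        if key not in COMPROMISED:
            continue
        if op != "==":
            findings.append((key, ver or "*", "unpinned"))
        else:
            findings.append((key, ver, classify(key, ver)))
    return findings


def audit_installed():
    """Check the covered packages actually installed in this interpreter;
    empty if neither is present."""
    findings = []
    for name in COMPROMISED:
        try:
            ver = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        findings.append((name, ver, classify(name, ver)))
    return findings


if __name__ == "__main__":
    for pkg, ver, verdict in audit_requirements(SAMPLE_REQUIREMENTS) + audit_installed():
        print(f"{pkg:10} {ver:10} {verdict}")
```

Run it inside each virtualenv and CI image rather than once on a workstation: the article's point is that the exposure happened wherever the bad release was installed, and a `>=` specifier in a lock-less requirements file is exactly what lets a poisoned release in at 4 AM.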
The time-to-hello-world for exploiting these flaws was measured in hours. The time-to-patch for most organizations is measured in weeks. That math only works in the attacker's favor.
Leon Vasquez covers developer tools and infrastructure for The Daily Vibe.