No More Routers In The US - Threat Wire

This week's cybersecurity roundup covers a new cyber threat from Team PCP, an FCC ban on foreign-made routers, a compliance startup accused of fraud, and Cloudflare injecting tracking scripts. Team PCP, claiming to be based in Israel but operating out of Africa, has launched a series of fast-moving cyberattacks. On March 19th, 2026, they injected credential-stealing malware into Trivy, a code scanner by Aqua Security. The initial infiltration used compromised credentials obtained in late February from a misconfigured GitHub Actions environment. Aqua Security had disclosed the incident, but the credential rotation was incomplete. Team PCP exploited this, modifying the Trivy action repo to point to malicious commits, triggering an automated malicious publishing. The Trivy team quickly regained control and removed the malicious versions. Just days later, Team PCP executed a near-identical attack, targeting a static code analysis tool for infrastructure as code. This occurred on March 23rd, using compromised identities to update GitHub action tags, exfiltrate sensitive information, create privileged pods, and install malware. Their next target was Light LLM, an LLM access management and spend tracking tool with over 95 million monthly downloads. Reported by Ender Labs on March 24th, 2026, this software supply chain attack compromised the Light LLM library to include backdoor executions upon import. It harvested SSH tokens, keys, wallets, and ENV files, moved across Kubernetes clusters, and installed persistent backdoors. Malicious versions 1.82.7 and 1.82.8 on the PyPI package indexer were quickly taken down. Other attacks by the group affected GitHub Actions, DockerHub, npm, openvsx, and PyPI. The group's operational cadence was aggressive, with a new target every one to three days: Trivy on March 19th, Canister Worm March 20th-22nd, Tex Marks March 23rd, Light LLM March 24th, and Telnix March 27th. SANS instructor Kenneth Hartman noted the group emerged in 2024, initially exploiting misconfigurations, then pivoted to supply chain attacks in 2025, setting up infrastructure for these combined attacks. On March 23rd, 2026, the FCC announced a ban on all foreign-made consumer routers, citing them as a national security threat. The statement detailed how foreign routers have been exploited by malicious actors to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft. These routers were also implicated in the Vault, Flax, and Salt Typhoon cyberattacks targeting critical US infrastructure. While not all foreign routers are banned, a list of approved and conditionally approved routers exists, along with a process for companies to request evaluation. However, the current approved list is very short and only includes drones, not routers. The speaker expressed personal concern that this ban effectively prohibits nearly all consumer routers, as most electronics manufacturing, including routers, has moved offshore, leaving the US with limited domestic production infrastructure. The formal document mentions plans to develop a strategy for moving manufacturing back to the US, but these plans are still in the conceptual stage. Delve, an MIT-founded compliance startup, has been exposed for allegedly scamming clients and generating fraudulent audit reports. Delve claimed to use "Agentic AI" to accelerate compliance processes. In the new year, clients received an email about an info leak, which led them to collaborate and discover that Delve was not performing actual work. Clients noted the minimal effort required to become "compliant" and the product's lack of real AI, describing it as a "sock 2 template pack with a thin SAS platform wrapper" where users simply adopted and signed templated documents without custom tailoring, AI guidance, or real automation. The expose claims Delve's reports are created by "certification mills" rather than legitimate CPA firms, and that Delve conducts no actual auditing for security compliance. Delve has attempted to refute these claims, but the accusations of stale, reused auto-reports have damaged its reputation. Multiple follow-up articles have been published, with an employee providing screenshots and videos to back up the original report's claims. Finally, a public service announcement for Cloudflare users: Cloudflare has been found injecting tracking scripts into hosted pages. Lucas Herman discovered a Cloudflare Insights tracker on a page hosted through Cloudflare DNS, despite having used Cloudflare for five years. Another user suggested the tracker likely originates from Cloudflare's Web Analytics Real User Measurements. Users concerned about this can disable it, with instructions available in the linked Twitter thread. The comment section included a response from Casey Kennedy regarding OpenClaw, stating discomfort with its broad access requirements in Docker containers, leading to abandonment in favor of Claude's tools. The speaker expressed interest in learning more about which Claude tools were used and why. The speaker also mentioned plans to try running OpenClaw on their Proxmox server for better isolation. The episode concluded with a call for viewer engagement, including content ideas for the channel and suggestions for Defcon coverage.