The update to the TeamPCP supply chain campaign report notes that the Checkmarx ast-github-action compromise was far broader than publicly reported, with all 91 published tags overwritten from v0.1-alpha to v2.3.32, according to primary evidence seen in the GitHub activity log between 19:09 and 19:16 UTC on 23 March 2026.
It also records that CISA has added CVE-2026-33634 to the Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of 3 April 2026 for federal agencies and specific guidance for Trivy-related components. Additionally, the PyPI quarantine on LiteLLM was lifted on 25 March, but malicious versions 1.82.7 and 1.82.8 were yanked and a pause on new LiteLLM releases was announced pending a security review, with the last known safe version being 1.82.6.rc.2.
The piece also introduces two community detection tools aimed at identifying affected environments and compromised LiteLLM versions, and it situates these findings within broader coverage of TeamPCP and related activity. Published 26 March 2026, by Kenneth Hartman.
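
A minimal exposure check built only from the identifiers in this summary, added here as an example and not one of the community tools the report introduces: it flags workflow steps that reference `Checkmarx/ast-github-action` by a mutable tag or branch, and requirements lines pinned to the yanked LiteLLM versions. The function names and sample inputs are constructed for illustration.

```python
import re

# Values taken from the report above.
ACTION = "checkmarx/ast-github-action"
BAD_LITELLM = {"1.82.7", "1.82.8"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.I)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PIN_RE = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.I)


def audit_workflow(text):
    """Return (line_no, ref) for each use of ACTION not pinned to a full commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        name, _, ref = m.group(1).partition("@")
        if name.lower() != ACTION:
            continue
        # Tags and branches are mutable, so an overwritten tag changes what runs.
        if not FULL_SHA_RE.match(ref.lower()):
            findings.append((no, ref or "<no ref>"))
    return findings


def audit_requirements(text):
    """Return (line_no, version) for each exact pin to a malicious LiteLLM release."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and m.group(1) in BAD_LITELLM:
            findings.append((no, m.group(1)))
    return findings


# Constructed sample inputs (not taken from any real repository).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: Checkmarx/ast-github-action@v2.3.32
  - uses: checkmarx/ast-github-action@0123456789abcdef0123456789abcdef01234567
  - uses: Checkmarx/ast-github-action@main  # branch ref
"""
SAMPLE_REQUIREMENTS = "requests==2.32.3\nlitellm==1.82.8\nlitellm[proxy]==1.82.6\n"

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW), audit_requirements(SAMPLE_REQUIREMENTS))
```

A step pinned to a 40-character SHA is only unaffected by the tag overwrite itself; the SHA still has to be compared against a known-good commit, which this summary does not list.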