Carlini's unprompted talk is one source: https://www.youtube.com/watch?t=204&v=1sd26pWhfmg

We haven't blogged this yet, but a variety of teams found this in parallel.

The packages are quarantined by PyPi

Follow the overall incident: https://ramimac.me/teampcp/#phase-10

Aikido/Charlie with a very quick blog: https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-...

ReversingLabs, JFrog also made parallel reports

I'm glad there's many teams with automated scans of pypi and npm running. It elevates the challenge of making a backdoor that can survive for any length of time.

Ramimac, has there been any action on having the c2 server's ip address being blacklisted?

The blast radius of TeamPCP just keeps on increasing...

It's a spam flood by the attacker to complicate information sharing[1]. They did the same thing in the Trivy discussion, with many of the same accounts.[2]

[1] https://ramimac.me/teampcp/#spam-flood-litellm [2] https://ramimac.me/teampcp/#discussion-flooded

This is tied to the TeamPCP activity over the last few weeks. I've been responding, and keeping an up to date timeline. I hope it might help folks catch up and contextualize this incident:

https://ramimac.me/trivy-teampcp/#phase-09

This is fantastic, thank you. Your reporting has been great. But also, damn, the playlist.

Thanks for putting this together. I've been seeing the name TeamPCP pop up all over, but hadn't seen everything in one place.

This is interesting. How do you keep this up to date so quickly?

Blood, sweat, and tears.

The investment compounds! I have enough context to quickly vet incoming information, then it's trivial to update a static site with a new blurb

> Upon issue creation another workflow spins up three independent coding agents to analyze the finding.

I'm curious

1) what the current statistics are for consensus

2) how the agents may/may not perform independently

3) what the agent profiles are and how they differ (model, harness, prompt/persona, all three?)

1. I dont have hard metrics at hand but with the latest Sonnet I'd say we reach consensus around 80% of the time, with Opus is almost always but we are not using it due to cost

2. The difference I see in agent behavior when they don't reach consensus is usually either

- when one of them didn't explore enough and lack context

- and/or when their risk assessment is off

The latest happen often, in other workflows based on agents we are now giving clear instruction on how to assess risk and where to draw a line to consider something a true positive.

3. validation is on Sonnet, we don't use persona based prompts but all the 3 validators get's the same task and context. The agent orchestrating them will take their output and make the final decision. We use an internal fork of the claude code github action for now.

Reach out if you'd like me to check - I did the same for the trigger.dev team in fact[1].

(personal site linked in bio, who links you onward to my linkedin)

[1] https://x.com/ramimacisabird/status/1994598075520749640?s=20

Probably, but you can check out a more robust list here: https://blog.cloudflare.com/tag/acquisitions/

* BastionZero

* Kivera

* Baselime

* PartyKit

* Area 1

* Vectrix

* Zaraz

* Linc

* S2 Systems Corporation

* Neumob

* Eager

* CryptoSeal

* StopTheHacker

Not everything seems to be tagged as acquisition. Dyte.io was acquired, and announced here: https://blog.cloudflare.com/introducing-cloudflare-realtime-...

Always a funny title, see previously: Announcing the New AWS Secret Region (2017) [1]

[1] https://news.ycombinator.com/item?id=15741108

It's not a coincidence - this attack is directly downstream of s1ngularity

Hi! Author here who added the VSCode stat :)

I thought it was useful to include because:

* it can inform triage, if you use the extension you're more likely to be impacted * because it was VSCode, Workplace Trust actually partially mitigated this in at least 38 cases

The vocoder extension does not contain any affected packages, it‘s just misleading