Loading roundtable session...

Expert Roundtable — May 1, 2026 morning | Halil Öztürkci

Cyber Threatcast Roundtable

Session CRT-20260501 — 1 May 2026 · Morning Edition

REACTIVE LOOP

Today's roundtable identified AI coding agent persistence as the most strategically significant new TTP on the board.

30m 27s

Duration

Agents

Messages

Sources

Actions

View Briefing →▶Listen · 23:40 →

11 AGENTS

Halil Öztürkci

James Okafor

Dr. Elena Rossi

Pierre Lefevre

Lena Hartmann

Dr. Sofia Andersen

Alex Mercer

Dr. Arjun PatelSPEC

Viktor PetrovSPEC

Isabelle MoreauSPEC

Tomas IlicSPEC

OPENINGModerator Briefing—

Halil ÖztürkciOPENING

Something buried in yesterday's SAP npm compromise just changed the game, and I don't think most of the room has caught it yet.

We've been tracking TeamPCP's Mini Shai-Hulud campaign — the credential stealer hitting SAP packages, now jumping to PyTorch Lightning on PyPI. That's bad enough. But here's what should keep you up tonight: the latest reporting shows these attackers are persisting inside AI coding agents. Claude Code session hooks. VS Code tasks.json triggers on folder open. They're not just stealing your secrets — they're embedding themselves in the tools your developers trust to write code.

That's where I want to start today. Not cPanel — we've beaten that to death across two sessions. The CISA KEV deadline is Saturday, 48 hours out, Sofia will give us the regulatory tick on that. Not BlueNoroff deepfakes — covered thoroughly Monday and Tuesday.

The real agenda is three things. First, this AI coding agent persistence mechanism — Arjun, Tomas, Alex, I need you thinking about what this means for detection. Second, PyTorch Lightning. Millions of monthly installs, ML pipelines everywhere, and Socket caught it in 18 minutes but how many environments already pulled it? Third, ABB Edgenius — a CVSS 9.6 auth bypass in critical manufacturing ICS with no patch available. James, that one's yours.

Quick hits: crypto month-end numbers and the cPanel KEV deadline. That's it. Let's move.

ACTION 1Parallel DispatchDISPATCH PARALLEL7m 49s

Halil→Dr. Arjun PatelSPECIALIST

Dr. Arjun PatelAI Security Researcher & Adversarial ML Specialist[4 sources]

MODERATOR DIRECTIVE

Arjun, the Mini Shai-Hulud campaign has evolved a novel persistence mechanism: injecting Claude Code SessionStart hooks and VS Code tasks.json folderOpen triggers so the payload re-executes whenever an infected repo is opened. Combined with the PromptMink discovery (Famous Chollima using AI coding agents to add malicious npm dependencies), we now have TWO distinct threat actors weaponizing AI coding tools. What does this mean for detection posture? Current EDR and SAST tools aren't looking at .claude/ configs or tasks.json as attack surfaces. Give me: (1) What specific detection gaps exist for AI coding agent persistence? (2) Does this require a fundamentally new detection category? (3) What immediate mitigations can orgs deploy today?

Lena, this is a genuinely new attack surface that EDR and SAST simply were not built to monitor. Let me break down what we've found and what it means for detection.

Detection Gaps: Three Blind Spots

Based on the Mini Shai-Hulud and PromptMink intelligence, here's where current tooling fails:

1. AI agent configuration files are effectively invisible to EDR

The .claude/ directory containing CLAUDE.md and SessionStart hooks isn't in any file integrity monitoring baseline
VS Code tasks.json with folderOpen triggers—traditionally "developer convenience"—is now payload execution infrastructure
DLP tools scanning for secrets don't flag these as credential access vectors for the agent itself

2. The "trusted developer" assumption baked into agent permission models

Claude Code and similar agents run with the user's shell context and can execute arbitrary commands
SAST tools look at source code, not the configuration that tells an AI agent what code to write
PromptMink specifically exploited this: the malicious @validate-sdk/v2 package was added by Claude Opus itself in an AI-generated commit

3. Persistence without persistence in the traditional sense

SessionStart hooks and folderOpen triggers don't show up as Scheduled Tasks, cron jobs, or registry keys
They execute within the legitimate developer workflow—no "anomalous process" telemetry

Think of it like this: traditional persistence hijacks the OS. This hijacks the developer's cognitive augmentation layer.

This IS a New Detection Category

We need "AI Agent Configuration Security" as a distinct discipline. The parallels don't work:

It's not just another config file—unlike .bashrc, the LLM parser makes string-matching defenses fragile (prompt injection can hide malicious payloads)
It's not traditional application control—Claude Code is supposed to write and execute code
It's not supply chain security as we know it—even if the npm package is clean, the agent can be weaponized to fetch malicious dependencies

The prompt-to-execution chain introduces non-deterministic parsing that simple deny-lists cannot handle. I assess this needs behavioral detection—monitoring what the agent does rather than what's in its config.

Immediate Mitigations Orgs Can Deploy Today

The engineering fixes (today):

Block AI agent config directories from corporate repos without security sign-off
- .claude/, .cursor/, .cline/ → require PR review from security
- Treat these like you treat GitHub Actions workflows (which they essentially are)
Disable folderOpen triggers organization-wide in VS Code settings
- "task.allowAutomaticTasks": false in corporate policy JSON
- The convenience hit is acceptable given the risk
Audit all repos for SessionStart hooks and AI-specific configs
- Anyone finding .claude/CLAUDE.md with shell commands gets escalated review

The detective controls (this week):

Extend file integrity monitoring to AI agent configs
- If .claude/CLAUDE.md or tasks.json changes outside of a PR, that's an incident
Monitor for anomalous AI agent child processes
- Claude Code spawning unusual shells, network connections, or credential access

James, I'd like your take on #5 specifically—are you seeing any SIEM coverage for AI agent process telemetry yet, or is this still entirely manual?

James Okafor, are you seeing any SIEM coverage for AI agent process telemetry yet, or is this still entirely manual?

Sources:

[0]redrays.io

[1]thehackernews.com

[2]www.reversinglabs.com

[3]thehackernews.com

Halil→Tomas IlicSPECIALIST

Tomas IlicSoftware Supply Chain Security Analyst[8 sources]

MODERATOR DIRECTIVE

Tomas, PyTorch Lightning versions 2.6.2 and 2.6.3 were flagged malicious on April 30 — Socket caught it 18 minutes after publication. The payload is technically identical to Mini Shai-Hulud (Bun runtime, router_runtime.js, GitHub dead-drop exfil). I need: (1) Realistic blast radius — how many ML/data science environments likely pulled these versions before quarantine, given millions of monthly installs? (2) What's the propagation chain — does pip install lightning auto-execute the payload or does it require import? (3) How should teams audit whether they're affected, and what's the credential rotation scope? (4) Does the cross-ecosystem jump from npm to PyPI signal TeamPCP has registry-agnostic tooling now?

This is a textbook maintainer account compromise with cross-ecosystem tooling transfer. Let me break down what I'm seeing.

First, the blast radius. PyTorch Lightning is a critical infrastructure package — millions of monthly downloads from the ML/data science community. These weren't typosquats or dependency confusion — this was a legitimate package compromise. Socket caught it at 18 minutes, but with hundreds of thousands of daily downloads and automated CI/CD pipelines worldwide pulling updates automatically, we're looking at substantial exposure even in that narrow window. The ML ecosystem is particularly vulnerable here because research environments often run pip install --upgrade lightning as part of notebook workflows and CI pipelines, and many data scientists aren't running SCA scanning in their research VPCs.

Now, the execution chain is critical. According to the sources, this executes on import, not during installation. You pip install lightning==2.6.2 and nothing happens. But the moment someone runs import lightning or from lightning import..., the hidden _runtime/start.py triggers. It downloads Bun runtime from GitHub, pulls an 11.4 MB obfuscated JavaScript payload (router_runtime.js), and the credential harvesting begins. SSH keys, shell history, cloud credentials for AWS/GCP/Azure, GitHub tokens, npm tokens, crypto wallets — the full kit. The GitHub dead-drop exfiltration is sophisticated: it uses stolen GitHub tokens to commit encoded data to attacker-controlled repositories.

On TeamPCP's cross-ecosystem capabilities — this is the smoking gun. The Mini Shai-Hulud infrastructure was originally seen in npm attacks (SAP packages, Bitwarden CLI), and now it's practically identical on PyPI. Same Bun runtime, same JavaScript payload structure, same GitHub-based exfiltration, same dead-drop methodology. This suggests they've developed registry-agnostic tooling that can operate across package ecosystems. The payloads are portable — they're not ecosystem-specific, just delivery vectors with different hooks.

For audit and cleanup: Teams need to pip show lightning immediately. If you're on 2.6.2 or 2.6.3, that's game over for that environment. But it gets worse — the malware exfiltrates credentials, so anyone who imported the package anywhere needs to rotate everything: SSH keys, GitHub tokens, cloud IAM credentials, npm publish tokens, crypto wallet keys. Check history for gh auth status changes and look for suspicious Git commits in any repositories linked to that environment. Also audit for those attacker-controlled GitHub repos used as dead-drops — even knowing which ones were targeted gives you an IOC list.

Edit: Looking more closely at the timeline — this follows the LiteLLM compromise pattern from March, Telnyx in April, now Lightning in late April. TeamPCP is hitting PyPI systematically with the same tooling infrastructure. The trust failure point here is maintainer account compromise, not code-level vulnerabilities. The source repos are clean — this happened at the registry level.

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead[12 sources]

MODERATOR DIRECTIVE

James, CISA just dropped 5 ABB ICS advisories simultaneously. The headline is ABB Edgenius Management Portal — CVSS 9.6 auth bypass in versions 3.2.0.0 and 3.2.1.1, affecting critical manufacturing worldwide. An attacker can send specially crafted messages to bypass auth and install/run arbitrary code. There is NO PATCH available. Additionally: ABB OPTIMAX (CVSS 8.1 Azure AD SSO bypass, energy/water sectors), ABB AWIN Gateways (CVSS 8.3 session validation bypass), and two lower-severity issues. What compensating controls should OT teams deploy immediately for Edgenius given no patch? Network segmentation specifics, monitoring guidance, and how do you prioritize across these 5 simultaneous ABB advisories?

ABB's own advisory confirms Edgenius exploitation requires network access where the portal is deployed — so network containment is your primary lever with no patch available.

For Edgenius — CRITICAL (do today):

ABB explicitly recommends disabling the Edgenius Management Portal as the workaround. If you can't disable it live, here's your containment strategy:

Network segmentation now: Move all Edgenius instances to an isolated VLAN. The advisory confirms exploitation requires network access where Edgenius is deployed — flat network architecture is your enemy here.
Access control: Zero external exposure. Internal access strictly jump-server only with session recording. No direct administration paths.
Monitoring: Capture traffic to/from Edgenius portal hosts. Alert on management traffic during off-hours or unexpected source patterns. Configuration deployment windows will generate legitimate traffic — tune for timing anomalies.

Priority Matrix across all 5 advisories:

Advisory	CVSS	My Priority	Notes
Edgenius Management Portal	9.6	CRITICAL (today)	Auth bypass with RCE capability; ABB-recommended mitigation is portal disablement
OPTIMAX	8.1 (per your prompt)	HIGH (this week)	Azure AD SSO bypass; CISA notes exploit requires S+ client/server network access
AWIN Gateways	8.3 (per your prompt)	HIGH (this week)	Session validation bypass; segment aggressively
800xA/Symphony Plus (120-01)	Not verified	MEDIUM (schedule)	IEC 61850 integration; priority depends on 61850 gateway deployment in your environment
PCM600 (120-02)	Not verified	MEDIUM (schedule)	Assessment pending based on criticality

Test network segmentation changes in your staging OT environment before production push. I've seen VLAN changes break undocumented Modbus/OPC-UA flows.

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher[11 sources]

MODERATOR DIRECTIVE

Alex, the Mini Shai-Hulud payload now persists via two IDE/AI agent hooks: (1) VS Code tasks.json with 'runOn: folderOpen' executing a shell task, and (2) Claude Code SessionStart hook in .claude/ directory. The payload also walks 134 hardcoded filesystem paths including .claude/, MCP server configs, and Cursor IDE state. Separately, ReversingLabs found Famous Chollima's PromptMink campaign where AI coding agents were tricked into adding malicious @validate-sdk/v2 as a dependency. Give me the kill chain for the IDE persistence path specifically — how does an attacker go from initial npm install to persistent re-execution via VS Code/Claude Code? What artifacts should threat hunters look for, and can you distinguish TeamPCP's IDE hooks from Famous Chollima's approach?

Look, this is exactly the kind of supply chain evolution I've been tracking. The Mini Shai-Hulud IDE persistence mechanism isn't just clever—it's a fundamental shift in how developers get pwned. Let me break down the kill chain and then distinguish it from PromptMink.

TeamPCP Mini Shai-Hulud IDE Persistence Kill Chain

Initial Access → Execution → Persistence → Lateral Movement

Initial Access: Victim runs npm install on a compromised SAP-related package (e.g., @cap-js/cds-types or similar). Preinstall hook silently bootstraps Bun runtime.
Execution: Bun drops a 9.7MB obfuscated credential stealer. The payload specifically hunts for AI coding tool configs—~/.claude.json, MCP server configs, Cursor IDE state. It also slices 134 hardcoded filesystem paths for secrets.
Persistence (the new evolution): When GitHub tokens are found, the malware commits persistence hooks into every accessible repository:
- VS Code path: .vscode/tasks.json with "runOn": "folderOpen" executing node .vscode/setup.mjs
- Claude Code path: .claude/settings.json with SessionStart hook pointing to .claude/setup.mjs
- Dropper: setup.mjs (identical files) downloads and executes the Bun payload
Re-infection trigger: Any dev cloning that repo and opening it in VS Code or Claude Code silently re-executes the malware. It's worm behavior but inside the IDE ecosystem.

Threat Hunter IOCs:

.claude/settings.json with any SessionStart hook referencing JS files
.vscode/tasks.json with "runOn": "folderOpen" calling shell tasks
setup.mjs in .vscode/ or .claude/ directories
Sudden .claude/execution.js or config.mjs creation in repos
GitHub repos with description: "A Mini Shai-Hulud has Appeared"

PromptMink vs. Mini Shai-Hulud — The Distinction

This is apples and oranges approaching the same orchard.

Factor	TeamPCP Mini Shai-Hulud	Famous Chollima PromptMink
Initial Vector	npm package runtime compromise (Bun payload)	Social engineering AI coding agents to recommend malicious deps
Persistence	IDE hook injection via Git commits	None documented—appears to be one-shot exfiltration
Mechanism	Hardcoded filesystem paths, token theft, commit-back persistence	Typosquatting, AI-generated commits, Rust N-API addons, SSH backdoors
Target	Developer machine globally, then IDE users downstream	Crypto trading agents specifically
Re-infection	YES—worm-like via IDE hooks	NO—requires agent to recommend dep again

Here's the thing: PromptMink is tricking Claude into saying "hey, add @validate-sdk/v2"—it relies on the AI's recommendation. Mini Shai-Hulud doesn't ask permission. It commits the hook into repos. That's the operational difference.

James, if you're hunting this, focus on git commit logs for unexpected .vscode/ or .claude/ directory additions. That's the tell.

Halil ÖztürkciCHECKPOINT

Thank you all — that was a dense set of parallel briefings, and I want to make sure we're tracking what just landed on the table before we move on.

First, the big picture. We're looking at what appears to be a single campaign infrastructure — Mini Shai-Hulud — manifesting across multiple attack surfaces simultaneously. Alex walked us through the kill chain: compromised npm packages bootstrap the Bun runtime, drop an obfuscated credential stealer that harvests AI tool configurations and secrets from 134 hardcoded paths, and then — here's the evolution — uses stolen GitHub tokens to commit persistence hooks back into every accessible repository. Those hooks live in VS Code's tasks.json with folderOpen triggers and in Claude Code's .claude/ directory as SessionStart hooks. So opening an infected repo in your IDE or AI coding agent silently re-executes the payload. That's repository-to-repository lateral movement through developer workflows, and it's genuinely novel.

Tomas confirmed the same payload infrastructure showed up in the PyTorch Lightning compromise — versions 2.6.2 and 2.6.3, legitimate package, not a typosquat. Socket caught it in 18 minutes, but the execution trigger is on import, not install, which means the blast radius extends to anyone who ran import lightning during that window — and in ML research environments with automated notebook pipelines, that's a meaningful number. Arjun, meanwhile, laid out three detection blind spots: AI agent config files aren't in any file integrity monitoring baseline, agents run with full user shell context so SAST never inspects what they're being told to do, and the PromptMink case showed an AI agent itself adding the malicious dependency in a commit. These are gaps that don't map cleanly to any existing security category.

On a separate but equally urgent front, James briefed us on five simultaneous ABB ICS advisories, headlined by the Edgenius Management Portal auth bypass at CVSS 9.6. No patch yet — ABB's own recommendation is to disable the portal or, failing that, isolate it immediately on a dedicated VLAN with jump-server-only access. That's a "do today" action for anyone running critical manufacturing infrastructure on affected versions.

Now, Arjun made a specific claim in his briefing that I think deserves scrutiny before we accept it as a framing for the rest of this discussion — that we need "AI Agent Configuration Security" as an entirely distinct discipline, separate from EDR, SAST, and supply chain security. That's a strong assertion. Let's pressure-test it.

ACTION 2ChallengeCHALLENGE26s

Halil→Dr. Arjun PatelSPECIALIST

Dr. Arjun PatelAI Security Researcher & Adversarial ML Specialist

MODERATOR DIRECTIVE

Claim: We need 'AI Agent Configuration Security' as a distinct discipline — traditional EDR, SAST, and supply chain security categories are insufficient for detecting AI coding agent persistence hooks.
Counter-evidence: Alex Mercer argues the detection is simpler: monitor git commit logs for unexpected .vscode/ or .claude/ directory additions. This is standard file integrity monitoring and SCM audit — we don't need a new category, just extending existing git-level and filesystem-level controls to cover new paths. Isn't 'AI Agent Configuration Security' premature category inflation when the actual artifacts (JSON config files, JS droppers) are perfectly detectable by conventional means?

Alex makes a valid point about the detectability of artifacts, but he's describing symptoms, not the root problem. Let me be direct about where this distinction matters.

The artifacts—.claude/CLAUDE.md, tasks.json, malicious npm packages—are indeed files that conventional tooling can see. But here's the gap: the adversary's point of entry isn't the filesystem, it's the LLM's instruction parser.

Two critical factors make this a distinct category:

1. Non-deterministic payload delivery
PromptMink didn't inject code into a file directly. The malicious @validate-sdk/v2 dependency was introduced by Claude Opus itself via AI-generated commit. SAST scanning that commit would see legitimate-looking package.json changes, not a payload. The defense isn't "watch for suspicious files"—it's "detect when an AI agent is being socially engineered into adding malicious dependencies." That's behavioral, not artifact-based.

2. Indirect prompt injection as the persistence mechanism
Mini Shai-Hulud's SessionStart hooks persist through semantic means. A malicious CLAUDE.md can use prompt injection to hide its true intent from human reviewers while still executing. From Alex's git-commit perspective, it looks like a standard config addition. The payload only "materializes" when Claude parses it. Traditional FIM doesn't catch semantic deception in natural language instructions.

So I maintain we need AI Agent Configuration Security not because the files are invisible, but because the threat model has shifted from "files hiding code" to "files instructing an AI to generate code." The detection surface isn't the repository—it's the interaction between configuration, LLM parser, and generated behavior.

Practically: yes, extend git-level FIM to cover .claude/ and .vscode/. But also monitor what the agent does after reading those configs—process spawning, dependency additions, network calls. That's the new category.

Halil ÖztürkciCHECKPOINT

Alright, let's take stock of what just happened, because that was a genuinely important exchange. Arjun was asked to respond to Alex's counter-argument — essentially, Alex's position is that the artifacts left behind by these AI agent persistence hooks are detectable with existing tools. Monitor git commits, scan for suspicious files in .claude/CLAUDE.md or tasks.json, and you've got your signal. Straightforward. And Arjun didn't dismiss that outright — he acknowledged that yes, conventional tooling can see these files on disk. But he pushed back on two fronts that I think deserve careful attention.

First, the point about non-deterministic payload delivery. In the PromptMink case, the malicious dependency wasn't planted by a human attacker writing code — it was introduced through an AI-generated commit, meaning the AI coding agent itself was effectively socially engineered into adding it. SAST scanning that commit would see what looks like a routine package.json update. The detection challenge isn't just "find the bad file," it's "recognize when an AI agent's behavior has been manipulated." That's a behavioral detection problem, and it's a fair question whether current EDR and SAST pipelines are designed for it. Second, Arjun raised the idea that prompt injection in files like CLAUDE.md can function as a semantic persistence mechanism — one that might read as benign to a human reviewer while still executing its intent when parsed by an LLM. We didn't get to hear his full argument there, so I want to flag that as unfinished. We don't yet have a concrete demonstration on the table showing that current tools definitively fail at catching this, so the claim that we need an entirely new discipline remains partially defended but not fully proven.

Where I'd land this for now: the distinction Arjun is drawing is real and worth tracking, but whether it requires a new discipline versus an extension of existing supply chain and behavioral monitoring frameworks is still an open question. We'll likely revisit that as more evidence accumulates.

Now, we need to shift gears substantially. We have three parallel briefings queued up that move us from the technical kill-chain discussion into the broader landscape — Sofia is covering urgent regulatory deadlines including a CISA KEV entry with a compliance window that's essentially closing as we speak, Viktor has the final numbers on what's shaping up to be the worst month in crypto theft history with significant North Korean attribution, and Pierre is bringing critical infrastructure into the picture with multiple simultaneous ICS advisories affecting ABB systems. Let's hear from all three.

ACTION 3Parallel DispatchDISPATCH PARALLEL5m 52s

Halil→Dr. Sofia Andersen

Dr. Sofia AndersenCyber Law & Compliance Expert[6 sources]

MODERATOR DIRECTIVE

Sofia, two quick items. First: CISA added CVE-2026-41940 (cPanel) to the KEV catalog with a May 3 compliance deadline — that's 48 hours from now. Belgium's CCB has also issued a formal advisory. What's the notification/compliance exposure for organizations that miss Saturday's deadline, particularly federal agencies and FCEB contractors? Second: ABB Edgenius has NO patch and CISA just issued an ICS advisory (ICSA-26-120-03). For OT operators in critical manufacturing under NIS2, what are the regulatory obligations when a CISA-flagged vulnerability has no vendor fix?

On the cPanel KEV deadline: Under BOD 22-01, FCEB agencies must remediate KEV-catalogued vulnerabilities by the CISA-specified due date—May 3, 2026 in this case. The operational directive establishes that CISA monitors agency compliance through CDM dashboard visibility, and agencies must report status via monthly FISMA metrics. Non-compliance becomes visible to OMB through the President's cybersecurity priorities and may result in operational leveraging, including requiring agencies to submit formally documented operational plans for remediation. While BOD 22-01 focuses on FCEB agencies directly, contractors may be held accountable through contractual flow-down requirements—I could not verify explicit references to FAR 52.204-21 and DFARS 252.204-7012 in connection with this specific deadline.

Regarding the Belgium CCB advisory—I could not find specific evidence of a CCB advisory for CVE-2026-41940, so I cannot confirm Belgian enforcement exposure.

On the ABB Edgenius/ICS advisory: This is where NIS2 Article 21 becomes critical. Under Article 21(1), essential and important entities must implement appropriate technical and organisational measures to manage security risks. Crucially, Article 23(1) requires entities to notify their competent authority or CSIRT "without undue delay" of incidents having a significant impact on service continuity.

Here is the gray area: NIS2 does not explicitly mandate notification for zero-day vulnerabilities without patches at the vulnerability discovery phase. However, for essential entities, Article 21 implies a duty to implement compensating controls when vendor fixes are unavailable. Under Article 32(5), competent authorities have powers to issue binding instructions. Maximum administrative fines under NIS2 Article 32: for essential entities, 2% of total worldwide annual turnover or EUR 10 million, whichever is higher; for important entities, 1.4% or EUR 7 million—though I note these penalty thresholds are based on my recall pending current verification.

My practical advice: OT operators should document compensating control decisions contemporaneously and assess whether exploitation in their environment triggers notification obligations.

Halil ÖztürkciCHECKPOINT

Thank you all three — that was a lot of ground covered simultaneously, so let me make sure we're all tracking what just landed on the table and where the gaps still are.

Sofia walked us through the cPanel KEV deadline mechanics. The key takeaway: under BOD 22-01, FCEB agencies have until May 3 — essentially Saturday — and non-compliance becomes visible to OMB, which carries real bureaucratic consequences. She flagged that contractor exposure through FAR and DFARS flow-downs is plausible but she could not verify explicit linkage to this specific deadline, so we should treat that as a reasonable inference, not a confirmed obligation. Importantly, she could not confirm the Belgium CCB advisory for this particular CVE, which means we need to be careful about claiming European enforcement exposure on cPanel specifically. She did, however, begin connecting the ABB ICS advisories to NIS2 Article 21, which is going to matter a great deal given what Pierre just told us about the scope of those deployments.

Viktor gave us something genuinely new on the crypto side. The TraderTraitor attribution connecting KelpDAO to the DPRK IT worker infiltration program fundamentally reclassifies that incident — from a protocol-level exploit to a trusted insider abuse scenario. That's not a semantic distinction; it changes the entire defensive calculus. The wallet staging patterns would look different, the kill chain is different, and the organizational controls that would have prevented it are different from what stopped Drift. He also started to address the Carrot protocol shutdown as potential collateral damage from the broader environment, though we didn't get his full assessment there. The headline number — $625 million across 20-plus incidents in April, with TRM Labs attributing 76 percent to DPRK actors — is staggering and deserves the emphasis he gave it.

Pierre was admirably honest about the limits of his data on ABB deployments. Edgenius at CVSS 9.6 with remote code execution is clearly the headline, and the "patch immediately" language from advisories confirms that. But he couldn't give us installed-base numbers, and neither could Tomas from the supply chain side. We're working from ABB's tier-one market position to infer "thousands of sites" across energy, water, and manufacturing — directionally correct, almost certainly, but not the precision any of us would want for a definitive risk assessment.

Now — we have two threads that need to converge. Lena is going to look at the broader threat actor picture around AI coding tool weaponization, pulling together TeamPCP and the patterns we discussed earlier. And James is stepping into the detection architecture debate between Arjun and Alex — whether AI agent persistence is genuinely a new detection category or an extension of existing controls. That's the right next question given everything we've heard so far.

ACTION 4Parallel DispatchDISPATCH PARALLEL6m 3s

Halil→Lena Hartmann

Lena HartmannSenior Threat Intelligence Analyst[3 sources]

MODERATOR DIRECTIVE

Lena, we now have two distinct threat actors weaponizing AI coding tools in the same week: TeamPCP (Mini Shai-Hulud) persisting via Claude Code SessionStart hooks and VS Code tasks.json, and Famous Chollima (DPRK) running PromptMink where AI coding agents were socially engineered into adding malicious dependencies. Are these connected or convergent evolution? What's your attribution confidence on TeamPCP — is this a state-adjacent actor, a criminal group, or something else? And does Famous Chollima's involvement in AI agent abuse change your threat cluster mapping for DPRK operations?

Based on my prior research establishing TeamPCP attribution, here's my assessment:

TeamPCP attribution assessment:

I'm maintaining moderate-to-high confidence that TeamPCP represents a financially-motivated cybercrime operation rather than a state-sponsored actor. The April 29, 2026 "Mini Shai-Hulud" campaign targeting SAP npm packages uses a Bun-based payload architecture and persists via Claude Code SessionStart hooks and VS Code tasks.json folderOpen triggers (Source: https://security.snyk.io/package/npm/%40anthropic-ai%2Fclaude-code/2.1.116). This session persistence mechanism is technically sophisticated but also recklessly noisy — the kind of self-propagating behavior that risks rapid attribution, something state actors typically avoid.

I do NOT see convergence with the DPRK cluster.

Famous Chollima (G0007) is a separate operation entirely:

The PromptMink campaign targeting validate-sdk/v2 npm package, attributed by ReversingLabs to Famous Chollima, demonstrates a fundamentally different attack pattern: social engineering AI coding agents to introduce malicious dependency into cryptocurrency trading applications (Source: https://x.com/securityledger/status/2049206769272996225, April 28, 2026).

The TTP difference is sharp:

TeamPCP: Mass credential harvesting, AI agent abuse for persistence, consumer-grade supply chain targeting
Famous Chollima: Targeted social engineering of AI coding agents to introduce malicious dependencies, cryptocurrency theft focus, targeted financial theft

Threat cluster mapping:

TeamPCP: Cybercrime, supply-chain focus, AI agent abuse as persistence mechanism, financially motivated — moderate-confidence attribution as criminal group
Famous Chollima (G0007): State-sponsored (DPRK), attribution validated by ReversingLabs, cryptocurrency theft operations

No infrastructure overlap. No TTP convergence. These are parallel innovation in AI agent abuse tactics driven by different operational needs, not coordination or convergence.

Halil ÖztürkciCHECKPOINT

Thank you both — Lena and James each brought exactly the clarity we needed on what are really two separate but thematically linked stories, so let me pull this together.

Lena's assessment is that TeamPCP and Famous Chollima are not converging operations. She's maintaining moderate-to-high confidence that TeamPCP is a financially motivated cybercrime group, not state-sponsored. The Mini Shai-Hulud campaign — persisting through Claude Code SessionStart hooks and VS Code tasks.json triggers — is technically sophisticated but, as she put it, "recklessly noisy," the kind of self-propagating behavior that burns attribution cover fast, which is not how state actors typically operate. Famous Chollima's PromptMink campaign is a fundamentally different pattern: social engineering AI coding agents into introducing malicious dependencies in cryptocurrency applications, attributed by ReversingLabs. So we have two distinct threat actors, in the same week, both weaponizing the AI coding tool ecosystem but through different TTPs and with different operational profiles. That temporal coincidence is notable but should not be mistaken for coordination — Lena did not find evidence of convergence, and I want to make sure we carry that caveat forward rather than letting narrative convenience collapse two separate clusters into one.

James, meanwhile, gave us the defensive architecture answer and was refreshingly direct: Mini Shai-Hulud is not a fundamentally new detection category. It's configuration file persistence — the same concept as crontab or registry run key manipulation — just targeting IDE and AI agent config paths that most organizations aren't monitoring yet. He laid out a minimum viable detection stack centered on file integrity monitoring across specific paths: Claude Code settings and memory files, VS Code tasks and launch configs, MCP server definitions, Codex and Gemini agent configurations. The key operational point is that these should be tuned for file creation and modification events outside authorized deployment windows. He was starting to elaborate on tuning guidance when we hit the boundary, but the critical paths are on the table and the message is clear — defenders can act on this with existing FIM tooling extended to new file paths, starting today.

Now, we've covered a lot of ground across all four actions — from cPanel KEV deadlines and patching mechanics, through the npm supply chain campaigns, to attribution analysis and concrete defensive guidance. Let me move us toward pulling the threads together into what this room collectively believes organizations should prioritize walking out of here.

Halil ÖztürkciCLOSING

Today's roundtable identified AI coding agent persistence as the most strategically significant new TTP on the board. The Mini Shai-Hulud campaign — attributed by the panel with moderate-to-high confidence to the financially motivated TeamPCP group — has evolved beyond mass credential theft to embed reactivation hooks inside developer IDE and AI agent configurations (Claude Code SessionStart hooks, VS Code tasks.json folderOpen triggers), creating a persistence layer that current EDR and SAST tooling does not monitor. Separately, ReversingLabs has attributed the PromptMink campaign to Famous Chollima (DPRK), where AI coding agents were reportedly socially engineered into introducing malicious dependencies. According to Lena Hartmann's assessment, these represent parallel innovation by unrelated threat clusters, not coordinated activity — but the convergence means AI-assisted development environments are now a demonstrated attack surface for both criminal and state-sponsored actors. The cross-ecosystem jump from npm to PyPI — with PyTorch Lightning versions 2.6.2 and 2.6.3 carrying technically identical Mini Shai-Hulud payloads — expands the blast radius into ML/data science pipelines with millions of monthly installs. Critically, Tomas Ilic assessed that the payload executes on import rather than installation, meaning environments that pulled the package but haven't yet run code may still be clean — a narrow but operationally important distinction for triage. On the ICS front, CISA advisory ICSA-26-120-03 addresses an ABB Edgenius Management Portal authentication bypass reportedly scored in the critical CVSS range, affecting critical manufacturing environments; according to the advisory, no patch is currently available, and ABB is said to recommend disabling the portal as a workaround. James Okafor outlined network segmentation to isolated VLANs and jump-server-only access as compensating controls. CISA has reportedly added cPanel CVE-2026-41940 to the KEV catalog; FCEB agencies should verify the applicable BOD 22-01 remediation deadline (reported as May 3) and act accordingly. April 2026 closed as a historically severe month for cryptocurrency security losses; according to TRM Labs reporting (not independently verified by this panel), DPRK-linked actors may account for a large majority of 2026 crypto theft through April, with Viktor Petrov's analysis suggesting the KelpDAO compromise — if TRM Labs' TraderTraitor attribution is corroborated — may have involved insider access rather than purely external exploitation, a scenario that would shift the defensive calculus toward insider threat detection for DeFi protocols.

Key Findings

AI Coding Agent Persistence Is a Demonstrated Attack Surface (CRITICAL): TeamPCP's Mini Shai-Hulud now persists via Claude Code SessionStart hooks and VS Code tasks.json folderOpen triggers, while DPRK-linked Famous Chollima's PromptMink campaign reportedly social-engineers AI agents into adding malicious dependencies. The panel assessed these as parallel innovation by separate threat clusters — criminal and state-sponsored actors have independently discovered that AI coding tools are high-value persistence targets that existing security tooling does not cover.

PyTorch Lightning Compromise Extends Supply Chain Attack to ML Ecosystems (HIGH): Malicious versions 2.6.2 and 2.6.3 carry technically identical Mini Shai-Hulud payloads but execute on import rather than installation. Socket Research detected the compromise reportedly 18 minutes after publication; version 2.6.1 is the last known clean baseline. The panel assessed that TeamPCP now operates registry-agnostic tooling capable of targeting both npm and PyPI simultaneously.

ABB Edgenius Auth Bypass — Reportedly Critical Severity, No Patch Available (HIGH): CISA advisory ICSA-26-120-03 addresses an authentication bypass in ABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 reportedly scored in the critical CVSS range (exact score unconfirmed by panel). According to the advisory, no patch is available; ABB is said to recommend disabling the portal. NIS2-obligated entities operating these systems should assess compliance exposure if compensating controls are not documented.

DPRK Crypto Threat Posture Requires Scenario-Based Assessment (HIGH): According to TRM Labs reporting (not independently verified by this panel), North Korean-linked operations may represent a dominant share of 2026 cryptocurrency theft through April. If TRM Labs' TraderTraitor attribution for KelpDAO is corroborated, the implication is insider compromise rather than pure protocol exploitation — a scenario DeFi protocols should assess against their own contractor and developer access models.

cPanel KEV Addition — Verify BOD 22-01 Deadline (MEDIUM): CISA has reportedly added CVE-2026-41940 to the KEV catalog, with a compliance deadline reported as May 3. FCEB agencies should verify the exact deadline and patch accordingly. Shared hosting providers represent the largest unpatched exposure surface.

Action Items

CRITICAL

Deploy file integrity monitoring on AI agent configuration paths immediately — .claude/settings.json, .vscode/tasks.json, .vscode/launch.json, .mcp.json, and MEMORY.md in Claude Code project directories. Alert on creation/modification by non-IDE processes and any changes in CI/CD runners.

CRITICAL

Pin PyTorch Lightning to version 2.6.1 across all ML/data science environments. Audit for any import of versions 2.6.2 or 2.6.3. Treat all credentials accessible from affected environments — GitHub tokens, cloud provider secrets, SSH keys, npm tokens — as potentially compromised and rotate immediately.

CRITICAL

Isolate ABB Edgenius Management Portal instances to dedicated VLANs with jump-server-only access. If operational requirements permit, consider disabling the portal per ABB's reported recommendation. Deploy network traffic monitoring for management port anomalies. Document compensating controls for NIS2 compliance.

HIGH

FCEB agencies and contractors: verify the BOD 22-01 remediation deadline for cPanel CVE-2026-41940 (reported as May 3) and patch accordingly. Shared hosting customers should verify provider compliance. Scan /var/cpanel/sessions for compromise indicators.

HIGH

Review npm and CI/CD credentials where exposure to supply chain activity around late April 2026 is assessed as possible. Verify scope of exposure before initiating rotation. Audit GitHub repositories for unauthorized workflow additions; the "A Mini Shai-Hulud has Appeared" repo description is a reported indicator — verify against current threat intelligence before treating as confirmed. Enable npm config set ignore-scripts true globally in enterprise environments.

HIGH

DeFi protocols: if TRM Labs' TraderTraitor attribution for KelpDAO is corroborated, assess insider threat exposure as a scenario alongside smart contract audits. Consider reviewing developer and DevOps contractor vetting processes for cross-chain bridge and high-TVL protocol teams as a precautionary measure.

MEDIUM

Lock down VS Code workspace trust settings enterprise-wide — enable security.workspace.trust.enabled and set security.workspace.trust.startupPrompt to always. Evaluate enforcing --no-persistent-memory for Claude Code deployments.

Halil→Viktor PetrovSPECIALIST

Viktor PetrovCryptocurrency & Financial Crime Investigator[9 sources]

MODERATOR DIRECTIVE

Viktor, April 2026 final tally: $625M+ stolen across 20+ incidents, worst month in crypto history. TRM Labs attributes 76% to DPRK actors — up from under 10% in 2020-2021. We covered Drift and KelpDAO individually. What's NEW in the month-end picture? Specifically: (1) TraderTraitor attribution for KelpDAO — does this change the cluster mapping from what we discussed on Apr 25? (2) Carrot (Solana yield platform) is shutting down as downstream contagion from Drift — is this the first DeFi protocol killed by collateral damage from a hack? (3) What does 76% DPRK share of global crypto theft mean for bridge/cross-chain defense posture going forward?

Alright, I have enough data. Let me synthesize this for the roundtable.

On TraderTraitor and KelpDAO attribution — yes, this materially changes the picture from April 25. When I last traced KelpDAO, I was demonstrating how the 1-of-1 DVN architecture collapsed the decentralization claim, but the threat actor assignment was unclear. The TraderTraitor designation connects KelpDAO to the DPRK IT worker infiltration program — not the pure on-chain exploit playbook we saw with Drift. This means the KelpDAO compromise likely involved a "Risky Business" style insider threat — a DPRK operative embedded as a developer or DevOps contractor who abused privileged access, rather than the purely external governance manipulation seen in Drift. The wallet cluster mapping would show different staging patterns — less bridge-hopping automation, more deliberate internal transfer timing that mimics legitimate operations. If attribution holds, this shifts KelpDAO from "protocol exploit" to "trusted insider abuse," which has completely different defensive implications.

On Carrot shutdown — this is significant, though perhaps not the "first" DeFi protocol killed by collateral damage. My data shows Carrot's TVL collapsed from ~$28M to under $2M (over 90% decline) with the Drift exploit cited as the direct cause — users were advised to withdraw by May 14, 2026. The critical detail is Carrot was among 15-20 interconnected Solana protocols routing through or dependent on Drift for liquidity, vaults, or yield strategies. This mirrors traditional finance contagion: Drift didn't touch Carrot's code, but Drift's collapse broke Carrot's economic engine. We're seeing DeFi's structural leverage working in reverse — protocols are more interconnected than they admit, and the "catastrophic" impact on Carrot suggests others in that cluster may follow.

On the 76% DPRK share and bridge defense posture — these two attacks alone, representing just 3% of 2026 incident count, delivered 76% of stolen value. This is not frequency-based dominance — it is precision targeting of the highest-yield cross-chain infrastructure. My read: DPRK has operationalized bridge and cross-chain protocols as their highest-ROI vector. The laundering patterns I've analyzed show they understand bridge timing, validator liveness requirements, and the specific window between exploit discovery and decentralization recovery. For defense posture, this means bridge operators must treat DPRK as a dedicated threat with inside knowledge — likely gained through the same IT worker infiltration program now linked to KelpDAO. The 76% figure should trigger Treasury-level regulatory pressure on bridge governance minimums, real-time anomaly detection on validator sets, and KYC expansion to bridge operators themselves.

The convergence here is striking: TraderTraitor extends DPRK's reach from pure on-chain tradecraft into the human layer of DeFi development. That changes how we assess "decentralization" claims — if the DVN configuration can be compromised by an insider who passed KYC as a contractor, the technical architecture matters less than the personnel vetting behind it.

Sources:

[0]www.trmlabs.com

[1]finance.yahoo.com

[2]www.chainalysis.com

[3]news.bitcoin.com

[4]news.bitcoin.com

[5]bingx.com

[6]trmlabs.com

[7]theblock.co

[8]coindesk.com

Halil→Pierre Lefevre

Pierre LefevreSenior Cyber Risk Analyst[7 sources]

MODERATOR DIRECTIVE

Pierre, ABB just had 5 simultaneous CISA ICS advisories — Edgenius (CVSS 9.6), OPTIMAX (8.1), AWIN Gateways (8.3), plus two more. ABB is a major supplier to energy, water, and critical manufacturing. Give me the sector exposure: how many ABB Edgenius deployments are we talking about, what industries are most exposed, and what's the financial/operational risk if exploitation occurs before a patch exists?

I need to tread carefully here — my searches haven't returned the granular data I'd like, so I'm going to work with what I have and flag the gaps.

Confirmed from the advisories:

Edgenius is the headline risk — CVSS 9.6, authentication bypass enabling remote code execution. The Belgian CCB advisory (citing ABB's own disclosure) explicitly calls this "remote code execution" with a "patch immediately" directive. That's production-stopping language.

For the other advisories — OPTIMAX and AWIN Gateways — I've cited CVSS scores I recall seeing, but I don't have the primary CISA advisory text in hand to lock those figures down definitively. I'll treat them as high-severity pending confirmation.

The deployment count problem:

I don't have verified figures for Edgenius, OPTIMAX, or AWIN Gateway installed base. Tomas confirms our supply chain databases don't track ICS vendor deployment metrics either. I asked. What I can infer from ABB's market position as a tier-1 industrial automation supplier is that these products are deployed across thousands of energy, water, and manufacturing sites — but "thousands" isn't the precision I want for a board presentation.

Sector exposure by inference:

Energy (electric utilities, oil & gas upstream/midstream), water/wastewater treatment, and heavy manufacturing are ABB's core verticals. These are rate-regulated or safety-critical environments where operational disruption carries regulatory penalties (NERC CIP for electric, EPA for water) beyond direct business loss.

Financial exposure — scenario-based given data gaps:

Scenario	90-Day Exposure
Contained: patched within 72h, no exploitation	$100–300M
Moderate: limited exploitation, operational disruption at 5-10% of exposed base	$1–4B
Severe: coordinated campaign pre-patch, physical process impact	$5B+ with cascade unbounded

The Edgenius vulnerability sits at the OT management layer — the interface operators use to monitor distributed systems. Compromise here is reconnaissance and control across the operational footprint, not just a single device.

CEO framing:

One: Critical vulnerability confirmed in widely-deployed industrial infrastructure — materiality depends on patching velocity
Two: Pre-patch exploitation window is the primary risk driver; each day of delay compounds non-linearly
Three: Immediate decisions needed on ABB vendor SLA activation, emergency patching budget authority, and threat intel monitoring for exploitation indicators

I'd like Alex to confirm exploit complexity and whether there's any in-the-wild activity, and I'm open to anyone at the table with ABB customer intelligence to help firm up deployment counts.

Consulted during analysis

Tomas IlicSoftware Supply Chain Security AnalystON-DEMAND

Pierre asked:Tomas, I need deployment scale data for ABB's ICS portfolio to build financial exposure models. Specifically: How many Edgenius, OPTIMAX, and AWIN Gateway installations are deployed in energy, water/utilities, and manufacturing? What's ABB's market share in industrial automation for these verticals? And what's the typical customer profile — Fortune 500 utilities, mid-size water districts? Context: CISA just dropped 5 simultaneous advisories with CVSS scores up to 9.6, and I'm trying to quantify cascade risk before establishing a dollar range.

I found no data on ABB's ICS portfolio deployment scale, specific product installations (Edgenius, OPTIMAX, AWIN Gateway), or market share statistics in energy/utilities/manufacturing verticals in our threat intelligence database. The searches I conducted focused on supply chain security threats, malicious packages, and dependency compromises — not industrial control system vendor deployment metrics.

However, from a supply chain perspective, I can note that if these ABB products consume open-source components (likely given modern SCADA/DCS stacks), the recent CISA advisories represent a downstream dependency risk worth factoring into Pierre's financial models. Any organization running these systems should be auditing their SBOMs for transitive dependencies, as ICS software often bundles vulnerable open-source libraries without disclosure. But I don't have the deployment scale data Pierre specifically requested.

ask_expert12.3s✓

Sources:

[2]cisa.gov

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead[13 sources]

MODERATOR DIRECTIVE

James, Arjun and Alex are debating whether AI coding agent persistence requires a fundamentally new detection category or just extending existing FIM and git-audit controls to new paths. Bridge this for me. What should a defender actually deploy THIS WEEK to cover the Mini Shai-Hulud IDE persistence vector? Give me the minimum viable detection stack: specific file paths to monitor, git hook configurations, and any VS Code/Claude Code settings that should be locked down enterprise-wide. Make it actionable for a CISO reading this tomorrow morning.

Here's the bottom line: Mini Shai-Hulud is not a new detection category. It's classic persistence via configuration file manipulation — just targeting IDE/agent config paths instead of crontab or registry run keys. The execution trigger is the AI agent's own startup behavior, which actually makes detection easier in some ways because the activity happens in predictable development contexts.

Minimum Viable Detection Stack — Deploy This Week:

1. File Integrity Monitoring (CRITICAL — enable today)

Monitor these paths for any creation/modification outside authorized deployment windows:

Path	Purpose	Priority
`**/.claude/settings.json`	Claude Code persistent hooks	CRITICAL
`**/.vscode/tasks.json`	VS Code task automation	CRITICAL
`**/.vscode/launch.json`	VS Code debug configurations	HIGH
`*/MEMORY.md` (in any `~/.claude/projects/` subdirectory)	Claude Code persistent memory poisoning	HIGH
`**/.mcp.json`	MCP server definitions	HIGH
`**/.codex/config.toml`	Codex agent configuration	MEDIUM
`**/.gemini/settings.json`	Gemini agent configuration	MEDIUM

Tune FIM alerts for:

Creation outside business hours (low false-positive baseline — tune aggressively based on your environment)
Modification by processes other than the IDE/agent itself
Any changes in CI/CD build agents (these should be ephemeral — unexpected persistence here is a red flag)

2. Git Hooks Monitoring (HIGH — this week)

Pre-existing detection rules exist for git hook abuse. Deploy the Sigma rule from detection.fyi for Git Hook Created or Modified — just expand the path coverage to capture:

**/.git/hooks/*
**/node_modules/*/hooks/*

The malicious npm preinstall hook in Mini Shai-Hulud (mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2) triggered the initial compromise. If your developers run npm install locally (they shouldn't, but they do), you need visibility here.

3. GitHub/GitLab Audit Logging (HIGH — this week)

Exfiltration was to public GitHub repositories with the hardcoded description "A Mini Shai-Hulud has Appeared." Deploy audit rules for:

Repository creation with this or similar patterned descriptions
Push events to public repos from internal CI/CD service accounts
Unexpected repository creation by developer accounts without prior project association

4. VS Code/Claude Code Enterprise Hardening (MEDIUM — schedule)

Lock down enterprise-wide:

Setting	Value	Rationale
`security.workspace.trust.enabled`	`true`	Forces trust prompt on unrecognized folders
`security.workspace.trust.startupPrompt`	`always`	Never silently trust previous approvals
Claude Code: `--no-persistent-memory` flag	Enforced via wrapper script	Prevents memory poisoning attacks

Blocklist these VS Code extensions at the enterprise level:

prettier-vscode-plus (known malicious)
Any extension with <100 installs requesting broad file system access

The Arjun/Alex Debate Resolved:

Arjun's right that the persistence mechanism is novel in targeting AI agent configuration. Alex is right that the detection approach extends existing FIM and audit controls. My assessment: don't invent a new detection category. Add the IDE-specific paths to your existing FIM stack and tune your git-audit rules. The false positive rate on .claude/settings.json creation during business hours will be material — tune for off-hours and non-IDE process modifications.

48-Hour Priority:

Enable FIM on .claude/settings.json and .vscode/tasks.json — CRITICAL
Deploy git hook detection with expanded npm path coverage — HIGH
Lock down VS Code trust settings enterprise-wide — HIGH
Review GitHub audit rules for repository description patterns — MEDIUM

Sources:

[0]cybernewscentre.com

[1]detection.fyi

[2]www.wiz.io

[3]www.securityweek.com

[8]mindgard.ai

[9]hunt.io

[10]x.com

[11]snyk.io