This was the week you could write as a list. TeamPCP hit another package. Iran hit another inbox. Healthcare had another breach. Authentication failed again.
But that’s not the real story. The real story is that all of those things happened through trust, not through walls. The package you installed from a known publisher. The auth flow that’s supposed to work. The AI tooling your team shipped last sprint. That’s where the week’s attacks lived.
TeamPCP kept expanding, picking off developer tooling at a rate of roughly one new target every few days. Trivy. LiteLLM. VS Code extensions. npm packages. Then the Telnyx Python SDK, versions 4.87.1 and 4.87.2, delivering ransomware through audio files used as payload carriers. Telnyx’s infrastructure wasn’t compromised, but anyone who installed those versions during the window needs to treat the host as owned.
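A quick way to find exposure to the two Telnyx SDK versions named above, as an added example that is not part of the original post: it checks the current Python environment and scans pinned requirements or `pip freeze` text. The PyPI distribution name `telnyx` is an assumption, and the sample requirements text is constructed.

```python
import re
from importlib import metadata

# Versions named in the post. The PyPI distribution name "telnyx" is an assumption.
PACKAGE = "telnyx"
BAD_VERSIONS = {"4.87.1", "4.87.2"}

# name[extras] == version, as written by `pip freeze` or a pinned requirements file
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)")

def normalize(name):
    """PEP 503 normalization: runs of -, _ and . compare equal, case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_pins(text, source="<input>"):
    """Return (source, line_no, version) for each pin of PACKAGE at a listed version."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS:
            hits.append((source, no, m.group(2)))
    return hits

def installed_hit():
    """Return the installed version if it is one of the listed ones, else None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

# Constructed sample input, not taken from a real project; "[extra]" is a placeholder.
SAMPLE = """\
requests==2.32.3
Telnyx==4.87.1 ; python_version >= "3.9"
telnyx[extra]==4.87.2 \\
    --hash=sha256:0000
telnyx==4.87.0  # a version the post does not list
# telnyx==4.87.2 commented out
"""

if __name__ == "__main__":
    for src, no, ver in scan_pins(SAMPLE, "sample-requirements.txt"):
        print(f"{src}:{no}: {PACKAGE}=={ver} is a version named in the post")
    print("installed:", installed_hit() or "no listed version in this environment")
```

A clean result only covers the environment and files checked at that moment; a host that installed either version earlier and later upgraded still falls under the "treat the host as owned" advice, so build logs and package caches are worth checking too.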
AI infrastructure got its “this is real now” moment. Langflow had a critical RCE exploited within about 20 hours of disclosure. The NCSC put out guidance saying AI-generated code poses material risk right now, not theoretically. MCP injection is still being mapped out in public, with enterprise controls lagging far behind. The governance problem is real and most organizations haven’t started.
Authentication bypass wasn’t one incident. Device-code phishing kept hitting Microsoft 365 at scale. Cloudflare’s annual report said session and token abuse is the primary identity threat, not brute force. If you’re resetting passwords after phishing and calling it handled, you’re probably not done. The token lives on.
Iran went personal. The FBI confirmed Handala compromised Kash Patel’s personal email. It wasn’t a network breach; it was personal photos and documents. The goal wasn’t secrets. It was leverage. Senior leaders in any high-stakes sector are targets under this model, and personal accounts are the soft path in.
Healthcare had three separate breach disclosures in one week (NYC Health and Hospitals, Cerballiance, and Coastal Carolina Health Care), all pointing back to third-party access pathways. This story doesn’t change. The frequency does.
BPFDoor is sitting in telecom backbone infrastructure, nearly invisible to standard tooling, and it didn’t get the attention it deserved this week because the louder stories were louder. It should be on your radar.
The bright spot: the FTC settled with data broker Kochava over sensitive geolocation data tied to clinics and shelters. Concrete limits, deletion obligations. One of the rare weeks where something actually improved.
And the one we missed: F5 BIG-IP APM went from DoS to actively exploited RCE and landed on CISA’s KEV list late in the week. If you have BIG-IP APM deployments, treat this as an emergency patch, not a queue item.
Full breakdown, five Monday-morning actions, and the strange story of Anthropic accidentally publishing draft content about their own “cybersecurity risk” model: