
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Wednesday, March 25th, 2026: IP KVM Usage; TeamPCP, Trivy, liteLLM and More
Mar 25, 2026
A deep dive into detecting IP KVM devices and the quirks of device strings to watch for. A breakdown of the Team PCP supply chain compromise that hijacked a popular security scanner and how CI/CD secrets were exposed. Discussion of propagation to other tools, credential exposure via an LLM proxy, a Kubernetes wiper aimed at Iran, and practical mitigations like pinning and secrets management.
Detect IP KVMs Via USB Strings And EDID
- Detect IP KVMs by inspecting USB device strings and monitor EDID data to find identifiable names like Sipeed NanoKVM or PiKVM.
- Johannes Ullrich tested the Sipeed NanoKVM, which reports its name, and PiKVM, which exposes model strings in HDMI EDID, making detection possible.
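
The EDID check described above, as an added example that is not from the episode or the diary behind it: it validates a 128-byte EDID base block, extracts the vendor ID and text descriptors, and matches them against a watchlist. The watchlist substrings and both sample blocks are constructed assumptions, not strings captured from real devices.

```python
EDID_HEADER = bytes.fromhex("00ffffffffffff00")
TEXT_TAGS = {0xFC: "name", 0xFE: "text", 0xFF: "serial"}
# Assumed watchlist: lowercase substrings, compared with spaces and dashes removed.
KVM_HINTS = ("nanokvm", "pikvm")


def parse_edid(edid: bytes) -> dict:
    """Return the vendor PNP ID and the text descriptors of an EDID base block."""
    if len(edid) < 128 or edid[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    if sum(edid[:128]) % 256:
        raise ValueError("EDID checksum mismatch")
    raw = int.from_bytes(edid[8:10], "big")  # three packed 5-bit letters, 1 = 'A'
    info = {"vendor": "".join(chr(((raw >> s) & 0x1F) + 64) for s in (10, 5, 0))}
    for off in range(54, 126, 18):  # four 18-byte descriptors
        d = edid[off:off + 18]
        if d[:3] == b"\x00\x00\x00" and d[3] in TEXT_TAGS:
            text = d[5:18].split(b"\n")[0].decode("ascii", "replace").strip()
            info.setdefault(TEXT_TAGS[d[3]], []).append(text)
    return info


def kvm_hits(edid: bytes) -> list:
    """Return the descriptor strings that match the watchlist."""
    info = parse_edid(edid)
    strings = [s for key in TEXT_TAGS.values() for s in info.get(key, [])]
    return [s for s in strings
            if any(h in s.lower().replace(" ", "").replace("-", "") for h in KVM_HINTS)]


def build_sample(vendor: str, name: str) -> bytes:
    """Construct a minimal EDID block for testing (not captured from a device)."""
    edid = bytearray(128)
    edid[:8] = EDID_HEADER
    raw = 0
    for ch in vendor:
        raw = (raw << 5) | (ord(ch) - 64)
    edid[8:10] = raw.to_bytes(2, "big")
    edid[18:20] = b"\x01\x03"  # EDID version 1.3
    text = (name.encode("ascii") + b"\n").ljust(13, b" ")[:13]
    edid[54:72] = b"\x00\x00\x00\xfc\x00" + text
    edid[127] = -sum(edid[:127]) % 256  # checksum byte makes the block sum to 0
    return bytes(edid)


if __name__ == "__main__":
    for sample in (build_sample("XYZ", "PiKVM V4"), build_sample("DEL", "DELL U2415")):
        print(parse_edid(sample), kvm_hits(sample))
```

On Linux, the kernel exposes each connector's raw EDID under `/sys/class/drm/`, so the same functions can be pointed at those files on the host the display is attached to.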
Attackers Replace Releases To Evade Version Checks
- Team PCP used exposed CI/CD credentials to push malicious artifacts into Aqua Security's Trivy Visual Studio Code extension.
- The attackers replaced existing Trivy releases (not new versions) so users pinned to tags could receive the malicious binary.
Supply Chain Compromise Can Cascade Through Dependent Projects
- The Trivy compromise cascaded into other projects when attackers stole credentials and pushed malicious code, turning a single compromise into a multi-level supply chain incident.
- LiteLLM was later found infected, exposing LLM credentials because it centralizes model API keys.
