
45 Days Early on LiteLLM. 20 Days Early on NGINX-UI. CISA Caught Up Today.

  • Writer: Patrick Duggan

CISA added CVE-2026-42208 — the BerriAI LiteLLM SQL injection — to the Known Exploited Vulnerabilities catalog on May 8. CVSS 9.8. Federal agencies have until May 29 to patch it.


We indexed LiteLLM C2 infrastructure on March 30. We named LiteLLM as compromised on March 24. We named NGINX-UI as actively exploited on April 20.


This is the quantified ledger. The math is uncomfortable.



The receipts, in order


March 19, 2026. TeamPCP poisoned 76 of 77 release tags in Aqua Security's Trivy-Action repository. The security scanner started stealing CI/CD secrets from the infrastructure it was hired to protect. We published the kill-chain reconstruction.


March 24, 2026. TeamPCP published backdoored LiteLLM versions 1.82.7 and 1.82.8 to PyPI. LiteLLM is the LLM gateway library that sits in front of GPT-4, Claude, Gemini, Mistral, and most multi-model AI proxy stacks in production. Same actor. Same harvester pattern. We published "One Actor, Three Supply Chains: How TeamPCP Chained Trivy, LiteLLM, and Telnyx Into a Single Kill Chain."


March 27, 2026. TeamPCP dropped two malicious Telnyx Python SDK versions to PyPI — v4.87.1 and v4.87.2 — with the credential harvester hidden inside a WAV file. Steganography. The PyPI token used to publish the Telnyx packages was harvested from the LiteLLM compromise three days earlier. The chain closed.


March 30, 2026. We indexed the IOCs. litellm==1.82.7 and litellm==1.82.8 went into the iocs index with malware family TeamPCP-Cipherforce, sourced from our github-hunt cron and Maltrail correlation. So did scan.aquasecurtiy.org — the Trivy typosquat C2 — and multiple trycloudflare.com staging domains: championships-peoples-point-cassette, investigation-launches-hearings-copying, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io.


April 4, 2026. The models.litellm.cloud domain hit our feed via SSL blacklist. The infrastructure was still operational. We left it indexed.


April 20, 2026. We published "Anthropic's MCP Has a Critical RCE Vulnerability. We Don't Use MCP. Here's Why." We named MCP Inspector. We named LibreChat. We named Windsurf. We named LiteLLM again. We named Langchain-Chatchat. We named NGINX-UI and flagged it as actively exploited with 2,600 vulnerable instances on Shodan. We referenced OX Security's April 15 disclosure. We referenced vulnerablemcp.info. We explained that we ship twelve integrations and none of them use MCP because every single one is a thin HTTP client that calls a REST API.


May 4, 2026. teampcp-react.service hit our IOC index from an Elastic Security vendor blog. The crew is still operational, six weeks after the original compromise. The harvested credentials from Trivy and LiteLLM are still being burned through new infrastructure.


May 8, 2026. CISA added LiteLLM CVE-2026-42208 to KEV.


That is 45 days after we indexed the C2 infrastructure. That is 45 days after we named the actor and the technique and the kill chain.
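A dependency manifest can be checked against the backdoored PyPI releases named in the timeline above. This is an added example, not code from the original post or the author's tooling: the `scan` function, the verdict labels and the sample file are constructed for illustration, and the version table holds only the versions this page names.

```python
import re

# Backdoored releases named in the timeline above (values from this page only).
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}, "telnyx": {"4.87.1", "4.87.2"}}

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_SPEC = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9A-Za-z.*+!-]+)")


def _key(version):
    """Numeric tuple for simple release versions such as 1.82.7 or 1.82.*"""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _allows(op, want, bad):
    """True if a single specifier clause (op, want) admits version `bad`."""
    w, b = _key(want), _key(bad)
    if op in ("==", "===", "!="):
        same = b[:len(w)] == w if want.endswith(".*") else b == w
        return same if op != "!=" else not same
    if op == "~=":  # compatible release: >= want, same prefix minus last part
        return b >= w and b[:len(w) - 1] == w[:-1]
    return {"<": b < w, "<=": b <= w, ">": b > w, ">=": b >= w}[op]


def scan(requirements_text):
    """Return [(line_no, package, verdict, bad_versions)] for risky lines."""
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), 1):
        # Drop comments, environment markers, hashes and line continuations.
        line = raw.split("#", 1)[0].split(";", 1)[0].split(" --hash", 1)[0]
        m = _REQ.match(line.strip().rstrip("\\").strip())
        if not m:
            continue  # pip options (-r, -e, --hash) and blank lines
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name
        clauses = _SPEC.findall(m.group(2))
        hits = sorted(v for v in COMPROMISED.get(name, ())
                      if all(_allows(op, w, v) for op, w in clauses))
        if hits:
            exact = any(op in ("==", "===") and "*" not in w for op, w in clauses)
            findings.append((no, name, "PINNED" if exact else "RANGE_ALLOWS", hits))
    return findings


# Constructed requirements file, for illustration only.
SAMPLE = """\
LiteLLM[proxy]==1.82.7 \\
    --hash=sha256:<placeholder>
telnyx>=4.80,<5
litellm==1.82.6
Telnyx==4.87.2  # constructed CI pin
litellm>=1.82.9
"""
```

`PINNED` means the manifest names a compromised release exactly; `RANGE_ALLOWS` means the specifier would admit one on a fresh resolve, so the lock file or installed environment still needs to be checked.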



Why this matters


The KEV catalog is supposed to be the authoritative list of "things that are getting people right now." Federal agencies treat it as the patch-priority signal. Mid-market security teams treat it the same way. Vendors point to it. Auditors check it.


When KEV is 45 days behind the IOC index of a two-person Minnesota LLC, that is not a small problem. That is the soft surface bleeding.


It means the LiteLLM SQL injection was being exploited in production environments for at least six weeks while CISA had no public signal. It means anyone reading the KEV catalog was patching the wrong things first. It means the financial institutions building agentic AI on LiteLLM — and there are many of them — inherited an unpatched command-injection flaw for a month and a half.


We are not the smartest people on the internet. We are not the most resourced. We do not have a billion-dollar threat-intel budget and we do not have a thousand-engineer detection team. We have a Bloom filter for novelty checks. We have Meilisearch cross-index correlation. We have a github-hunt cron that runs at 08:15 UTC every day. We named TeamPCP and indexed their infrastructure because the data was visible and the methodology is the one we always run.


The math is not a flex. The math is the indictment.



The stacked ledger so far


Forty-three days early on Lynx before they hit ACN Healthcare. Twenty-eight days early on Handala before they hit Dubai for six petabytes. Thirty-nine days early on Medtronic before Microsoft published the vish chain we had warned about. Forty-five days early on LiteLLM before CISA put it in KEV. Twenty days early on NGINX-UI before the same agency caught up to the same vendor list we published.


Five entries in the quantified ledger. The pattern is not luck. The pattern is the methodology.



What we are doing about it


LiteLLM IOCs stay in the iocs index. The TeamPCP-Cipherforce family tag stays attached. The STIX feed continues to serve the indicators to the 275-plus consumers in 46 countries who pull it daily. Microsoft is one of them. AT&T is one of them. Starlink is one of them.


We are publishing this post because the receipts are stacked and the math should be visible. We are publishing this post because the operators inside vendor security teams who are about to be asked "why did we patch this 45 days after a Minnesota LLC named it" deserve to know the answer was sitting in a STIX feed they could have subscribed to.


We are not waiting for KEV to be our prediction engine. We are KEV's prediction engine. Quietly, for six weeks at a time, until the day the math is too obvious to ignore.


Today is one of those days.


— Patrick Duggan, May 10, 2026



