Hard Perimeter Holds. Soft Surfaces Bleed. Seven Receipts From Thirty Days.
- Patrick Duggan
The standard threat-intel headline reads "Company X got breached." It's almost never true. The hard perimeter — auth, ingress, core systems, EDR, the things companies spend security budget on — mostly holds. What gets compromised is the soft middle: third-party libraries, data-labeling vendors, telemetry SaaS, sandboxed runtimes, signed-update channels, dependency trees, identity trust relationships. The perimeter is a chain-link fence around a building with the back door wide open.
OpenAI is the canonical illustration this week. Five distinct security incidents in six months, four of them not direct OpenAI compromise: a third-party developer library (Axios), a data-labeling vendor (Mercor via LiteLLM), a telemetry SaaS (Mixpanel), and a sandboxed-runtime escape (the Check Point ChatGPT outbound channel). Only one — the Codex GitHub-credential bug — was native code. OpenAI's hard perimeter held in all five. The soft trust-boundary surfaces leaked four times.
This is not unique to OpenAI. It is the shape.
Seven receipts, last thirty days
The data backing the pattern, from our threat-intel index. Each entry is a real compromise event, attributed where possible, with the soft surface that bled.
1. Handala / Intune-as-Wiper (March 16, 2026). Iran/MOIS-aligned actor weaponized Microsoft Intune — a legitimate mobile device management platform — by compromising upstream Active Directory and pushing Intune-distributed wipe payloads to ~200,000 devices including bring-your-own. 50TB of data exfiltrated. 79 offices taken offline. The Microsoft Intune product was not vulnerable. The Active Directory trust relationship was. Soft surface: identity / management plane. Defender note: your MDM is your blast radius.
2. Iranian APT vs Rockwell Allen-Bradley PLCs (April 7, 2026, joint FBI/CISA/NSA/EPA/DOE/CYBERCOM advisory AA26-097A). Cyber Av3ngers / Shahid Kaveh Group, IRGC-CEC affiliate. Internet-exposed PLCs at U.S. critical infrastructure operators. The PLCs were still exposed to CVE-2021-22681, a five-year-old authentication bypass. The hard perimeter — the corporate firewall — was irrelevant because the PLC itself was the perimeter. Soft surface: device misclassification. Defender note: anything with a public IP is part of your attack surface, including OT devices that "weren't supposed to be exposed."
3. TeamPCP / LiteLLM 1.82.7 + 1.82.8 (March 24, 2026). PyPI package compromise of an LLM-gateway library that's used by basically every multi-model AI proxy stack. C2 ran through Internet Computer Protocol blockchain (tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io in our IOC index) plus a Telnyx-derived pivot. The package versions are tagged in our IOC index right now. Soft surface: AI infrastructure dependency. Defender note: pin AI gateway dependencies as if they were critical infrastructure, because they are.
4. Smart Slider 3 WordPress plugin (April 7-8, 2026). Vendor's official auto-update channel was hijacked. Version 3.5.1.35 shipped a weaponized RAT inside a roughly six-hour window before takedown. Every site running auto-updates pulled the malicious version automatically. Soft surface: signed update channel. Defender note: auto-update without a delay-and-verify window is a hot stove.
5. Axios npm RAT (March 31, 2026). A top-100 npm developer library shipped a malicious version. C2 at sfrclak.com:8000 routed through 142.11.206.73. The infrastructure was pre-staged eighteen hours before the malicious package was published. That detail matters: this was operationally planned, not opportunistic. The downstream blast radius includes OpenAI's macOS desktop application, whose code-signing certificate was rotated as a precaution effective May 8, 2026. Soft surface: registry-level dependency. Defender note: a popular dependency is a soft surface by definition; a minimum-release-age policy is the practical mitigation.
6. PromptMink / DPRK Famous Chollima (April 29, 2026). North Korean actor shipped npm packages with layered wrapper architecture: @solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core and others. The top-level package is clean and provides real functionality. The malicious payload lives in a transitive dependency two hops down where nobody reads. Soft surface: dependency-tree obfuscation. Defender note: most security review stops at direct dependencies. The attack lives at depth 2.
7. pgserve npm + 48-hour triple-registry sweep (April 29 - May 1, 2026, GitGuardian). A postinstall hook in the pgserve npm package self-propagated by exfiltrating publish tokens and using them to push compromised versions of OTHER packages. The campaign hit npm, PyPI, and Docker Hub concurrently in a 48-hour window. Soft surface: registry credentials + cross-ecosystem propagation. Defender note: registry attacks are now multi-ecosystem and self-replicating; one infected developer machine becomes the next publisher. Publish from CI with short-lived, scoped credentials (npm and PyPI both support OIDC trusted publishing) rather than long-lived tokens on developer machines, so a token lifted from a workstation cannot push a release.
The pattern, drawn
Of the seven incidents, zero involved a direct compromise of the victim's hardened perimeter. Every one is a trust-boundary failure at a soft surface:
Identity trust (Handala / Intune)
OT device misclassification (Iranian PLC)
AI infrastructure dependency (TeamPCP / LiteLLM)
Signed update channel (Smart Slider 3)
Registry-level dependency (Axios npm)
Dependency-tree obfuscation (DPRK / PromptMink)
Multi-ecosystem registry credential propagation (pgserve)
Add OpenAI's 4-of-5 ratio (Mixpanel, Axios, Mercor/LiteLLM and the Check Point runtime exfil at soft surfaces; the Codex injection in native code), incidents that fall partly outside the thirty-day window, and we are looking at twelve major incidents, eleven of them at soft surfaces, one at native code.
Why the defender model still optimizes for perimeter
The honest answer is that perimeter security is observable, vendor-friendly, and easy to budget for. There is a SKU for the firewall. There is no SKU for "audit your transitive npm dependency tree weekly, apply a minimum-release-age policy on critical packages, verify the fingerprint of the code-signing certificate on the binaries you ship against the vendor's published rotations, and watch your MDM for unusual mass-deploy events from a compromised AD." Those are operational disciplines, not products.
This is precisely why the soft surfaces bleed. The attacker only needs one. The defender has to cover all of them, with no off-the-shelf product to point at. The asymmetry favors the attacker by design.
What defenders should do this week
Three concrete actions that address the soft-surface category, not specific CVEs:
Apply a minimum-release-age policy on critical packages. OpenAI now wishes they had this on Axios. A 24-48 hour staging window between an npm/PyPI publish and your production install catches most supply-chain attacks before they reach you, because somebody else's incident response usually gets there first (the Smart Slider 3 window above was roughly six hours). This is a policy change, not a tool purchase; pnpm exposes it directly as the minimumReleaseAge setting, and any package manager can be wrapped with a check against the registry's publish timestamps.
Audit your transitive dependency tree, not just direct dependencies. The PromptMink layered-wrapper attack lives two hops down. Most security review never gets there. Tools like npm audit --omit=dev, pip-audit, cargo audit will surface the obvious, but only what already has an advisory; a package compromised this morning has none yet. The harder discipline is reviewing the actual code paths your top-level package pulls in, starting with anything that declares an install script.
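One way to put the first two actions into code, as an added example that is not from the original post or from any project it names: walk an npm package-lock.json, compute how many hops below the root each installed package sits, flag every package with an install script (with its depth), and flag every version younger than the staging window by comparing the lockfile version against the registry's per-package time map. The lockfile, package names, timestamps and the frozen clock below are constructed samples so the script runs offline.

```python
"""Lockfile audit: dependency depth, install scripts and minimum release age.

Added example, not code from the post or from any project it names.
Reads an npm package-lock.json (lockfileVersion 3) plus the 'time' map the
npm registry returns for a package (GET https://registry.npmjs.org/<name>).
Both inputs here are constructed samples with hypothetical package names.
"""
from collections import deque
from datetime import datetime, timedelta, timezone
import json

# Constructed lockfile. 'wrapper-sdk' is the clean top-level package; it
# pulls 'helper-utils', which pulls 'deep-loader', an install script two hops
# below anything a reviewer looked at. 'axios' appears twice: hoisted to the
# root, and nested under wrapper-sdk at an older version.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"wrapper-sdk": "^1.0.0", "axios": "^1.7.0"}},
    "node_modules/wrapper-sdk": {"version": "1.0.3",
         "dependencies": {"helper-utils": "^2.0.0", "axios": "^0.21.0"}},
    "node_modules/wrapper-sdk/node_modules/axios": {"version": "0.21.4"},
    "node_modules/helper-utils": {"version": "2.1.0",
         "dependencies": {"deep-loader": "^0.4.0"}},
    "node_modules/deep-loader": {"version": "0.4.2", "hasInstallScript": true},
    "node_modules/axios": {"version": "1.7.9"}
  }
}""")

# Constructed stand-in for each package's registry 'time' map ({version: ISO}).
REGISTRY_TIME = {
    "wrapper-sdk": {"1.0.3": "2026-04-20T10:00:00.000Z"},
    "helper-utils": {"2.1.0": "2026-03-02T08:00:00.000Z"},
    "deep-loader": {"0.4.2": "2026-04-29T03:15:00.000Z"},
    "axios": {"1.7.9": "2025-12-01T00:00:00.000Z",
              "0.21.4": "2021-06-01T00:00:00.000Z"},
}
NOW = datetime(2026, 4, 30, tzinfo=timezone.utc)  # frozen clock for the sample


def resolve(packages, from_path, name):
    """Mirror npm's lookup: the nearest enclosing node_modules holding `name`."""
    base = from_path
    while True:
        key = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if key in packages:
            return key
        if not base:
            raise KeyError(f"{name} required by {from_path!r} is not in the lockfile")
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_depths(lock):
    """BFS from the root entry; depth 1 = direct dependency. {lock path: depth}."""
    packages = lock["packages"]
    depths, queue = {}, deque([("", 0)])
    while queue:
        path, depth = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            key = resolve(packages, path, dep)
            if key not in depths:            # shortest path to the package wins
                depths[key] = depth + 1
                queue.append((key, depth + 1))
    return depths


def package_name(path):
    return path.rsplit("node_modules/", 1)[1]


def audit(lock, registry_time, now, min_age_hours=48):
    """Findings: install scripts anywhere in the tree, versions with no known
    publish time, and versions younger than the staging window."""
    findings = []
    for path, depth in sorted(dependency_depths(lock).items()):
        entry = lock["packages"][path]
        name, version = package_name(path), entry["version"]
        if entry.get("hasInstallScript"):
            findings.append({"kind": "install_script", "package": name, "version": version,
                             "depth": depth, "detail": "runs code at install time; read it"})
        published = registry_time.get(name, {}).get(version)
        if published is None:
            findings.append({"kind": "unknown_publish_time", "package": name,
                             "version": version, "depth": depth,
                             "detail": "no registry timestamp; do not install blind"})
            continue
        age = now - datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if age < timedelta(hours=min_age_hours):
            findings.append({"kind": "too_young", "package": name, "version": version,
                             "depth": depth, "detail": f"published {age.total_seconds() / 3600:.1f}h ago, "
                                                       f"inside the {min_age_hours}h staging window"})
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE, REGISTRY_TIME, NOW):
        print(f"{f['kind']:<20} {f['package']}@{f['version']} depth={f['depth']}  {f['detail']}")
```

Run against the sample, the only package that trips either check is deep-loader: it sits three hops from the root, declares an install script, and was published about 21 hours before the frozen clock, so a 48-hour window would have held it back. Wire this into CI between lockfile update and install, and fail the build on any too_young or unknown_publish_time finding; review install_script findings by hand, whatever their depth.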
Treat your management plane as your highest-risk asset. Intune, AAD, your MDM, your secret manager, your CI/CD runner — these are not "internal tools." They are the single most concentrated attack surface in your environment. Any compromise of these surfaces makes every endpoint downstream a target. Inventory who has admin on each. Rotate keys quarterly. Audit logs weekly.
If you do not have time to do all three, do the first one. It is free, and it would very likely have kept the malicious Axios version out of OpenAI's build and spared the cert rotation.
The reframe
The next time a major company has a security incident, ask "did the perimeter fail, or did a soft surface leak?" The answer is almost always the second. Once you start reading incidents this way, the headlines stop surprising you, and the actual defender work becomes obvious.
The hard perimeter holds. It nearly always has. The soft surfaces bleed. Audit accordingly.
Verifying any claim in this post
Every IOC and CVE referenced is in our public threat-intel index. Sample queries:
https://analytics.dugganusa.com/api/v1/search/iocs?q=TeamPCP — 31 TeamPCP-attributed indicators
https://analytics.dugganusa.com/api/v1/search/iocs?q=sfrclak — Axios npm attack infrastructure (six independent sources)
https://analytics.dugganusa.com/api/v1/search/iocs?q=litellm — compromised LiteLLM package versions plus C2
https://analytics.dugganusa.com/api/v1/search/blog?q=Pattern+38 — our supply-chain coverage trail
https://analytics.dugganusa.com/api/v1/search?q=AA26-097A — Iranian PLC advisory cross-references
Free tier is rate-limited at 500 queries per day. There is no per-seat pricing. If you defend infrastructure, that is enough to validate every line above.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
