Slopsquatting:NorthKoreanAPTsExploitLLMHallucinations

◆ DEEP DIVES

1. 01

   Slopsquatting: Your AI Coding Agent Is Now a Supply Chain Attack Vector

   The Mechanism Is Boring, Which Is Why It Works

   An LLM suggests import requests-auth-helper; the package does not exist yet, but a week later someone publishes it on npm or PyPI after watching suggestion logs or enumerating plausible names. The next agent run installs it, the payload executes at install time, and the developer never typed the name.

   The attacker does not need to guess what you will mistype. The model guesses for them.

   Call it hallucination-squatting at scale: one model, used by millions of developers, emits the same plausible-but-nonexistent name often enough that squatting it is a reliable yield. North Korean APT groups noticed before security teams did.

   Why Existing Controls Fail

   The failure mode compounds with MCP STDIO vulnerabilities disclosed this week: 150M+ affected downloads across 30+ disclosures and 10+ CVEs from one root cause in the Model Context Protocol transport layer. The framing layer parses untrusted bytes before any model code runs, so a hostile tool response reaches a local shell before anyone reads a prompt.

   The DAEMON Tools incident shows legitimate code signing certificates can be compromised. C2 ran over QUIC for 28 days undetected because most network monitoring treats QUIC as "UDP/443, probably Chrome," so the install looked signed and trusted while the payload executed anyway.

   The Fix Is Three Controls, None Default

   1. Lockfile verification in CI: reject any package not already in your manifest without explicit human approval, and gate AI-generated dependency additions specifically.
   2. Registry allowlist at the network layer: for fully agentic workflows (Devin-style), sandbox execution with registry allowlisting so the agent cannot reach arbitrary packages.
   3. Install-time sandboxing: so a malicious setup.py cannot read ~/.aws/credentials on first run. Socket.dev flags newly-published packages, and lockfile-lint enforces pre-approved manifests.

   ---

   Cross-Source Pattern

   Five independent sources flagged overlapping aspects of this threat this week, and the convergence tells the story: agent autonomy scales faster than agent auditing. The vector varies across slopsquatted packages, MCP STDIO RCE, and certificate-compromised installers, but the pattern holds: install-time code execution moved inside the agent loop, while lockfile gates and network allowlists stayed where they were a year ago.

   Action items

   • Add a pre-commit hook that fails on any new dependency not already in the lockfile — specifically targeting AI-generated additions
   • Disable auto-installation in AI coding agent configs (Copilot, Cursor, Claude Code) — set agents to read-only mode for dependency manifests
   • Deploy CI rule: reject any package whose name was added to lockfile in the last 7 days without a human-authored commit touching the manifest
   • Inventory all MCP-compatible tooling and assess STDIO transport usage; sandbox AI coding agents in containers with restricted network and filesystem access

   Sources:CSO First Look · TLDR InfoSec · Daniel Miessler · The Hacker News · Risky.Biz

2. 02

   PAN-OS Active Exploitation + Code Signing Trust Collapse — Two Fires, One Week

   PAN-OS CVE-2026-0300: The Firewall Is the Foothold

   Buffer overflow in the management plane, confirmed exploited in the wild, with scanning live before most teams finished standup. No misconfiguration required. Exposure is the bug. If the management interface is reachable from anything not under your own control, that is the fire.

   Patch ETA is mid-to-late May, which is two more weeks of exposure on the late end. The only mitigation is access restriction: VPN, IP allowlist, or offline.

   The perimeter device is only a perimeter while it is not the foothold.

   Post-compromise behavior follows a pattern. Persistence lands on the appliance itself, because rebooting a firewall does not feel like incident response. Check logs for unexpected admin sessions, new config commits, and outbound connections to anything that is not a known update endpoint.

   cPanel: 44,000+ Hosts, 64-Day Window

   CVE-2026-41940 (CVSS 9.8), a CRLF injection auth bypass in cPanel/WHM, was exploited for 64 days before disclosure. The tally: 7,135 hosts with ransomware, 15,448 hosts participating in attacks in a single day, and a Mirai variant deployed for DDoS. "Sorry" ransomware uses ChaCha20 (fast, no AES-NI dependency on older shared hosts) with RSA-2048 key wrapping. Textbook and unbreakable without the key.

   The real failure is inventory. The cPanel box someone spun up for a marketing site three years ago. The staging environment inherited from an acquisition. Without a complete cPanel inventory there is no claim of safety.

   DAEMON Tools: Signing Trust Is Not Safety

   A valid certificate chain and the real distribution source delivered malware for 28 days. Signing proves provenance, not intent. When the loader presents a valid chain to a trusted root, EDR code-integrity checks return true and telemetry gets downgraded to noise.

   Attack	Duration	Detection Gap
   PAN-OS CVE-2026-0300	Ongoing (no patch)	Management plane exposure
   cPanel CVE-2026-41940	64 days pre-disclosure	No tenant-level visibility
   DAEMON Tools	28 days	Valid signature bypassed EDR

   CISA's Response: 3-Day Patching

   CISA is floating compression of the remediation window from 14 days to 3. Three days is not a patch window. It is a release pipeline requirement. If production deploy currently takes a week, the math does not work. Release engineering needs emergency paths that are actually tested, not runbook entries that have never been exercised.

   Action items

   • Verify PAN-OS version across all Palo Alto devices and restrict management plane access to known IPs within 24 hours
   • Inventory all cPanel/WHM instances including shadow IT and acquisitions; patch or isolate by end of week
   • Audit code signing trust: pin allowlists to certificate thumbprints, not subject strings; instrument QUIC egress visibility
   • Measure your patch-to-production pipeline latency — can you ship a critical fix in under 72 hours including validation?

   Sources:CSO First Look · Daniel Miessler · The Hacker News · Risky.Biz · Techpresso

3. 03

   Multi-Token Prediction Ships Production-Ready — The Free 2-3x Inference Speedup

   What Actually Shipped

   Gemma 4's 78M-parameter MTP drafter landed in vLLM, SGLang, MLX, Ollama, and AI Edge on day zero. llama.cpp PR #22673 reports >2x throughput at ~75% acceptance with 3 draft tokens against Qwen3.6 27B. The mechanism is not new: a small model proposes k tokens, the big model verifies them in one forward pass, accepted prefixes advance the decode pointer.

   The Arithmetic

   1 + (3 × 0.75) = 3.25 tokens per verification cycle. At a 350:1 size ratio the drafter cost rounds to zero. The ceiling is acceptance rate on your traffic, not the benchmark's.

   This is a latency-SLA technique, not a throughput technique. If GPUs are already saturated, the drafter competes with your own requests for the same KV cache.

   What to Benchmark, In Order

   1. Acceptance rate on the actual prompt distribution. Code traffic and chat traffic do not share an acceptance curve.
   2. End-to-end latency at real batch sizes. Speculative decoding behaves differently under contention because verification competes for KV cache.
   3. Tail latency (p99). Mean improves while p99 degrades when rejections cluster.
   4. Throughput per GPU. The number finance cares about, quoted least often.

   Cross-Stack Context

   Shipping alongside this: a 60x cold-start reduction that serves weights from GPUs already holding them rather than pulling from cloud storage, and DeepMind's Decoupled DiLoCo at 88% goodput versus 27% standard with 240x less inter-datacenter bandwidth. The inference optimization surface is wide open this quarter.

   The honest version. 3x is a ceiling measured on favorable traffic with a warm cache. Production numbers will be lower. Deploy behind a flag you can roll back. At 78M parameters of overhead and no measured quality loss, the risk-reward is asymmetric.

   ProgramBench Reality Check

   Inference gets faster. ProgramBench still scores 0% on whole-repo generation (SQLite, FFmpeg, PHP compiler from spec). Models pass >50% of individual tests but cannot hold system coherence across hundreds of interacting components. The implication for agent architecture is to decompose into independently verifiable units. Single-shot whole-system generation is not a thing yet.

   Action items

   • Pull llama.cpp PR #22673 and benchmark MTP against your Qwen3/Gemma 4 models on actual workloads — measure acceptance rate, not just throughput
   • If running vLLM or SGLang in production, enable Gemma 4 MTP drafter on a canary deployment and measure tokens/sec delta against current config
   • Design agent architectures around verifiable sub-task decomposition — do not build whole-repo generation pipelines that assume single-shot correctness

   Sources:TLDR Dev · AINews · TLDR AI