Bad Dependencies Podcast

From Trivy to LiteLLM: The Domino Effect of TeamPCP’s Attack



In this episode of Bad Dependencies, Mackenzie and security researcher Charlie Erickson break down a fast-moving software supply chain attack led by Team PCP. Starting with the compromise of Trivy, the attackers leveraged stolen credentials to spread into ecosystems like NPM and LiteLLM, impacting widely used developer tools and AI infrastructure. The conversation explores how the attack evolved, including worm-like behavior, credential harvesting, and ransomware tactics. Charlie shares real-time insights into the attackers' methods, motivations, and the ongoing nature of the incident, along with practical advice on mitigation such as credential rotation, dependency pinning, and securing CI/CD pipelines.


Bad Dependencies Podcast, by Mackenzie Jackson