
Rapid Exploitation and Clever Malware in the Supply Chain, Last Week In AppSec (2026-04-02)

ID: 72dfb5b7-efb6-50bf-8b65-beda0cbc450f

STIX ID: report--72dfb5b7-efb6-50bf-8b65-beda0cbc450f

Feed Name: Checkmarx Zero

Threat Score: 80/100

Date Published: 2026-04-02

Date Updated: 2026-04-27

Author: Darren Meyer


Checkmarx reports two supply-chain-related threats. The first is a Langflow code-injection vulnerability (CVE-2026-33017), now listed in CISA's Known Exploited Vulnerabilities catalog. The second is a pair of malicious telnyx Python package releases (4.87.1 and 4.87.2) that fetched .wav files containing hidden executable payloads, which harvest system information and exfiltrate it to 83.142.209.203. The affected package versions were removed from public repositories but may persist in private registries.
