Malware Hid in Bitwarden's CLI for 90 Minutes — Hunting Your AI Bot's Saved Keys

🚨 Malware Hid in Bitwarden’s CLI for 90 Minutes — and It Was Hunting Your AI Bot’s Saved Keys

OKAY SO a hacker crew slipped poison into the exact tools that nerds use to STAY safe — and the bullseye wasn’t your photos. It was your AI assistant’s password.

The receipts: A malicious copy of the Bitwarden tool sat live for ~90 minutes. The Checkmarx tool that got hit has 5,000,000+ downloads. 96 gigabytes of private company files ended up dumped on a leak site. And the stolen keys cascaded all the way into OpenAI and Vercel.

A crew calling itself TeamPCP spent two months quietly backdooring trusted developer tools. The wild part? The malware skipped your selfies and went straight for the little hidden files where your AI coding helpers (Claude Code, Cursor, Aider) keep their login keys. First reported by SecurityWeek, Sophos, and Microsoft Security.

🧩 Dumb Mode Dictionary (read this first, takes 20 seconds)
| Scary Word | What It Actually Means |
|---|---|
| Supply chain attack | Instead of robbing your house, they poison the delivery truck. You install a trusted tool, the poison comes free. |
| CLI | A “type-commands-instead-of-clicking” version of an app. Nerds love it. |
| npm package | A free Lego brick of code that devs download. Millions use the same brick. |
| Token / SSH key / credential | A saved password your computer uses so YOU don’t have to log in every time. Steal it = skip the login. |
| Exfiltrate | Fancy word for “quietly copy your stuff out the back door.” |
| AI coding tool | A bot (Claude Code, Cursor, Aider) that writes code for you. It logs in with a saved key — that’s what got stolen. |

📰 How we got here (the 2-month slow burn)

This wasn’t a smash-and-grab. TeamPCP played the long game:

  • Late Feb 2026 — They got into Trivy (a super-popular free security scanner) because somebody forgot to fully rotate an old password. Classic.
  • April 22 — They pushed a poisoned Bitwarden CLI (@bitwarden/cli version 2026.4.0) onto npm. It was live for about 90 minutes (5:57 PM → 7:30 PM ET). Tiny window, huge blast.
  • Same day — They tampered with Checkmarx KICS, a tool with 5 million+ downloads, sneaking bad versions under normal-looking tags like latest.
  • April 28 — 96 GB of Checkmarx’s private files showed up on the LAPSUS$ extortion site. Yikes.

Full timeline breakdown lives at gblock.app and Endor Labs.

🧠 The genuinely scary new part: it hunted the AI bots

Here’s the bit that made senior engineers sit up straight.

Old-school malware grabs everything and sorts it later. This one had a shopping list. It specifically went looking for the hidden config files of authenticated AI coding tools:

  • Claude Code
  • Cursor
  • Codex CLI
  • Aider
  • Kiro
  • Gemini CLI

Why? Because your AI helper logs into expensive services on your behalf — and it stores that login key in plain sight on your machine. Steal the AI’s key and you inherit its powers (and its bill). Per State of Surveillance, this is the first big wave treating the AI’s saved login as the prize. Plus the usual loot: GitHub tokens, SSH keys, shell history, cloud passwords.

📊 The damage, by the numbers
| Thing | Number |
|---|---|
| How long the poisoned Bitwarden tool was live | ~90 minutes |
| Downloads on the hit Checkmarx tool | 5,000,000+ |
| Private data dumped on leak site | 96 GB |
| Tools backdoored | 3 (Trivy, Bitwarden CLI, Checkmarx) |
| Big names hit downstream | OpenAI, Vercel |
| AI tools specifically targeted | 6 |

🗣️ What the timeline's saying
  • Devs: “I pulled latest that afternoon. Cool. Cool cool cool.” (rotating every key they own as we speak)
  • Security folks: the scary lesson isn’t one bad file — it’s that ONE poisoned brick flows into thousands of companies before anyone notices.
  • Normal people reading this: “wait, my AI app stores its password… just sitting in a file on my laptop?” Yeah. Yeah it does. Welcome.
  • The reused playbook (called “Shai-Hulud” by researchers) keeps coming back — SecurityWeek’s writeup calls it a pattern, not a one-off.

Cool. So Trusted Tools Can Be Poisoned and AI Keys Are Now Loot… Now What the Hell Do We Do? (ง •̀_•́)ง

Look — most of you aren’t getting hacked tomorrow. But this whole mess just opened a bunch of doors that nobody’s standing in front of yet. Here’s where the quiet money and the smart moves are hiding (before everyone catches on).

🪟 The Patch-Window Janitor

Every time one of these poisonings drops, thousands of small dev shops have NO idea if they pulled the bad version. There’s a 2-4 week panic window where everyone’s asking “am I affected?” and nobody has time to check. You become the person who checks.

You don’t need to be a hacker — you need a checklist and a calm voice. Free tools like Trivy itself (the clean version) and OWASP Dependency-Check literally scan for known-bad packages for free. You run the scan, you hand them a one-page “you’re clean / you’re cooked” report.
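A minimal version of that “did-this-hit-you” check, as an added example (not code from the original post or from Bitwarden): it walks a parsed package-lock.json in either lockfile layout and reports any install of @bitwarden/cli 2026.4.0, the release named above. The sample lockfile and the deploy-helper package in it are constructed.

```javascript
// Added example: flag known-bad npm releases recorded in a package-lock.json.
// The blocklist holds only the release named in this post.
const KNOWN_BAD = new Map([["@bitwarden/cli", new Set(["2026.4.0"])]]);
const NM = "node_modules/";

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/@bitwarden/cli". The name is what follows
// the last "node_modules/" (workspace entries carry an explicit name).
function scanPackagesMap(packages, bad, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    const i = path.lastIndexOf(NM);
    const name = meta.name || (i >= 0 ? path.slice(i + NM.length) : path);
    if (bad.get(name)?.has(meta.version)) {
      hits.push({ name, version: meta.version, where: path });
    }
  }
}

// Lockfile v1: nested "dependencies" tree, so recurse and keep the trail.
function scanDependencyTree(deps, bad, hits, trail) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (bad.get(name)?.has(meta.version)) {
      hits.push({ name, version: meta.version, where: here.join(" > ") });
    }
    scanDependencyTree(meta.dependencies, bad, hits, here);
  }
}

// v2 files carry both layouts; prefer "packages" to avoid double counting.
function findKnownBad(lock, bad = KNOWN_BAD) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, bad, hits);
  else scanDependencyTree(lock.dependencies, bad, hits, []);
  return hits;
}

// Constructed sample in lockfileVersion 3 shape; "deploy-helper" is made up.
// For a real project: JSON.parse(fs.readFileSync("package-lock.json", "utf8"))
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/deploy-helper/node_modules/@bitwarden/cli": { version: "2026.4.0" },
  },
};
console.log(findKnownBad(SAMPLE_LOCK));
```

A clean result covers only what that lockfile resolved; global installs (`npm install -g`) and CI caches have to be checked separately.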

🧠 Example: A 24-year-old freelancer in Lagos watches the npm advisories feed, DMs small startups within hours of each new poisoning, and charges a flat $150 for a “did-this-hit-you” audit. 6 clients in a bad week.

📈 Timeline: First paying check within a week of the next incident. Dries up about 3 weeks after each scare — so you ride the news cycle, not a steady salary.

🔑 The Key-Rotation Concierge

Here’s a thing 90% of small teams know they SHOULD do and never actually do: change all their saved login keys after a scare. It’s boring, it’s fiddly, everyone procrastinates. That procrastination is your product.

You build (or honestly, just hand-write) a dead-simple step-by-step “rotate everything in 30 minutes” guide for GitHub, AWS, npm, and the big AI tools. Sell the guide. Upsell doing it for them over a screen-share. The free reference to build it from is GitHub’s own token docs and AWS’s rotation guide.

🧠 Example: A part-time IT student in Manila sells a “Panic Button Key-Rotation Kit” PDF on Gumroad for $12, then charges $60 to walk a founder through it live. Pure boredom arbitrage.

📈 Timeline: Sales spike for ~10 days after every headline. Build 3-4 kits for different stacks so you’re never empty-handed.

🤖 The AI-Key Lockdown Guy

This is the fresh one nobody’s selling yet. Millions of people just installed Claude Code, Cursor, Aider — and almost NONE of them know their login key sits in a plain file. You become the person who locks that file down.

The play: a tiny, friendly walkthrough on moving those AI keys into a proper locked vault and setting them to auto-expire, so a stolen file = a useless file. The real docs you’d build this on are public — Anthropic’s API key best-practices and any free secrets manager like Doppler or Infisical (open source).

🧠 Example: A bootcamp grad in São Paulo posts a 4-minute “your AI bot’s password is naked, here’s the fix” video, links a $9 setup checklist, and slides into indie-hacker Discords. First mover on a worry nobody’s named yet.

📈 Timeline: Tiny niche today, big in 6 months as more people clock that AI keys are the new target. Plant the flag now while it’s empty.

📡 The Early-Warning Whisperer

Security news is loud, scattered, and written in nerd. Busy founders don’t have time to read 6 security blogs. So you become their 60-second filter. One job: “if a tool you use gets poisoned, you hear it from me first, in plain English.”

You watch a handful of free feeds — GitHub Advisories, The Hacker News, BleepingComputer — and the SECOND something relevant drops, you ping your list with “this affects you, here’s the 2-minute fix.” Not a newsletter about everything. A heads-up about their stuff only.

🧠 Example: A 22-year-old in Pune runs a free WhatsApp broadcast for 40 local startup founders, builds total trust, then charges $20/month for “tell me only what affects my exact tools.” Word-of-mouth does the rest.

📈 Timeline: Free trust-building for the first month, paid by month two. Plateaus around 50-100 subscribers solo — that’s the ceiling before you’d need help.

🕳️ The Dependency Detective (grey-hat flavored)

Spicier one. These attacks work because thousands of projects blindly trust packages with weak owners — abandoned accounts, no two-factor login, one maintainer who hasn’t logged in since 2023. That weakness is findable in public data, totally legally.

You comb public package registries for popular bricks sitting on fragile foundations, write up “here’s a soft target before someone poisons it” reports, and sell them to companies that depend on those bricks — OR responsibly report to the maintainers for bug bounty payouts. Same skill, two paydays. Start with the public npm and OpenSSF Scorecard data.

🧠 Example: A self-taught researcher in Cairo runs OpenSSF Scorecard across a company’s dependency list, finds 3 packages with zero two-factor protection, and reports it for a $400 bounty. Repeatable across any target with a public package list.

📈 Timeline: First finding in days if you’re sharp. The easy targets get cleaned up over ~2 months, so the low-hanging fruit has a real shelf life — move while it’s ripe.

🛠️ Follow-Up Actions
| If you want to… | Do this |
|---|---|
| Scan your own stuff for bad packages | Run Trivy or Dependency-Check — free |
| Lock your AI tool keys in a vault | Try Infisical or Doppler |
| Get warned when a tool you use is hit | Follow GitHub Advisories + BleepingComputer |
| Earn from finding weak packages | Sign up at HackerOne bounties |
| Sell a panic-fix kit | Spin up a Gumroad page in 10 minutes |

⚡ Quick Hits

| You Want | You Do |
|---|---|
| 🔍 Check if you pulled a bad version | Scan with Trivy today |
| 🔑 Stop your AI key from being naked loot | Move it into Infisical + set it to expire |
| 📡 Never get blindsided again | Bookmark GitHub Advisories |
| 💰 Turn this panic into pocket money | Sell a key-rotation kit on Gumroad |
| 🧠 Understand the full attack | Read the TeamPCP breakdown |

The malware didn’t want your password. It wanted the password your robot uses — and your robot left it lying on the floor.