Two developments sit entirely outside the original six-theme forecast.
AI infrastructure became a supply chain target in its own right. LiteLLM’s own security bulletin lays it out: a threat actor group tracked as TeamPCP compromised the CI/CD pipeline of the Trivy security scanner, which cascaded into maintainer credentials for LiteLLM itself, an AI gateway package used across a lot of agent frameworks and MCP servers. Two malicious package versions hit PyPI on March 24, 2026, and were pulled within roughly three hours. That’s fast, but not fast enough; the payload had already grabbed cloud credentials, SSH keys, and Kubernetes secrets[12].
Edge network appliances took a mass credential-harvesting hit. CISA’s June 2026 advisory on the campaign now called FortiBleed describes large-scale credential theft against internet-facing Fortinet firewalls, putting the confirmed number at roughly 74,000 devices[13].
Fortinet’s own PSIRT team, in its June 19 blog post responding to the campaign, did not publish its own device count, but was explicit about the mechanism: the activity involved threat actors reusing credentials from earlier incidents and brute-forcing devices with weak password hygiene and no MFA enabled, not a new vulnerability[15].
Independent researcher tracking, cited in third-party coverage of the campaign, put the device count higher than CISA’s figure, though that number does not come from Fortinet itself. CISA and the UK’s National Cyber Security Centre both issued guidance within days of disclosure.
