No More Routers In The US - Threat Wire
Why It Matters
The rapid supply‑chain attacks and FCC router ban expose critical infrastructure gaps, forcing businesses to reassess vendor risk and prompting urgent policy responses to safeguard the U.S. internet ecosystem.
Key Takeaways
- Team PCP executed rapid supply‑chain attacks on multiple dev tools.
- Misconfigured GitHub Actions enabled credential theft and malicious package releases.
- FCC announced ban on all foreign‑made consumer routers, threatening supply.
- Delve compliance startup exposed for fraudulent audit reports and AI claims.
- Cloudflare analytics script injection discovered, prompting privacy‑focused disable.
Summary
The episode covers a wave of supply‑chain compromises by the threat actor known as Team PCP, alongside a sweeping FCC decision to ban foreign‑made consumer routers and a scandal involving compliance startup Delve. Alli Diamond walks through each incident, highlighting how the group leveraged misconfigured GitHub Actions to inject credential‑stealing malware into tools like Trivy, a static code scanner, and later compromised the LiteLLM library, harvesting SSH keys and persisting across Kubernetes clusters.
Key data points include the March 19‑24, 2026 timeline of four distinct attacks, each occurring within days of the last, and the FCC’s March 23 statement labeling foreign routers a national‑security risk after they were linked to Volt, Flax, and Salt Typhoon operations. The ban currently leaves no approved consumer routers on the market, exposing the United States’ reliance on offshore manufacturing. Meanwhile, Delve, an MIT‑origin compliance firm, was accused of generating fraudulent audit reports with a thin AI veneer, prompting client backlash and multiple exposé articles.
Notable examples feature the malicious commits pushed to Trivy’s GitHub Action repository, the back‑door payload embedded in LiteLLM versions 1.82.7/1.82.8 on PyPI, and the FCC’s quote that foreign routers “enable espionage and intellectual‑property theft.” Delve’s marketing claim of “Agentic AI to speed up compliance” was debunked as a pre‑filled template system lacking real automation.
The implications are stark: organizations must audit CI/CD pipelines and third‑party dependencies aggressively, policymakers face an imminent consumer‑router shortage, and the compliance‑as‑a‑service market may see tighter scrutiny. Combined, these developments underscore a growing convergence of supply‑chain vulnerability, regulatory action, and trust erosion in security‑focused SaaS offerings.
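One concrete form of the CI/CD audit called for above, as an added example that is not code from the episode or from the Trivy project: it scans a GitHub Actions workflow for action references that are not pinned to a full commit SHA (a mutable tag such as @master or @v4 follows whatever commit the action's repository points at, which is how a compromised action repository reaches every consumer) and for workflow‑wide write-all token permissions. The workflow text and the 40‑hex SHA are constructed samples; aquasecurity/trivy-action is the real action name, used only as an illustration.

```python
import re

# Constructed sample workflow (not taken from any real repository): two actions
# referenced by mutable tags, one pinned to a (fake, constructed) commit SHA,
# and a permissions block that hands the GITHUB_TOKEN write access to everything.
SAMPLE_WORKFLOW = """\
name: scan
on: [push, pull_request]
permissions: write-all
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""

# Matches "uses: owner/repo@ref" step lines; the capture is the full reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full-length lowercase hex commit SHA is the only immutable pin GitHub offers.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Workflow-level "permissions: write-all" grants every scope to every job.
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\s*$", re.MULTILINE)


def audit_workflow(text):
    """Return a list of human-readable findings for one workflow file's text."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are not third-party repo refs
        action, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(
                f"unpinned action: {action}@{version or '<none>'} "
                "(pin to a 40-hex commit SHA, not a tag or branch)"
            )
    if WRITE_ALL_RE.search(text):
        findings.append("permissions: write-all at workflow level; scope the token per job")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```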