TeamPCP Compromised Trivy and Turned CI/CD Pipelines Into Credential Theft Channels
A supply-chain attack against Aqua Security’s Trivy ecosystem let attackers publish malicious artifacts and hijack GitHub Action tags, turning a widely used security scanner into a credential stealer. Reporting indicates the intrusion began with abuse of a misconfigured GitHub Actions workflow and theft of privileged credentials, followed by incomplete containment that left residual access in place. Attackers then poisoned aquasecurity/trivy-action by force-updating 75 of 76 tags, compromised setup-trivy, and published a backdoored Trivy v0.69.4 release; later activity also pushed malicious Docker Hub images 0.69.5 and 0.69.6. The malware harvested GitHub tokens, cloud credentials, SSH keys, Kubernetes secrets, Docker configs, and other CI/CD data from runners and developer environments, encrypted the loot, and exfiltrated it to attacker-controlled infrastructure or fallback GitHub repositories such as tpcp-docs.
Researchers and vendor advisories linked the campaign to TeamPCP and described it as an expanding, multi-stage operation that also included a brief OpenVSX compromise of the Trivy VS Code extension, defacement of 44 repositories in Aqua Security’s internal aquasec-com GitHub organization, and follow-on compromises affecting Checkmarx tooling and the LiteLLM PyPI package. Aqua removed malicious artifacts, revoked tokens, restored safe references, and said commercial products were not affected, while GitHub and public advisories identified safe versions including Trivy 0.69.2/0.69.3, trivy-action 0.35.0, and setup-trivy 0.2.6. U.S. CISA added CVE-2026-33634 to the KEV catalog, and incident responders warned organizations that ran affected versions to assume full pipeline compromise, rotate all accessible secrets, audit workflow logs and GitHub activity, and pin GitHub Actions to immutable commit SHAs.

How this story unfolded
27 events from the most recent confirmed update back to the earliest known activity.
Axios npm package compromise attributed to North Korea-linked actor
By 2026-04-06, reporting described a separate compromise of the widely used Axios npm package in which malicious releases delivered a cross-platform RAT through a fake dependency. The incident was attributed by Google and Microsoft to a North Korea-linked threat actor.
CERT-EU confirms European Commission cloud breach from Trivy compromise
By 2026-04-03, CERT-EU confirmed that the European Commission’s Europa AWS hosting environment was breached through the Trivy supply-chain compromise tracked as CVE-2026-33634. The intrusion reportedly began with stolen AWS API keys on March 19, was detected on March 24, and led to exfiltration of 340 GB of data affecting 71 clients.
Cisco reportedly suffers downstream compromise linked to Trivy attack
By 2026-04-01, reporting said Cisco's build and development environment had been breached through a malicious GitHub Action associated with the Trivy campaign, leading to theft of credentials and cloning of hundreds of repositories. Cisco said it was aware of the issue and later stated it had not found evidence of impact to customers, products, or services.
Mercor confirms incident tied to LiteLLM supply-chain compromise
On 2026-03-31, Mercor confirmed it was affected by the LiteLLM compromise and said it had contained and remediated the incident while continuing forensic investigation. Subsequent reports tied the case to extortion claims and alleged theft of large volumes of company data.
ownCloud discloses build infrastructure impact from Trivy compromise
By 2026-03-31, ownCloud disclosed that its build infrastructure had been affected through CVE-2026-33634 linked to the Trivy supply-chain compromise. The company said customer data and source code were not impacted.
Databricks investigates alleged compromise tied to TeamPCP campaign
By 2026-03-30, Databricks said it was investigating an alleged compromise potentially linked to TeamPCP-harvested credentials from the broader supply-chain campaign. Later reporting indicated Databricks had not found evidence of internal impact and requested more information.
Attackers use stolen Telnyx credentials to publish malicious PyPI packages
On 2026-03-27, TeamPCP reportedly used valid Telnyx publishing credentials to upload malicious releases to PyPI. The packages executed code on import and concealed a second-stage payload in a WAV file, extending the campaign into automated build and production environments.
Kudelski details two Trivy malware variants and downstream AWS reconnaissance
On 2026-03-27, Kudelski Security published forensic analysis of the Trivy compromise describing separate GitHub Action and binary variants, including a persistent backdoor installed via a systemd user service in non-CI environments. The report said affected clients experienced theft of AWS and CI/CD credentials followed by attacker reconnaissance across 29 AWS regions, and concluded that data in 24 scanned S3 buckets should be treated as potentially compromised.
CISA adds CVE-2026-33634 to the KEV catalog
On 2026-03-27, CISA added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog and set an April 9, 2026 remediation deadline for U.S. federal civilian agencies. The KEV entry confirmed active exploitation and reinforced guidance to remove affected artifacts and rotate secrets.
CVE-2026-33634 is published for the Trivy supply-chain compromise
On 2026-03-26, the Trivy ecosystem compromise was formalized as CVE-2026-33634, describing embedded malicious code distributed through compromised Trivy artifacts and GitHub Actions. Public advisories emphasized that exploitation could expose tokens, SSH keys, cloud credentials, and other CI/CD secrets.
Mandiant warns Trivy fallout has already hit over 1,000 SaaS environments
By 2026-03-24, Mandiant said the Trivy supply-chain attack had already impacted more than 1,000 SaaS environments and warned of aggressive downstream extortion and follow-on compromises. Aqua acknowledged that incomplete containment after the earlier incident likely allowed the attacker to retain or regain access.
LiteLLM malicious releases are removed and incident response begins
Later on 2026-03-24, the malicious LiteLLM versions were removed from PyPI, BerriAI froze releases, and external incident response support was engaged. Users were told to treat any environment running the affected versions as fully compromised and rotate credentials.
LiteLLM malicious versions 1.82.7 and 1.82.8 are published to PyPI
On 2026-03-24, attackers used stolen publishing credentials to release backdoored LiteLLM versions 1.82.7 and 1.82.8 on PyPI. Version 1.82.8 included a malicious .pth file that executed automatically on Python interpreter startup, enabling credential theft, persistence, and Kubernetes lateral movement.
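The startup mechanism described above relies on Python's `site` module, which passes any `.pth` line beginning with `import` to `exec()` each time the interpreter starts. The following scanner is an added example, not code from the original reporting or from any affected project: it lists those lines for review, and the `HINTS` tokens and sample file names are assumptions made for illustration.

```python
import os
import site
import tempfile

# Generic triage hints (an assumption of this example, not indicators from the incident).
HINTS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket")

def startup_lines(pth_path):
    """Lines of a .pth file that site.py passes to exec() at interpreter startup:
    those beginning with 'import' followed by a space or tab."""
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.startswith(("import ", "import\t"))]

def scan_dir(directory):
    """Return [(file_name, line, matched_hints)] for every executable .pth line."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pth"):
            for line in startup_lines(os.path.join(directory, name)):
                results.append((name, line, [h for h in HINTS if h in line]))
    return results

def installed_site_dirs():
    """site-packages directories of the running interpreter that exist on disk."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    return sorted(d for d in dirs if os.path.isdir(d))

def demo():
    """Scan a constructed directory: one path-only file, one with a startup line."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "paths_only.pth"), "w") as fh:
            fh.write("# comment\n/opt/example/lib\n")
        with open(os.path.join(d, "hook_sample.pth"), "w") as fh:
            fh.write("import urllib.request  # constructed sample line\n")
        return scan_dir(d)

if __name__ == "__main__":
    for d in installed_site_dirs():
        for name, line, hints in scan_dir(d):
            flag = "REVIEW" if hints else "info"
            print(f"[{flag}] {os.path.join(d, name)}: {line[:100]}")
```

Legitimate packages such as editable installs also ship `.pth` files with `import` lines, so an "info" result is a prompt to confirm which package owns the file, not a verdict.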
Researchers report all Checkmarx ast-github-action tags were overwritten
Follow-up analysis published on 2026-03-26 found the Checkmarx ast-github-action compromise was broader than first reported, with all 91 published tags overwritten on March 23. Defenders were advised to review any use during the exposure window and move to safe version v2.3.33.
Checkmarx KICS GitHub Action and OpenVSX plugins are compromised
On 2026-03-23, TeamPCP expanded the campaign to Checkmarx, poisoning KICS-related GitHub Action tags and publishing malicious ast-results and cx-dev-assist plugin versions to OpenVSX. Checkmarx later said the VS Code Marketplace was unaffected and released clean replacement versions after revoking affected tags and securing access.
Aqua's internal aquasec-com GitHub organization is defaced
On 2026-03-22, attackers used a stolen long-lived service account token, likely Argon-DevOps-Mgt, to rename and deface all 44 repositories in Aqua Security's internal aquasec-com GitHub organization within minutes. The incident raised concern that proprietary code, CI/CD configurations, and internal documentation were exposed.
Compromised Trivy Docker Hub images 0.69.5 and 0.69.6 are pushed
On 2026-03-22, additional malicious Trivy Docker Hub image tags 0.69.5 and 0.69.6 were published without matching GitHub releases or tags. Analysis linked them to the same TeamPCP infostealer infrastructure, expanding exposure beyond GitHub Actions and the v0.69.4 release.
Aqua publishes GitHub advisory for March Trivy ecosystem compromise
On 2026-03-21, as also reflected in later reporting, Aqua issued GitHub advisory GHSA-69fq-xp46-6x23 covering the March Trivy compromise. The notice documented affected binaries, Docker images, and GitHub Actions, identified safe versions, and attributed the renewed access to incomplete credential rotation after the late-February attack.
Aqua publishes remediation guidance and safe Trivy versions
On 2026-03-20, Aqua removed malicious artifacts where possible, restored safe references, and advised users to move to known-safe versions such as Trivy 0.69.2/0.69.3, trivy-action 0.35.0, and setup-trivy 0.2.6. The company also recommended pinning GitHub Actions by full commit SHA and auditing workflows for compromise.
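A workflow audit for the pinning recommendation above, as an added example that is not Aqua's or StepSecurity's tooling: it reports every `uses:` reference that is not a full 40-character commit SHA and marks the two actions named in this story. The sample workflow, its tag spellings, and `example-org/example-action` are constructed.

```python
import re

# `uses: owner/repo[/path]@ref`, with an optional list dash and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^@\s'"#]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions named in this story, mapped to the safe version it lists.
AFFECTED = {"aquasecurity/trivy-action": "0.35.0", "aquasecurity/setup-trivy": "0.2.6"}

def audit_workflow(text):
    """Return (line_no, repo, ref, severity) for each action reference that is
    not pinned to a full 40-character commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # not an action reference (local ./path refs carry no @ref)
        repo = "/".join(m.group(1).split("/")[:2]).lower()
        ref = m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable; still compare the SHA against the advisory
        severity = "affected-action" if repo in AFFECTED else "mutable-ref"
        findings.append((line_no, repo, ref, severity))
    return findings

# Constructed sample workflow; the tag spellings are illustrative.
SAMPLE = """\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@0.2.6
      - name: Scan
        uses: aquasecurity/trivy-action@0.35.0  # a safe version, but still a tag
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, repo, ref, severity in audit_workflow(SAMPLE):
        hint = f" (resolve {AFFECTED[repo]} to its commit SHA)" if repo in AFFECTED else ""
        print(f"line {line_no}: {repo}@{ref} [{severity}]{hint}")
```

A reference to a safe version by tag is still reported, because the tag can be force-updated in the same way the poisoned tags were.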
Trivy tag-poisoning compromise is detected and publicly confirmed
The malicious tag rewrites were detected around 19:15 UTC on 2026-03-19 and publicly confirmed on 2026-03-20. Aqua and researchers warned that any workflows using affected tags should be treated as fully compromised and that secrets needed immediate rotation.
StepSecurity releases Trivy compromise scanner for GitHub Actions
On 2026-03-19, StepSecurity published trivy-compromise-scanner, a CLI tool that audits GitHub Actions workflow logs for evidence of the aquasecurity/trivy supply-chain compromise during the March 19–20 exposure window. The tool supports repository- and organization-wide scans, checks compromised action references and SHAs, and outputs findings in JSON, CSV, and summary table formats.
Attackers publish malicious Trivy v0.69.4 and poison GitHub Action tags
On 2026-03-19, attackers with retained write access compromised Aqua Security's Trivy ecosystem again, publishing a malicious Trivy v0.69.4 release and force-updating most aquasecurity/trivy-action tags plus setup-trivy tags to malicious commits. The payload acted as an infostealer targeting CI/CD runners and developer environments.
Researchers reconstruct broader hackerbot-claw campaign against OSS repos
By 2026-03-03, StepSecurity and others reported that hackerbot-claw had opened more than a dozen pull requests across multiple repositories, achieved code execution in several targets, and stolen tokens from projects including awesome-go and Aqua Security's Trivy. The reporting tied the Trivy OpenVSX incident to this broader CI/CD exploitation wave.
Aqua discloses active attack on Trivy-related assets
By 2026-02-28/2026-03-01, Aqua published and later revised GitHub Security Advisory GHSA-8mr6-gf9x-j8qg and stated it was under active attack affecting Trivy-related assets. Reporting later indicated the initial credential changes on March 1 did not fully evict the attacker.
Aqua removes malicious OpenVSX versions and revokes publisher token
On 2026-02-28, a former Aqua employee associated with the OpenVSX publisher account revoked the publishing token and removed the affected Trivy extension versions from OpenVSX. This limited the exposure window to roughly one day.
Malicious Trivy VS Code extension versions published to OpenVSX
On February 27–28, 2026, suspicious OpenVSX versions 1.8.12 and 1.8.13 of Aqua's Trivy VS Code extension were published under the aquasecurityofficial.trivy-vulnerability-scanner namespace. The injected code silently launched local AI coding assistant CLIs with non-interactive flags and attempted broad system inspection and possible exfiltration.
Hackerbot-claw begins GitHub Actions exploitation campaign
Activity attributed to the autonomous GitHub account hackerbot-claw began around 2026-02-20/21, targeting misconfigured GitHub Actions workflows in open-source repositories. The campaign used unsafe patterns such as pull_request_target with untrusted code to gain code execution and steal credentials.


