Tags: vendor-distribution-compromise, build-pipeline-compromise, package-repository-poisoning, ransomware-group-operation

TeamPCP Supply Chain Breaches Expand Into Ransomware-Linked OSS Campaign

Updated 6d ago · First seen Mar 26, 2026 · 104 sources

TeamPCP has expanded a multi-ecosystem software supply chain campaign that compromised open-source security and developer tools including Trivy, Checkmarx KICS, LiteLLM, Telnyx, GitHub Actions, OpenVSX extensions, Docker images, and packages published through PyPI and npm. Reporting indicates the attackers used stolen developer and publishing credentials to push malicious releases through trusted channels, harvest environment variables, shell histories, cloud credentials, and GitHub tokens, and move laterally across CI/CD environments. In the Telnyx incident, valid credentials were reportedly used to publish malicious PyPI releases, with a second-stage payload hidden in a WAV file and code triggered on import.

The campaign is now being linked to follow-on ransomware activity through an alleged partnership between TeamPCP and the Vect ransomware group, which has been advertised on BreachForums as an emerging ransomware-as-a-service operation. Researchers say the supply chain compromises may serve as initial access for extortion campaigns against downstream organizations, with TeamPCP reportedly recruiting negotiators after the Trivy breach and previously exfiltrating roughly 300 GB of compressed credentials; the LiteLLM compromise alone was tied to hundreds of thousands of stolen credentials. The incidents underscore how compromised open-source tooling and CI/CD infrastructure can give attackers privileged enterprise access and create a path from package poisoning to ransomware deployment.


Event timeline: how this story unfolded

54 events from the most recent confirmed update back to the earliest known activity.
May 21, 2026 (11d ago)

GitHub discloses TeamPCP breach affecting at least 3,800 repositories

On 2026-05-21, GitHub disclosed that TeamPCP gained access to at least 3,800 repositories after a developer installed a poisoned VS Code extension. GitHub said the affected repositories contained GitHub’s own code rather than customer code, adding a major newly disclosed victim and a concrete scale estimate for the campaign’s repository compromise.

A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale | WIRED

Hunt.io details resilient TeamPCP Python toolkit and infrastructure pivots

On 2026-05-21, Hunt.io reported on a 13-file Python toolkit used by TeamPCP after a supply-chain compromise. The analysis said the toolkit could continue operating even after command-and-control takedowns by relying on FIRESCALE, GitHub, and victims' own accounts for exfiltration and operational continuity, adding new infrastructure and tradecraft details not covered in earlier reporting.

Dashboard: Hunt.io
May 15, 2026 (17d ago)

Akamai says Mini Shai-Hulud returns and goes public

On 2026-05-15, Akamai reported that a new Mini Shai-Hulud variant had escalated TeamPCP’s credential-theft and propagation activity with greater automation and harvesting across repositories, packages, and developer tooling. The report said the worm and supporting toolchain were now public, raising the risk that other threat actors could reuse the same supply-chain attack techniques.

Mini Shai-Hulud: The Worm Returns and Goes Public | Akamai
May 14, 2026 (18d ago)

TeamPCP and BreachForums launch $1,000 Shai-Hulud supply-chain attack contest

On 2026-05-14, reporting said TeamPCP and BreachForums launched a contest offering a $1,000 Monero prize for compromising open-source packages with the Shai-Hulud attack tool. The contest allegedly ranks participants by infected packages' download counts, marking a new crowdsourcing and recruitment effort aimed at expanding copycat software supply-chain attacks.

TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks
May 13, 2026 (19d ago)

Trend Micro details TeamPCP elementary-data payload and workflow injection tradecraft

On 2026-05-13, Trend Micro published new technical analysis of TeamPCP activity involving the elementary-data Python package, describing host reconnaissance, credential and secret theft, AWS Secrets Manager and SSM abuse, staging into trin.tar.gz, and HTTPS exfiltration using a custom header. The report also said TeamPCP was increasingly using lower-friction initial access such as GitHub workflow command injection through unsanitized user-controlled expressions, and provided new hunting and mitigation guidance.

Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft | Trend Micro (US)
May 11, 2026 (21d ago)

Mini Shai-Hulud compromises 170+ packages via GitHub Actions OIDC abuse

On 2026-05-11, a coordinated Mini Shai-Hulud supply-chain attack attributed to TeamPCP reportedly compromised more than 170 npm and PyPI packages, including packages tied to TanStack, Mistral AI, and OpenSearch. Expel said the malware abused GitHub Actions pull_request_target behavior and OIDC token extraction to mint valid publish tokens and ship malicious updates with apparently valid SLSA Build Level 3 provenance attestations, while stealing credentials and modifying VS Code and Claude Code settings for persistence.

Mini Shai Hulud: Cross-ecosystem supply chain worm targeting npm & PyPI | Expel

Checkmarx discloses malicious Jenkins AST plugin and releases fixed version

On 2026-05-11, Checkmarx confirmed that a malicious modified version of its Jenkins AST plugin had been published to the Jenkins Marketplace. The company advised users to use version 2.0.13-829.vc72453fa_1c16 from December 17, 2025 or earlier and released clean version 2.0.13-848.v76e89de8a_053 on GitHub and the Jenkins Marketplace.

TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
May 9, 2026 (23d ago)

Wiz reports TeamPCP compromise of Checkmarx Jenkins AST Plugin

On 2026-05-09, Wiz listed an incident involving the Checkmarx Jenkins AST Plugin and attributed the compromise to TeamPCP. The supplied reference provides no further technical, impact, or remediation details beyond identifying the affected plugin and actor.

Compromise of Checkmarx Jenkins AST Plugin by TeamPCP

Report alleges 4 TB of data stolen from Mercor in LiteLLM-linked breach

A May 2026 report alleged that Mercor's breach tied to the March 24 LiteLLM compromise resulted in the theft of about 4 TB of data. The claimed haul included source code, user data, contractor information, and AI-related configuration artifacts such as MCP files, marking a significant escalation in the reported impact on Mercor.

Why Trusting Your Vulnerability Scanner is a Bad Idea (Full Report) | by Saad Khalid | May, 2026 | OSINT Team
Apr 29, 2026 (1mo ago)

TeamPCP-linked Mini Shai-Hulud worm hits npm, PyPI, and Packagist

Between 2026-04-29 and 2026-04-30, a self-propagating software supply-chain campaign dubbed Mini Shai-Hulud reportedly began with four official SAP npm packages and spread into PyTorch Lightning and Intercom-related packages across npm, PyPI, and Packagist. Reporting attributed the operation to TeamPCP with high confidence and said it stole developer and cloud credentials, targeted AI coding agent configuration files for persistence, and was linked to about 1,800 GitHub repositories created using stolen credentials.

TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03)
Apr 27, 2026 (1mo ago)

Checkmarx says leaked data appears to come from its GitHub repository

On 2026-04-27, Checkmarx disclosed that data posted online after LAPSUS$ leak claims appeared to have originated from one of its GitHub repositories. The company said the access was likely tied to the broader TeamPCP-linked supply-chain activity that had already compromised its KICS-related tooling.

Ongoing supply-chain attack targets security, dev tools • The Register

Researchers identify CanisterSprawl npm worm in TeamPCP-linked attack wave

By 2026-04-27, reporting identified an npm worm cluster dubbed CanisterSprawl associated with the late-April TeamPCP-linked supply-chain activity. The update added new technical detail about malware used in the Checkmarx KICS, Bitwarden CLI cascade, and xinference-related compromise wave.

TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th) - Malware News - Malware Analysis, News and Indicators
Apr 24, 2026 (1mo ago)

Sophos links Checkmarx and Bitwarden compromises to shared infrastructure

On 2026-04-24, Sophos X-Ops reported that the April 22 Checkmarx KICS and Bitwarden CLI supply-chain compromises were part of a coordinated campaign using the same command-and-control domain, audit.checkmarx[.]cx (94.154.172[.]43). The analysis added new technical detail that the Bitwarden payload abused stolen GitHub tokens to inject malicious workflows and create public repositories as dead drops, while both payloads targeted developer credentials, cloud secrets, and AI assistant configuration files.

Supply chain attacks hit Checkmarx and Bitwarden developer tools | SOPHOS
Apr 22, 2026 (1mo ago)

Bitwarden confirms malicious Bitwarden CLI npm release

On 2026-04-22, Bitwarden confirmed that attackers compromised its CI/CD pipeline and briefly published a malicious @bitwarden/cli@2026.4.0 package to npm. The company said the package was available between 5:57 PM and 7:30 PM ET, revoked compromised access, deprecated the release, began remediation, and reported no evidence that end-user vault data, production data, or production systems were affected.

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Apr 21, 2026 (1mo ago)

Attackers publish poisoned xinference releases to PyPI

On 2026-04-21, attackers reportedly published malicious xinference releases to PyPI during the same wave that included the Checkmarx KICS Docker Hub compromise and Bitwarden CLI cascade. The report said TeamPCP denied involvement despite strong code and tradecraft similarities, leaving attribution unresolved between TeamPCP, a copycat, or a false-flag operation.

TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns

TeamPCP resumes supply-chain attacks via Checkmarx KICS Docker Hub compromise

Between 2026-04-21 and 2026-04-22, reporting said TeamPCP's 26-day pause in active compromises ended when attackers used valid publisher credentials to compromise Checkmarx's official KICS Docker Hub repository. The malicious images reportedly also seeded trojanized VS Code/Open VSX extensions and contributed to the downstream Bitwarden CLI npm compromise through poisoned CI/CD dependencies.

TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns
Apr 15, 2026 (2mo ago)

Vect leak site publishes first victim from TeamPCP-linked extortion campaign

On 2026-04-15, Vect reportedly published its first victim on its leak site, identifying a property-management technology company and claiming to have stolen about four million emails and 700 GB of data. The post marked a concrete shift from earlier TeamPCP-Vect partnership claims into active double-extortion operations tied to the Trivy supply-chain campaign.

Trivy Supply Chain Compromise Enters Extortion Phase as Vect Ransomware Publishes First Victim
Apr 8, 2026 (2mo ago)

CISA KEV deadline for CVE-2026-33634 passes without standalone TeamPCP advisory

On 2026-04-08, the CISA Known Exploited Vulnerabilities remediation deadline for CVE-2026-33634 arrived. Reporting said no standalone U.S. government advisory specific to TeamPCP had been issued by that date.

TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory

Google GTIG tracks TeamPCP as UNC6780 and names SANDCLOCK malware

By 2026-04-08, Google Threat Intelligence Group had formally designated TeamPCP as UNC6780 and identified its credential stealer as SANDCLOCK. This added a new attribution label and malware naming detail for the actor behind the Trivy, Checkmarx, LiteLLM, and Telnyx compromises.

TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory

Elastic publishes TeamPCP container attack detection guidance

By 2026-04-08, Elastic Security Labs had published new detection guidance focused on TeamPCP's container-related attack activity. The update added fresh defensive and technical detail for identifying the group's ongoing post-compromise behavior.

TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released

Cisco breach escalates to source code theft and mass repository cloning

By 2026-04-08, reporting said the Trivy-linked intrusion at Cisco had escalated beyond initial access, with attackers reportedly cloning more than 300 private repositories, stealing AWS keys, and taking source code from build systems and developer workstations. The update also noted unverified extortion claims tied to the stolen Cisco data.

TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory
Apr 3, 2026 (2mo ago)

VECERT details Sportradar breach tied to Trivy compromise

On 2026-04-03, reporting said Sportradar AG suffered a systemic compromise through the Trivy supply-chain vector. VECERT attributed the operation jointly to TeamPCP and Vect ransomware and said exposed data included personal information, client records, and production credentials.

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments

CERT-EU says Europa breach may affect 29 other EU entities

On 2026-04-03, CERT-EU said the European Commission’s Trivy-linked Europa.eu AWS breach involved about 92 GB of compressed stolen data and could affect at least 29 other EU entities as well as dozens of internal Commission clients. The agency said nearly 52,000 files contained sent email messages, raising potential personal-data exposure risks.

Europe’s cyber agency blames hacking gangs for massive data breach and leak | TechCrunch

CERT-EU confirms European Commission cloud breach from Trivy compromise

On 2026-04-03, CERT-EU confirmed that the European Commission’s Europa web hosting platform on AWS was breached as a result of the Trivy supply-chain compromise tracked as CVE-2026-33634. This added the European Commission as a newly disclosed government victim in the broader TeamPCP-linked campaign.

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments

Mercor AI faces class action investigation after LiteLLM-linked breach

By 2026-04-03, reporting said Mercor AI was facing a class action investigation following its disclosure that it had been breached through the TeamPCP-linked LiteLLM supply-chain compromise. This marked a new legal and business-impact development beyond the earlier breach confirmation and scope estimates.

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments
Apr 2, 2026 (2mo ago)

Mercor says LiteLLM attack affected thousands of companies

On 2026-04-02, Mercor said it was one of thousands of companies impacted by the LiteLLM supply-chain attack and that it had contained and remediated the incident while its forensic investigation continued. The same reporting cited researchers saying more than 1,000 SaaS environments were affected, marking a major escalation in the known downstream scope of the TeamPCP-linked campaign.

Mercor says it was 'one of thousands' hit in LiteLLM attack • The Register
Apr 1, 2026 (2mo ago)

Axios npm compromise attributed to UNC1069, not TeamPCP

On 2026-04-01, reporting said the axios npm compromise was attributed to North Korean actor UNC1069 rather than TeamPCP. Analysts noted the stolen npm token may still have originated from the broader credential ecosystem seeded by TeamPCP, but the compromise itself was no longer assessed as a TeamPCP operation.

TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows

ownCloud discloses build infrastructure impact from Trivy compromise

On 2026-04-01, ownCloud disclosed that its build infrastructure was affected by the Trivy supply-chain compromise tracked as CVE-2026-33634. This added another publicly identified downstream victim tied to the broader TeamPCP-linked campaign.

TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows

BerriAI resumes LiteLLM publishing after forensic audit

On 2026-04-01, BerriAI said LiteLLM publishing had resumed after a Mandiant-led forensic audit found that only versions 1.82.7 and 1.82.8 were malicious. The statement marked a concrete remediation and recovery step following TeamPCP's March 24 compromise of LiteLLM.

InfoSec Diary Blog Archive - SANS Internet Storm Center

Wiz documents TeamPCP post-compromise cloud enumeration

On 2026-04-01, incident response findings described TeamPCP validating stolen credentials with TruffleHog and then rapidly enumerating AWS and Azure environments. The activity focused on IAM, compute, storage, databases, and container infrastructure, adding new technical detail about the group’s post-compromise tradecraft.

TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows

Mercor AI confirms breach tied to LiteLLM compromise

On 2026-04-01, Mercor AI became the first officially confirmed downstream victim of TeamPCP's campaign, stating it was breached as a direct result of the March 24 LiteLLM compromise. This marked the first public victim disclosure linking real-world downstream impact to the supply-chain intrusion.

TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows
Mar 31, 2026 (2mo ago)

LAPSUS$ releases alleged AstraZeneca data after failed sale attempt

By 2026-03-31, reporting said LAPSUS$ had released alleged AstraZeneca data for free after failing to sell it, and Cybernews partially verified the dump. AstraZeneca had not publicly commented at the time, marking an escalation beyond the group's earlier breach claim.

TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released

Appian publishes advisory on TeamPCP / CanisterWorm supply-chain compromise

On 2026-03-31, Appian published a knowledge-base article addressing the TeamPCP / CanisterWorm supply-chain compromise. This represents an official vendor response and indicates Appian was assessing or disclosing potential impact from the broader campaign.

KB-2377 Information about the TeamPCP / CanisterWorm Supply Chain compromise - Appian Knowledge Base - Support - Appian Community

ownCloud says Trivy-linked breach affected build infrastructure

On 2026-03-31, ownCloud disclosed that its build infrastructure was affected by CVE-2026-33634 stemming from the Trivy supply-chain compromise. The company said customer data and source code were not impacted.

TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released

Databricks investigates alleged TeamPCP-linked compromise and finds no internal evidence

On 2026-03-31, Databricks said via its verified security account that it investigated allegations that TeamPCP-stolen credentials were used against its environment but found nothing in its internal systems. The company requested additional information, marking a public response to a potential downstream impact claim.

TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released

Cisco development environment reportedly accessed via Trivy-stolen credentials

On 2026-03-31, reporting said credentials stolen through the Trivy supply-chain compromise were used to access Cisco’s internal development environment via a malicious GitHub Action plugin. This added Cisco as a newly identified downstream victim in the broader TeamPCP-linked campaign.

TeamPCP expands supply chain intrusions into cloud and enterprise environments

TeamPCP linked to parallel CipherForce ransomware operation

By 2026-03-31, reporting indicated TeamPCP was operating its own CipherForce ransomware channel in addition to its partnership with the Vect ransomware ecosystem. This added a new attribution detail showing the group pursuing dual ransomware monetization paths rather than relying solely on affiliates.

TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released
Mar 30, 2026 (2mo ago)

Researchers describe TeamPCP's multi-ecosystem supply-chain campaign

By March 30, 2026, reporting characterized TeamPCP's activity as a coordinated campaign affecting Trivy, Checkmarx KICS, LiteLLM, and Telnyx across GitHub Actions, Docker Hub, PyPI, npm, and OpenVSX. The campaign was described as using stolen developer and CI/CD credentials to propagate across trusted software ecosystems.

Mar 28, 2026 (2mo ago)

ShinyHunters publishes data stolen from European Commission breach

On 2026-03-28, ShinyHunters reportedly published data stolen from the European Commission’s Europa AWS hosting platform after the Trivy-linked compromise. CERT-EU said the breach involved 340 GB of exfiltrated data, including about 52,000 email-related files affecting 71 clients.

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments

Defenders publish detections and new analysis of TeamPCP techniques

On 2026-03-28, new defensive and technical reporting on TeamPCP emerged, including Palo Alto Networks behavioral detection rules for CI/CD attack patterns and additional analysis of the campaign’s Kubernetes wiper and credential fan-out. The update also noted no newly confirmed package compromises in the prior 48 hours, suggesting a temporary pause in expansion while monetization activity continued.

TeamPCP Supply Chain Campaign: Update 003 - Operational Tempo Shift as Campaign Enters Monetization Phase With No New Compromises in 48 Hours
Mar 27, 2026 (2mo ago)

LAPSUS$ claims AstraZeneca breach using TeamPCP-linked credentials

On 2026-03-27, LAPSUS$ publicly claimed a 3 GB breach of AstraZeneca allegedly obtained using credentials linked to TeamPCP's supply-chain campaign. AstraZeneca had not confirmed the claim at the time of publication.

TeamPCP Supply Chain Campaign: Update 002 - Telnyx PyPI Compromise, Vect Ransomware Mass Affiliate Program, and First Named Victim Claim

Attackers publish malicious Telnyx packages to PyPI

On March 27, 2026, attackers used valid credentials to publish malicious Telnyx releases to PyPI. The packages reportedly executed code on import and hid a second-stage payload inside a WAV file.

Report identifies LiteLLM CEO's GitHub account as initial compromise vector

On 2026-03-27, updated reporting said the March 24 LiteLLM compromise began through the personal GitHub account of CEO Krish Dholakia. This added a new attribution detail about how attackers obtained access in the LiteLLM portion of the TeamPCP campaign.

TeamPCP Supply Chain Campaign: Update 002 - Telnyx PyPI Compromise, Vect Ransomware Mass Affiliate Program, and First Named Victim Claim
Mar 26, 2026 (2mo ago)

Vect advertises partnership with TeamPCP for ransomware follow-on attacks

Posts attributed to the Vect ransomware group on BreachForums claimed a partnership with TeamPCP to turn recent supply-chain compromises into ransomware access operations. Vect was described as an emerging ransomware-as-a-service group seeking affiliates and offering affiliation keys and support.

TeamPCP begins recruiting negotiators after Trivy compromise

Reporting cited in the references says TeamPCP started recruiting negotiators after the Trivy compromise, indicating a shift from initial access and supply-chain intrusion toward monetization. This was presented as an early sign that the campaign could evolve into ransomware operations.

Mar 25, 2026 (2mo ago)

Vect and TeamPCP allegedly claim Sportradar breach and offer data for sale

On 2026-03-25, Vect Ransomware and TeamPCP allegedly claimed on a dark web forum that they had breached Sportradar AG via the Trivy supply-chain vector and exfiltrated corporate and client data. The post offered the data for sale for up to $50,000 and said it included PII, business records, and third-party credentials linked to FIBA and Bet365.

Sportradar, Bet365, and FIBA Data Exposed in Vect Ransomware Breach - Daily Dark Web

GitHub repository publishes TeamPCP IOCs and Defender XDR guidance

On 2026-03-25, a public GitHub repository documented TeamPCP's supply-chain campaign with concrete indicators of compromise, including affected versions, hashes, domains, IPs, persistence paths, and malware behavior across GitHub Actions, Docker Hub, OpenVSX, PyPI, and npm. The write-up also provided Microsoft Defender XDR detection guidance and described the npm malware cluster dubbed CanisterWorm, including its use of Internet Computer Protocol canisters for command-and-control.

GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) - The most impactful CI/CD supply chain attack of 2026 so far. · GitHub
Mar 24, 2026 (2mo ago)

TeamPCP compromises LiteLLM and steals credentials

On March 24, 2026, TeamPCP compromised LiteLLM as part of its supply-chain campaign. Later reporting linked this intrusion to the theft of large numbers of credentials, including the token believed to have enabled the subsequent Telnyx PyPI compromise.

Mar 23, 2026 (2mo ago)

TeamPCP compromises Checkmarx KICS GitHub Action and related artifacts

On 2026-03-23, attackers retagged 35 Checkmarx KICS GitHub Action releases to malicious commits, causing users pulling affected tags between 12:58 and 16:50 UTC to receive credential-stealing malware. The same reporting said compromised Checkmarx OpenVSX extensions also delivered second-stage malware and persistence, and attributed the activity to TeamPCP with high confidence based on shared tactics and the same RSA key seen in the earlier Trivy incident.

KICS GitHub Action Compromised: TeamPCP Supply Chain Attack | Wiz Blog
Mar 22, 2026 (2mo ago)

Malicious Trivy Docker Hub images published after Aqua GitHub compromise

On 2026-03-22, attackers published malicious Trivy container images 0.69.4, 0.69.5, and 0.69.6 to Docker Hub after compromising Aqua Security's GitHub environment, including force-pushed tags and repository defacements. Aqua Security revoked compromised credentials and removed the malicious images and affected GitHub content, establishing the core Trivy supply-chain compromise event.

Trivy Supply Chain Attack Spreads Infostealer, Worm, and Kubernetes Wiper via Docker Hub - Cyberwarzone
Mar 19, 2026 (2mo ago)

Attackers steal European Commission AWS keys via compromised Trivy scanner

On 2026-03-19, attackers reportedly used the compromised Trivy scanner on the European Commission's Europa AWS hosting platform to steal AWS API keys. Later CERT-EU reporting said this intrusion led to large-scale data theft affecting 71 clients, establishing the initial breach event behind the Commission disclosure.

TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments

Renewed Trivy supply-chain compromise begins at Aqua Security

On 2026-03-19, Aqua Security said attackers used compromised credentials to renew the Trivy supply-chain compromise, publishing a malicious Trivy v0.69.4 release and retagging aquasecurity/trivy-action and aquasecurity/setup-trivy to credential-stealing malware. Aqua described it as a continuation of the late-February attack enabled by incomplete post-disclosure credential rotation, and later identified safe versions and rotation guidance for affected users.

CVE-2026-33634 | Tenable®
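The tag retagging seen in the Trivy and KICS events, the pull_request_target and OIDC abuse behind Mini Shai-Hulud, and the workflow command injection Trend Micro describes all start from a workflow file a defender can audit. The scanner below is an added example, not code from Mallory or from any vendor named in this timeline; the sample workflow it checks is constructed (the action versions and the commit SHA in it are made up) and it uses only the Python standard library.

```python
"""Lint a GitHub Actions workflow for the CI/CD weaknesses this timeline describes:
actions referenced by mutable tags or branches (what a retag attack swaps out),
pull_request_target workflows that check out the PR head, and untrusted event
fields expanded straight into run: scripts. Standard library only, line based."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
REF_RE = re.compile(r"""^\s*ref:\s*['"]?\$\{\{""")
RUN_RE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(\S.*)?$")
TRIGGER_RE = re.compile(r"(?<![\w.-])pull_request_target(?![\w-])")
# event fields that an outside contributor controls: the usual injection sources
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*(github\.event\.(?:pull_request|issue|comment|review|head_commit)\.[\w.]+"
    r"|github\.head_ref)\s*\}\}"
)

@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def scan_workflow(text: str) -> list[Finding]:
    """Return findings in line order for one workflow file's text."""
    findings: list[Finding] = []
    run_indent = None  # indentation of an open multi-line run: block, else None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # a multi-line run: block ends when indentation drops back to its key
        in_run = run_indent is not None and _indent(line) > run_indent
        if not in_run:
            run_indent = None
        m = RUN_RE.match(line)
        if m:
            in_run = True
            body = (m.group(2) or "").strip()
            if body == "" or re.fullmatch(r"[|>][-+0-9]*", body):
                run_indent = len(m.group(1))
        if TRIGGER_RE.search(line) and "${{" not in line:
            findings.append(Finding(no, "privileged-trigger",
                "pull_request_target runs with a write-capable token on PR-driven input"))
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            name, _, ref = m.group(1).rpartition("@")
            if not name:
                findings.append(Finding(no, "unpinned-action", f"{ref} has no version ref"))
            elif not SHA_RE.match(ref):
                findings.append(Finding(no, "mutable-ref",
                    f"{name}@{ref}: a tag or branch can be retagged; pin the full commit SHA"))
        expr = UNTRUSTED_RE.search(line)
        if expr and in_run:
            findings.append(Finding(no, "expression-injection",
                f"{expr.group(1)} expands inside the shell; pass it through env: instead"))
        elif expr and REF_RE.match(line):
            findings.append(Finding(no, "untrusted-checkout",
                f"checks out {expr.group(1)}; under pull_request_target that runs PR code with repo secrets"))
    return findings

def kinds(findings: list[Finding]) -> list[tuple[int, str]]:
    return [(f.line, f.kind) for f in findings]

# Constructed sample workflow (not from any project on the page); the SHA is made up.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Unsafe greeting
        run: |
          echo "Reviewing: ${{ github.event.pull_request.title }}"
          echo done
      - name: Safe greeting
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""
if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.kind:<21} {f.detail}")
```

The "Safe greeting" step shows the pattern that produces no finding: the untrusted value goes through an environment variable rather than being expanded into the script text.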
Feb 27, 2026 (3mo ago)

Pwn Request attack on Trivy infrastructure precedes TeamPCP campaign

On 2026-02-27, a Pwn Request attack reportedly hit Trivy infrastructure, and incomplete remediation allegedly left conditions that enabled TeamPCP's later March 2026 supply-chain campaign. This establishes an earlier precursor event behind the subsequent Trivy-linked compromises.

Dark Web Profile: TeamPCP
Dec 1, 2025 (6mo ago)

TeamPCP exploits exposed Docker and Kubernetes environments

In late 2025, TeamPCP was reportedly exploiting exposed Docker and Kubernetes environments as part of its earlier cloud-native criminal activity. This predates the group's March 2026 software supply-chain campaign and shows its operations began with direct cloud and container intrusions before expanding into ecosystem-wide compromises.

Dark Web Profile: TeamPCP