TeamPCP Supply-Chain Attacks Poisoned Trivy, KICS, LiteLLM, Telnyx, and Bitwarden
A broad software supply-chain campaign attributed to TeamPCP compromised trusted developer and security tools, beginning with a poisoned Trivy GitHub Action after attackers allegedly stole a personal access token via a misconfigured pull_request_target workflow. Researchers said malicious commits were pushed to most Trivy action tags, allowing the attackers to steal CI/CD secrets, cloud credentials, SSH keys, Kubernetes configuration, and other sensitive data from downstream users. The campaign then spread through stolen credentials to additional projects, including Checkmarx KICS, LiteLLM versions 1.82.7 and 1.82.8 on PyPI, the Telnyx SDK, and later Bitwarden CLI, with malware exfiltrating data to attacker-controlled infrastructure such as checkmarx[.]zone and models[.]litellm[.]cloud. Reporting also tied the operation to hundreds of compromised systems and large-scale theft of .env files and secrets from cloud, AI, payment, database, and messaging environments.
The fallout expanded beyond package poisoning into downstream intrusions and data leaks. Checkmarx confirmed that data later leaked by LAPSUS$ came from its private GitHub repository and said the initial access was likely enabled by credentials exposed in the Trivy-related compromise; researchers also linked the broader campaign to Bitwarden through shared malware and command-and-control patterns. Malicious KICS Docker images, GitHub Actions, and editor extensions were reported to steal credentials and scan results, while Bitwarden’s CI/CD workflow was allegedly abused to expose an npm token and publish a tainted @bitwarden/cli release. Security researchers and vendors warned that the campaign shows how attackers are increasingly targeting open-source maintainers and security tooling as high-leverage entry points, with reported ties to extortion and ransomware groups including LAPSUS$ and Vect raising the risk that stolen access will be resold or used for follow-on attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
GitHub confirms TeamPCP breach of internal source control
On May 20, 2026, GitHub confirmed that TeamPCP breached its internal source control after a poisoned VS Code extension was installed by an employee, leading to the theft of about 3,800 internal repositories. GitHub said it found no evidence that customer data was affected.
Ars reports Bitwarden affected and TeamPCP linked to Lapsu$
On April 29, 2026, reporting said the broader TeamPCP campaign also affected Bitwarden and suggested TeamPCP likely sold Checkmarx access to Lapsu$. The article linked the incidents through shared command-and-control infrastructure and malware characteristics associated with the Trivy breach.
Analysis ties Checkmarx KICS compromise to Bitwarden CLI poisoning
An April 28, 2026 analysis described how the compromised Checkmarx KICS scanner was allegedly used inside Bitwarden's CI/CD workflow to steal GitHub and Azure credentials, expose an npm token, and publish a malicious @bitwarden/cli version 2026.4.0. The report characterized the malware as worm-like, using stolen GitHub and npm credentials to propagate through workflows and packages.
Checkmarx links leaked GitHub data to TeamPCP-enabled access
On April 28, 2026, Checkmarx confirmed that data leaked by LAPSUS$ came from its private GitHub repository and said initial access was likely enabled by credentials exposed in the March 23 Trivy-related supply-chain attack. The company said the leaked dataset was about 96GB and that customer information was not believed to be included.
Checkmarx KICS Docker images and extensions poisoned
On April 22, 2026, attackers published malicious Docker images and VSCode/Open VSX extensions for the Checkmarx KICS scanner. Checkmarx said the artifacts were designed to steal credentials, keys, tokens, and configuration files.
The Register reports dual March open-source supply-chain attacks
On April 11, 2026, reporting connected the TeamPCP Trivy-centered campaign with a separate Axios npm compromise attributed by Google to North Korean-linked UNC1069. The Axios incident reportedly followed social engineering of maintainer Jason Saayman and malicious releases published for about three hours.
Researchers detail TeamPCP shell arsenal across March campaign
On April 2, 2026, researchers published technical analysis of TeamPCP's shell-based tooling used against Trivy, Checkmarx KICS, LiteLLM, and Telnyx. The report documented credential theft, Kubernetes-aware payload delivery, encrypted exfiltration, and GitHub fallback mechanisms.
Investigation reports 900+ compromised systems in ongoing operation
A security investigation described on April 1, 2026 reported an exposed server tied to an ongoing exploitation and data-collection operation with more than 900 confirmed compromised systems. The operation allegedly harvested tens of thousands of .env files and used AI-assisted tooling to optimize attacks.
Akamai reports TeamPCP campaign and Vect partnership claim
On March 27, 2026, Akamai published research tying the Trivy, Checkmarx KICS, and LiteLLM compromises into a single TeamPCP supply-chain campaign. The report also noted a claimed partnership between TeamPCP and the ransomware group Vect, raising concern about downstream monetization of stolen access.
CISA adds CVE-2026-33634 to the KEV catalog
A March 26, 2026 campaign update said CISA added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog, confirming active exploitation and triggering remediation deadlines for federal agencies.
PyPI yanks malicious LiteLLM releases and BerriAI freezes releases
By March 26, 2026, PyPI had lifted quarantine on LiteLLM after yanking malicious versions 1.82.7 and 1.82.8, while BerriAI froze new releases and engaged Mandiant for forensic analysis. Guidance said all affected installations should be treated as compromised.
Malicious LiteLLM 1.82.7 and 1.82.8 released to PyPI
On March 24, 2026, attackers used credentials harvested from LiteLLM's CI/CD pipeline to publish malicious LiteLLM versions 1.82.7 and 1.82.8 to PyPI. The packages reused the same stealer seen in the Trivy incident and exfiltrated data to attacker-controlled infrastructure.
All 91 Checkmarx ast-github-action tags found overwritten
An update reported that all 91 published tags of Checkmarx's ast-github-action, from v0.1-alpha through v2.3.32, were overwritten with individually crafted malicious commits on March 23, 2026. The malicious composite action ran a credential-stealing setup.sh before invoking the legitimate action.
Attackers use stolen credentials to poison Checkmarx KICS
On March 23, 2026, the campaign expanded when attackers used credentials stolen through the Trivy compromise to publish malicious updates affecting Checkmarx KICS. Reporting later said the compromise included poisoned GitHub Action tags and malicious code in KICS-related distribution channels.
TeamPCP compromises Trivy GitHub Action tags
On March 19, 2026, attackers attributed to TeamPCP used a stolen personal access token obtained via a misconfigured pull_request_target workflow to push malicious commits to 76 of 77 Trivy GitHub Action version tags. The poisoned action exposed secrets and credentials from organizations whose CI/CD pipelines executed it.
TeamPCP's earliest traced shell tooling dates to December 2025
Analysis of TeamPCP's shell arsenal found the earliest traced shell artifact dated December 14, 2025, indicating the group had built propagation and proxy infrastructure months before the March 2026 campaign.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
15 references tracked. Mallory keeps watching after this page renders.
TeamPCP and Cyber Supply Chain Attacks - Flare | Identity First Threat Intelligence | Unmatched Visibility into Cybercrime
flare.io
Open sourceWhy a recent supply-chain attack singled out security firms Checkmarx and Bitwarden - Ars Technica
arstechnica.com
Open sourceBitwarden CLI 침해로 이어진 Checkmarx KICS 공급망 공격 - 보안 도구를 역이용한 공급망 공격
blog.alyac.co.kr
Open sourceCheckmarx confirms LAPSUS$ hackers leaked its stolen GitHub data
bleepingcomputer.com
Open sourceThe Telnyx SDK on PyPI Compromise and the 2026 TeamPCP Supply Chain Attacks | Akamai
akamai.com
Open sourceThe Telnyx SDK on PyPI Compromise and the 2026 TeamPCP Supply Chain Attacks | Akamai
akamai.com
Open sourceTeamPCP Supply Chain Campaign: Update 001 - Checkmarx Scope Wider Than Reported, CISA KEV Entry, and Detection Tools Available
isc.sans.edu
Open sourceTeamPCP Supply Chain Attack: Lessons for Your Security Programme
riskledger.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TeamPCP Supply Chain Breaches Expand Into Ransomware-Linked OSS Campaign
TeamPCP has expanded a multi-ecosystem software supply chain campaign that compromised open-source security and developer tools including **Trivy**, **Checkmarx KICS**, **LiteLLM**, **Telnyx**, GitHub Actions, OpenVSX extensions, Docker images, and packages published through **PyPI** and **npm**. Reporting indicates the attackers used stolen developer and publishing credentials to push malicious releases through trusted channels, harvest environment variables, shell histories, cloud credentials, and GitHub tokens, and move laterally across CI/CD environments. In the Telnyx incident, valid credentials were reportedly used to publish malicious PyPI releases, with a second-stage payload hidden in a WAV file and code triggered on import. The campaign is now being linked to follow-on ransomware activity through an alleged partnership between TeamPCP and the **Vect** ransomware group, which has been advertised on BreachForums as an emerging ransomware-as-a-service operation. Researchers say the supply chain compromises may serve as initial access for extortion campaigns against downstream organizations, with TeamPCP reportedly recruiting negotiators after the Trivy breach and previously exfiltrating roughly **300 GB** of compressed credentials; the LiteLLM compromise alone was tied to hundreds of thousands of stolen credentials. The incidents underscore how compromised open-source tooling and CI/CD infrastructure can give attackers privileged enterprise access and create a path from package poisoning to ransomware deployment.
Jun 25, 2026
TeamPCP Compromised Trivy and Turned CI/CD Pipelines Into Credential Theft Channels
A supply-chain attack against Aqua Security’s **Trivy** ecosystem let attackers publish malicious artifacts and hijack GitHub Action tags, turning a widely used security scanner into a credential stealer. Reporting indicates the intrusion began with abuse of a misconfigured GitHub Actions workflow and theft of privileged credentials, followed by incomplete containment that left residual access in place. Attackers then poisoned **`aquasecurity/trivy-action`** by force-updating 75 of 76 tags, compromised **`setup-trivy`**, and published a backdoored **Trivy `v0.69.4`** release; later activity also pushed malicious Docker Hub images **`0.69.5`** and **`0.69.6`**. The malware harvested GitHub tokens, cloud credentials, SSH keys, Kubernetes secrets, Docker configs, and other CI/CD data from runners and developer environments, encrypted the loot, and exfiltrated it to attacker-controlled infrastructure or fallback GitHub repositories such as **`tpcp-docs`**. Researchers and vendor advisories linked the campaign to **TeamPCP** and described it as an expanding, multi-stage operation that also included a brief OpenVSX compromise of the Trivy VS Code extension, defacement of **44** repositories in Aqua Security’s internal **`aquasec-com`** GitHub organization, and follow-on compromises affecting Checkmarx tooling and the **LiteLLM** PyPI package. Aqua removed malicious artifacts, revoked tokens, restored safe references, and said commercial products were not affected, while GitHub and public advisories identified safe versions including **Trivy `0.69.2`/`0.69.3`**, **`trivy-action` `0.35.0`**, and **`setup-trivy` `0.2.6`**. U.S. CISA added **`CVE-2026-33634`** to the KEV catalog, and incident responders warned organizations that ran affected versions to assume full pipeline compromise, rotate all accessible secrets, audit workflow logs and GitHub activity, and pin GitHub Actions to immutable commit SHAs.
May 6, 2026
Supply Chain Attack Trojans Checkmarx Artifacts and Bitwarden CLI Package
A supply chain attack compromised multiple **Checkmarx** distribution channels, including **KICS Docker images**, the **Checkmarx VS Code extension**, and the `ast-github-action` GitHub Action, with the malicious artifacts built to collect, encrypt, and exfiltrate secrets from affected environments. Reporting linked the activity to **TeamPCP**, which publicly claimed responsibility, and described the campaign as distinct from an earlier March incident involving Checkmarx. The activity later expanded to the **Bitwarden CLI** ecosystem, where a malicious version of the npm package `@bitwarden/cli` was briefly published. The trojanized VS Code extensions were also reported to target **npm tokens**, raising the risk of follow-on supply chain compromise, while some malicious Docker images were removed by about **18:20 UTC** on April 22; however, the compromised extensions reportedly remained available on **OpenVSX** into April 23.
Jun 8, 2026