[{"data":1,"prerenderedAt":253},["ShallowReactive",2],{"article-slug-teampcp-supply-chain-attack-compromises-trivy-litellm":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":59,"sources":65,"events":102,"mitre_techniques":117,"mitre_mitigations":140,"d3fend_countermeasures":166,"iocs":182,"cyber_observables":190,"tags":221,"extract_datetime":227,"article_type":228,"impact_scope":229,"pub_date":80,"reading_time_minutes":239,"createdAt":227,"updatedAt":240,"updates":241},"a2583597-6a88-4c03-991d-495095d184da","teampcp-supply-chain-attack-compromises-trivy-litellm","TeamPCP's Sophisticated Supply Chain Attack on Trivy and LiteLLM Hits 1,000+ SaaS Environments","Massive Supply Chain Attack by TeamPCP Compromises Trivy Scanner, Spreads to LiteLLM and Checkmarx","A multi-stage supply chain attack by the threat group TeamPCP has caused a significant security crisis, beginning with the compromise of the popular open-source scanner Trivy and expanding to other developer tools, including Checkmarx KICS and LiteLLM. The attackers exploited a previously stolen GitHub token to poison official software releases and CI/CD pipelines, injecting credential-stealing malware. The campaign has already compromised over 1,000 SaaS environments, exfiltrating cloud credentials, SSH keys, and other secrets. The attack, tracked under CVE-2026-33634, highlights the systemic risk in modern software supply chains, with experts warning the full impact could affect up to 10,000 organizations.","## Executive Summary\n\nA sophisticated and widespread supply chain attack, attributed to the threat actor group **[TeamPCP](https://malpedia.caad.fkie.fraunhofer.de/actor/teampcp)**, has compromised multiple open-source projects, including Aqua Security's Trivy scanner, Checkmarx KICS, and the LiteLLM Python library. 
The attack, which began on March 19, 2026, leveraged a stolen GitHub Personal Access Token (PAT) to poison CI/CD pipelines through a technique known as tag poisoning. The attackers replaced legitimate software releases with malicious versions containing an infostealer payload designed to harvest credentials from development environments. The campaign, assigned **CVE-2026-33634**, has already impacted over 1,000 SaaS environments, with potential downstream effects for thousands more. The incident underscores the critical vulnerability of automated software delivery pipelines and the cascading impact of a single compromised credential.\n\n---\n\n## Threat Overview\n\nThe campaign was initiated by **TeamPCP**, a group known for aggressive tactics and collaboration with extortion groups like **[Lapsus$](https://attack.mitre.org/groups/G1004/)**. The attack's root cause was an incompletely remediated security incident from February 2026, where a bot stole a GitHub PAT. Despite a credential rotation on March 1, the attackers retained residual access.\n\nOn March 19, **TeamPCP** used this access to execute a multi-pronged attack:\n1.  **Tag Poisoning**: The attackers force-pushed 76 tags in the `aquasecurity/trivy-action` repository and 7 in `aquasecurity/setup-trivy`. This redirected CI/CD pipelines using these trusted version tags to malicious commits, causing them to execute attacker-controlled code.\n2.  **Malicious Binary Distribution**: A trojanized version of Trivy (`v0.69.4`) was published via official GitHub Releases and container registries.\n3.  **Expansion**: The attack pattern was replicated on March 23 against Checkmarx KICS and AST tools. 
On March 24, the campaign pivoted to the Python Package Index (PyPI), publishing malicious versions of LiteLLM (`1.82.7` and `1.82.8`).\n\nThe injected payload was a potent infostealer that harvested environment variables, SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, and cryptocurrency wallets from CI/CD runners. Stolen data was exfiltrated to the attacker-controlled domain `scan.aquasecurtiy[.]org`.\n\n## Technical Analysis\n\nThe attack demonstrates a deep understanding of modern development practices and CI/CD vulnerabilities. The core TTPs map to several MITRE ATT&CK techniques.\n\n### Attack Chain\n1.  **Initial Access ([T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078/))**: The attackers used a stolen GitHub PAT obtained in a prior incident.\n2.  **Execution & Persistence ([T1195.001 - Compromise Software Supply Chain](https://attack.mitre.org/techniques/T1195/001/))**: By poisoning Git tags and publishing malicious binaries, the attackers compromised the software build and release process. This is a classic example of compromising a trusted software supply chain.\n3.  **Defense Evasion ([T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall](https://attack.mitre.org/techniques/T1562/007/))**: While not explicit, the payload's design to run within a trusted CI/CD runner inherently bypasses many traditional perimeter defenses.\n4.  **Credential Access ([T1552.006 - Cloud Credentials](https://attack.mitre.org/techniques/T1552/006/))**: The primary goal of the infostealer was to harvest cloud credentials, SSH keys, and other secrets stored in environment variables.\n5.  **Exfiltration ([T1048 - Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/))**: Data was exfiltrated to `scan.aquasecurtiy[.]org` or, as a fallback, uploaded as a release file to a newly created public GitHub repository within the victim's own account.\n\n> The use of tag poisoning is particularly insidious. 
Many CI/CD pipelines are configured to pull specific version tags (e.g., `v1`) for stability. By force-pushing and overwriting these tags, the attackers ensured their malicious code was automatically pulled and executed by thousands of downstream systems without any change to the victim's pipeline configuration.\n\n## Impact Assessment\n\nThe business impact of this attack is severe and multi-faceted. **[Mandiant](https://www.mandiant.com)** reports over 1,000 SaaS environments are already confirmed compromised, with a potential for 10,000 victims. The impact includes:\n\n*   **Widespread Credential Compromise**: The theft of AWS, GCP, and Azure credentials from CI/CD environments provides attackers with high-privilege access to cloud infrastructure, potentially leading to data breaches, resource hijacking for crypto-mining, or further lateral movement.\n*   **Loss of Trust**: The compromise of a major security tool like Trivy erodes trust in the open-source ecosystem. Organizations that relied on Trivy to secure their software are now faced with the reality that the tool itself was the vector of compromise.\n*   **Operational Disruption**: Remediation is a massive undertaking. Security teams must assume all credentials and secrets exposed in CI/CD environments are compromised. 
This requires rotating thousands of keys, rebuilding CI/CD runners from a known-good state, and auditing all cloud resources for signs of unauthorized access.\n*   **Financial Loss**: Direct financial losses can occur from fraudulent use of cloud resources, extortion demands from **TeamPCP** and its affiliates, and the significant cost of incident response and remediation.\n\n## IOCs\n\n| Type   | Value                      | Description                                                                 |\n| :----- | :------------------------- | :-------------------------------------------------------------------------- |\n| domain | `scan.aquasecurtiy[.]org`    | C2 and data exfiltration domain. Note the misspelling of 'security'.        |\n| domain | `models.litellm[.]cloud`   | Infrastructure related to the LiteLLM compromise.                           |\n| other  | `tpcp-docs` GitHub repos   | Repositories used by the threat actor for hosting malicious code or tools.  |\n\n## Cyber Observables for Detection\n\n| Type                   | Value                                                              | Description                                                                                                       | Context                                                              |\n| :--------------------- | :----------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------- |\n| `url_pattern`          | `aquasecurity/trivy-action`                                        | Monitor CI/CD logs for pulls of this GitHub Action, especially if versions were not explicitly pinned to a commit hash. | GitHub Actions logs, CI/CD pipeline execution logs.                  
|\n| `url_pattern`          | `aquasecurity/setup-trivy`                                         | Monitor CI/CD logs for pulls of this GitHub Action.                                                               | GitHub Actions logs, CI/CD pipeline execution logs.                  |\n| `file_name`            | `proxy_server.py`                                                  | For LiteLLM users, check for modifications to this file, especially in versions 1.82.7 and 1.82.8.               | File Integrity Monitoring (FIM), source code repository history.     |\n| `network_traffic_pattern` | Egress traffic from CI/CD runners to non-standard domains.         | Attackers exfiltrated data to `scan.aquasecurtiy[.]org`. Hunt for any unusual outbound connections from build agents. | VPC flow logs, firewall logs, network monitoring tools.              |\n| `command_line_pattern` | `git push --force`                                                 | Monitor for force pushes to protected branches or tags in critical repositories.                                  | Git server audit logs, GitHub Enterprise audit logs.                 |\n| `api_endpoint`         | `api.github.com/repos/{org}/{repo}/releases` with `POST` method. | Monitor for CI/CD processes creating new public repositories and uploading release assets, a fallback C2 method.  | GitHub audit logs, CloudTrail for API calls from build agents.       |\n\n## Detection & Response\n\nSecurity teams must act immediately. Assume compromise if your organization uses Trivy, Checkmarx, or LiteLLM in automated CI/CD pipelines.\n\n1.  **Inventory & Identification**: Identify all CI/CD pipelines that use the compromised tools (`trivy-action`, `setup-trivy`, LiteLLM versions `1.82.7`/`1.82.8`).\n2.  
**Log Analysis**: Scour CI/CD execution logs, network flow logs, and cloud audit logs (CloudTrail, Azure Activity Logs, GCP Audit Logs) for connections to the IOC domain `scan.aquasecurtiy[.]org` or any other suspicious outbound traffic from build runners dating back to March 19, 2026.\n3.  **Credential Rotation**: Initiate an immediate and full rotation of all secrets, keys, and credentials accessible within your CI/CD environment. This includes cloud IAM roles, SSH keys, database passwords, and API tokens. Prioritize credentials with high privileges.\n4.  **Rebuild Infrastructure**: Do not trust existing CI/CD runners. Destroy and rebuild all runner infrastructure from a known-clean, verified image.\n5.  **Threat Hunting**: Proactively hunt for signs of lateral movement or persistence originating from the time of the potential compromise. Look for new IAM users/roles, unexpected EC2 instances, or changes to security group configurations.\n\nFor detection, **[D3-NTA: Network Traffic Analysis](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)** is critical. Egress traffic from CI/CD environments should be heavily restricted and monitored. Any connection to a new or uncategorized domain should be an immediate red flag.\n\n## Mitigation\n\nThis attack highlights critical gaps in modern software development security. Long-term mitigation requires a strategic shift.\n\n*   **Pin Dependencies to Hashes**: Do not rely on mutable tags (e.g., `v1`, `latest`). Pin all third-party dependencies, including GitHub Actions and container images, to their immutable commit SHA or image digest. This prevents tag poisoning.\n*   **Implement Stricter CI/CD Egress Controls**: CI/CD runners should operate in a least-privilege network environment. Deny all outbound network access by default and explicitly allowlist only the necessary domains (e.g., package registries, code repositories). 
This would have blocked the exfiltration to `scan.aquasecurtiy[.]org`.\n*   **Enforce Credential Best Practices**: Use short-lived credentials wherever possible (e.g., OIDC for cloud access in GitHub Actions). Avoid storing long-lived static credentials in environment variables. Use a dedicated secrets management solution.\n*   **Protect Code Repositories**: Enable branch and tag protection rules on critical repositories to prevent force pushes. Enforce **[D3-MFA: Multi-factor Authentication](https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication)** for all developers.\n*   **Vendor Software Vetting**: Before integrating a new open-source tool, perform security due diligence. Review its release process, security policies, and historical incidents. Consider using tools that can verify software provenance using frameworks like SLSA.","🚨 MASSIVE SUPPLY CHAIN ATTACK: Threat actor TeamPCP compromises popular Trivy scanner & LiteLLM library. Malicious updates injected into CI/CD pipelines to steal cloud credentials. Over 1,000 SaaS environments impacted. 
⚠️ #SupplyChain #Trivy #CVE202633634","Detailed analysis of the sophisticated supply chain attack by TeamPCP on Trivy, LiteLLM, and Checkmarx, leading to widespread compromise of cloud environments via CVE-2026-33634.",[13,14,15],"Supply Chain Attack","Malware","Threat Actor","critical",[18,22,25,29,32,34,37,41,45,48,51,54,57],{"name":19,"type":20,"url":21},"TeamPCP","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/teampcp",{"name":23,"type":20,"url":24},"Lapsus$","https://attack.mitre.org/groups/G1004/",{"name":26,"type":27,"url":28},"Aqua Security","vendor","https://www.aquasec.com/",{"name":30,"type":31},"Trivy","product",{"name":33,"type":31},"LiteLLM",{"name":35,"type":27,"url":36},"Checkmarx","https://www.checkmarx.com/",{"name":38,"type":39,"url":40},"Mandiant","security_organization","https://www.mandiant.com/",{"name":42,"type":43,"url":44},"GitHub","company","https://github.com/",{"name":46,"type":43,"url":47},"Amazon Web Services","https://aws.amazon.com/",{"name":49,"type":31,"url":50},"Google Cloud Platform","https://cloud.google.com/",{"name":52,"type":31,"url":53},"Microsoft Azure","https://azure.microsoft.com/",{"name":55,"type":56},"PyPI","other",{"name":58,"type":43},"FutureSearch",[60],{"id":61,"cvss_score":62,"cvss_version":63,"kev":64,"severity":16},"CVE-2026-33634",9.4,"4.0",false,[66,72,77,83,88,92,97],{"url":67,"title":68,"date":69,"friendly_name":70,"website":71},"https://www.paloaltonetworks.com/blog/2026/03/trivy-supply-chain-attack/","When Security Scanners Become the Weapon: Breaking Down the Trivy Supply Chain Attack","2026-03-24","Palo Alto Networks","paloaltonetworks.com",{"url":73,"title":74,"date":69,"friendly_name":75,"website":76},"https://www.securityboulevard.com/2026/03/trivys-march-supply-chain-attack-shows-where-secret-exposure-hurts-most/","Trivy's March Supply Chain Attack Shows Where Secret Exposure Hurts Most","Security 
Boulevard","securityboulevard.com",{"url":78,"title":79,"date":80,"friendly_name":81,"website":82},"https://www.scmagazine.com/brief/cloud-security/widespread-cloud-environment-compromise-facilitated-by-trivy-supply-chain-hack","Widespread cloud environment compromise facilitated by Trivy supply chain hack","2026-03-25","SC Magazine","scmagazine.com",{"url":84,"title":85,"date":80,"friendly_name":86,"website":87},"https://www.helpnetsecurity.com/2026/03/25/litellm-supply-chain-attack-team-pcp/","LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks","Help Net Security","helpnetsecurity.com",{"url":89,"title":90,"date":80,"friendly_name":26,"website":91},"https://www.aquasec.com/blog/update-ongoing-investigation-and-continued-remediation/","Update: Ongoing Investigation and Continued Remediation","aquasec.com",{"url":93,"title":94,"date":80,"friendly_name":95,"website":96},"https://www.kaspersky.com/blog/trivy-checkmarx-litellm-supply-chain-attack/49943/","Trojanization of Trivy, Checkmarx, and LiteLLM solutions","Kaspersky","kaspersky.com",{"url":98,"title":99,"date":69,"friendly_name":100,"website":101},"https://www.cyberscoop.com/trivy-supply-chain-attack-mandiant-aqua-security/","Experts warn of a 'loud and aggressive' extortion wave following Trivy hack","CyberScoop","cyberscoop.com",[103,106,109,112,115],{"datetime":104,"summary":105},"2026-02","A bot named 'hackerbot-claw' steals a GitHub Personal Access Token (PAT) from Aqua Security.",{"datetime":107,"summary":108},"2026-03-01","Aqua Security rotates credentials, but the remediation is incomplete, leaving attackers with residual access.",{"datetime":110,"summary":111},"2026-03-19T17:43:00Z","TeamPCP uses the stolen PAT to poison Git tags for trivy-action and setup-trivy, initiating the supply chain attack.",{"datetime":113,"summary":114},"2026-03-23","The attack expands to target Checkmarx KICS and AST tools.",{"datetime":69,"summary":116},"The campaign pivots to PyPI, publishing 
malicious versions of the LiteLLM library.",[118,122,125,128,132,136],{"id":119,"name":120,"tactic":121},"T1195.001","Compromise Software Supply Chain","Initial Access",{"id":123,"name":124,"tactic":121},"T1078","Valid Accounts",{"id":126,"name":127,"tactic":121},"T1554","Compromise Infrastructure",{"id":129,"name":130,"tactic":131},"T1552.006","Cloud Credentials","Credential Access",{"id":133,"name":134,"tactic":135},"T1048","Exfiltration Over Alternative Protocol","Exfiltration",{"id":137,"name":138,"tactic":139},"T1613","Container and Resource Discovery","Discovery",[141,146,150,154,158,162],{"id":142,"name":143,"description":144,"domain":145},"M1045","Code Signing","Verifying the signatures of software dependencies can help detect tampering, although this attack also compromised the release process itself.","enterprise",{"id":147,"name":148,"description":149,"domain":145},"M1051","Update Software","While updating is crucial, this incident shows that updates must be verified. Pinning dependencies to immutable hashes is a more robust approach than using mutable tags.",{"id":151,"name":152,"description":153,"domain":145},"M1047","Audit","Implement comprehensive auditing of CI/CD pipelines, GitHub Actions, and network egress from build environments to detect anomalous behavior.",{"id":155,"name":156,"description":157,"domain":145},"M1037","Filter Network Traffic","Apply strict egress filtering on CI/CD runners to block connections to unauthorized domains, which would have prevented data exfiltration.",{"id":159,"name":160,"description":161,"domain":145},"M1018","User Account Management","Regularly audit and rotate high-privilege credentials like PATs. 
Use short-lived, dynamically-generated tokens instead of static PATs where possible.",{"id":163,"name":164,"description":165,"domain":145},"M1032","Multi-factor Authentication","Enforce MFA on all developer and service accounts to prevent takeover via single-factor credential theft.",[167,172,177],{"technique_id":168,"technique_name":169,"url":170,"recommendation":171,"mitre_mitigation_id":155},"D3-OTF","Outbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering","In the context of the Trivy supply chain attack, implementing strict outbound traffic filtering on all CI/CD runners is the most critical defense. The attackers' primary method of data exfiltration relied on the build agent's ability to connect to an external, attacker-controlled domain (`scan.aquasecurtiy[.]org`). A default-deny egress policy should be enforced on the network level for all build environments. Create an explicit allowlist of required domains, such as `*.github.com`, `pypi.org`, and other necessary package registries. Any attempt by a build process to connect to a domain not on this list should be blocked and trigger a high-severity alert. This single control would have rendered the infostealer's primary exfiltration channel useless, significantly mitigating the impact of the compromise. For environments in AWS, this can be implemented using NACLs and Security Groups combined with a NAT Gateway and a proxy that filters based on a domain allowlist.",{"technique_id":173,"technique_name":174,"url":175,"recommendation":176,"mitre_mitigation_id":147},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","This attack weaponized the software update process itself through tag poisoning. To counter this, organizations must evolve their update strategy. 
Instead of relying on mutable version tags like `v1` or `latest` in CI/CD configurations, all dependencies (GitHub Actions, Docker images, software packages) must be pinned to immutable identifiers. For GitHub Actions, this means using the full commit SHA. For Docker images, use the image digest (SHA256 hash). This ensures that the build process always pulls the exact, verified version of the dependency, making it immune to tag poisoning where the underlying code pointed to by the tag is changed. This practice should be enforced via policy-as-code (e.g., OPA Gatekeeper) to scan CI/CD configurations and block any builds that use mutable tags.",{"technique_id":178,"technique_name":179,"url":180,"recommendation":181,"mitre_mitigation_id":151},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","The attack was initiated with a compromised GitHub PAT. Organizations must treat service accounts and PATs as high-value assets and monitor their usage for anomalies. For GitHub, this involves ingesting audit logs into a SIEM and creating alerts for suspicious activities. Key events to monitor include: a PAT being used from an unexpected IP address or geographic location; a PAT being used to perform sensitive actions like force-pushing to a protected branch or changing repository settings; or a PAT showing an unusual frequency of API calls. The fallback C2 method involved creating a new public repository, which is a highly anomalous action for an automated build process and should trigger an immediate alert. 
By baselining normal PAT activity, security teams can detect deviations that indicate a compromise.",[183,187],{"type":184,"value":185,"description":186},"domain","scan.aquasecurtiy[.]org","C2 and data exfiltration domain",{"type":184,"value":188,"description":189},"models.litellm[.]cloud","Infrastructure related to the LiteLLM compromise",[191,197,200,205,210,216],{"type":192,"value":193,"description":194,"context":195,"confidence":196},"url_pattern","aquasecurity/trivy-action","Monitor CI/CD logs for pulls of this GitHub Action, especially if versions were not explicitly pinned to a commit hash.","GitHub Actions logs, CI/CD pipeline execution logs.","high",{"type":192,"value":198,"description":199,"context":195,"confidence":196},"aquasecurity/setup-trivy","Monitor CI/CD logs for pulls of this GitHub Action.",{"type":201,"value":202,"description":203,"context":204,"confidence":196},"file_name","proxy_server.py","For LiteLLM users, check for modifications to this file, especially in versions 1.82.7 and 1.82.8.","File Integrity Monitoring (FIM), source code repository history.",{"type":206,"value":207,"description":208,"context":209,"confidence":196},"network_traffic_pattern","Egress traffic from CI/CD runners to non-standard domains.","Attackers exfiltrated data to scan.aquasecurtiy[.]org. 
Hunt for any unusual outbound connections from build agents.","VPC flow logs, firewall logs, network monitoring tools.",{"type":211,"value":212,"description":213,"context":214,"confidence":215},"command_line_pattern","git push --force","Monitor for force pushes to protected branches or tags in critical repositories.","Git server audit logs, GitHub Enterprise audit logs.","medium",{"type":217,"value":218,"description":219,"context":220,"confidence":215},"api_endpoint","api.github.com/repos/{org}/{repo}/releases","Monitor for CI/CD processes creating new public repositories and uploading release assets, a fallback C2 method.","GitHub audit logs, CloudTrail for API calls from build agents.",[222,223,224,225,55,226],"CI/CD Security","Tag Poisoning","Infostealer","GitHub Actions","Cloud Security","2026-03-25T15:00:00.000Z","NewsArticle",{"geographic_scope":230,"industries_affected":231,"other_affected":234,"people_affected_estimate":238},"global",[232,233],"Technology","Other",[235,236,237],"SaaS environments","open-source software users","AI developers","Over 1,000 organizations compromised, potential for 10,000",6,"2026-04-08T12:00:00Z",[242],{"update_id":243,"update_date":240,"datetime":240,"title":244,"summary":245,"sources":246},"update-1","Update 1","Cisco confirmed as victim of Trivy supply chain attack, leading to source code and AWS key theft from internal development environments.",[247,250],{"title":248,"url":249},"The Week in Breach News: April 08, 2026 | Kaseya","https://www.kaseya.com/resource/the-week-in-breach-news-april-08-2026/",{"title":251,"url":252},"Cisco Reportedly Hit By Cyberattack Via Trivy Supply Chain Compromise","https://www.crn.com/news/security/cisco-reportedly-hit-by-cyberattack-via-trivy-supply-chain-compromise",1775683842336]