
TeamPCP Supply Chain Campaign: Update 001 - Checkmarx Scope Wider Than Reported, CISA KEV Entry, and Detection Tools Available (Thu, Mar 26th)

Medium
Vulnerability
Published: Thu Mar 26 2026 (03/26/2026, 17:42:22 UTC)
Source: SANS ISC Handlers Diary

Description

This is the first update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). That report covers the full campaign from the February 28 initial access through the March 24 LiteLLM PyPI compromise. This update covers developments since publication.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 17:31:16 UTC

Technical Analysis

The TeamPCP supply chain campaign represents a sophisticated and broad attack targeting critical security tooling and developer ecosystems. The initial access began on February 28, 2026, culminating in a major compromise of the Checkmarx ast-github-action GitHub Action. Contrary to initial reports focusing on a single compromised version (v2.3.28), new evidence shows all 91 published tags from v0.1-alpha through v2.3.32 were poisoned with malicious commits. Each tag was individually backdated and crafted to execute a credential-stealing setup.sh script before running the legitimate action, enabling attackers to harvest secrets from CI/CD environments regardless of the tag version used. This under-reporting led many organizations to overlook compromised runs referencing other tags.

Concurrently, CISA added CVE-2026-33634, a critical vulnerability in Trivy scanning tools, to its Known Exploited Vulnerabilities catalog, confirming active exploitation. Organizations using Trivy binaries or GitHub Actions must upgrade to safe versions immediately.

The PyPI package LiteLLM was also compromised, with malicious versions 1.82.7 and 1.82.8 yanked after quarantine was lifted. The vendor BerriAI has frozen releases pending a full supply chain security review, engaging Google’s Mandiant for forensic analysis. Any use of compromised LiteLLM versions requires immediate secret rotation. Community detection tools have been released to scan for indicators such as malicious .pth files, persistence backdoors, and attacker Kubernetes pods.

The threat actor TeamPCP openly claims responsibility and indicates a long-term campaign focused on stealing terabytes of trade secrets by weaponizing security tools themselves. The campaign’s timing around the RSA Conference suggests strategic planning to exploit reduced security staffing. Parallel supply chain attacks, such as ForceMemo, highlight the broader threat landscape. Organizations must conduct thorough log reviews, secret rotations, and update to clean versions of affected tools to mitigate risk.

Potential Impact

This campaign poses a significant risk to organizations worldwide that rely on compromised security tools and developer packages. The widespread poisoning of all Checkmarx ast-github-action tags means that any CI/CD pipeline using these actions during the exposure window likely had secrets stolen, potentially exposing credentials, tokens, and other sensitive information. The compromise of LiteLLM, present in over a third of monitored cloud environments, further expands the attack surface, risking credential theft and persistent backdoors in Kubernetes clusters. Exploitation of CVE-2026-33634 in Trivy scanning tools threatens organizations using these tools for container and infrastructure security, potentially allowing attackers to bypass security controls or gain footholds. The campaign’s focus on security tooling supply chains undermines trust in critical development and security processes, increasing the risk of intellectual property theft, data breaches, and long-term espionage. The timing around major security events may reduce detection and response capabilities. Organizations with automated CI/CD pipelines, cloud-native deployments, and heavy reliance on open-source security tools are particularly vulnerable. Failure to detect and remediate could lead to extensive lateral movement, data exfiltration, and operational disruption.

Mitigation Recommendations

Organizations should immediately search CI/CD logs for any execution of checkmarx/ast-github-action between 12:58 and 19:16 UTC on March 23, 2026, across all tag versions, not just v2.3.28. Any detected usage should trigger immediate rotation of all secrets accessible to those workflows. Upgrade to Checkmarx ast-github-action v2.3.33 or later, the only safe version. For Trivy users, ensure binaries are at least v0.69.2, trivy-action at v0.35.0 or pinned to SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1, and setup-trivy at v0.2.6. Remove and replace any LiteLLM versions 1.82.7 or 1.82.8; rotate all credentials present as environment variables, configuration files, or Kubernetes secrets on affected systems. Deploy community detection tools such as jthack/litellm-vuln-detector to scan for persistence mechanisms and exfiltration indicators. Harden CI/CD environments by restricting secret exposure, implementing least privilege, and monitoring for anomalous activity. Maintain heightened monitoring during major industry events when staffing may be reduced. Engage in supply chain risk management practices including verifying package integrity, using reproducible builds, and employing software bill of materials (SBOM) tools. Coordinate with vendors and threat intelligence sources for updates and forensic support. Prepare for potential breach disclosures and extortion attempts linked to this campaign.
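The log search and LiteLLM version check described above, as an added triage example (not code from SANS ISC, Checkmarx or BerriAI). It assumes CI log lines have already been reduced to (UTC timestamp, text) pairs and that dependencies are available in `pip freeze` form; the function names and all sample records are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Exposure window and versions exactly as stated in the mitigation text.
WINDOW_START = datetime(2026, 3, 23, 12, 58, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 23, 19, 16, tzinfo=timezone.utc)
SAFE_CHECKMARX = (2, 3, 33)
BAD_LITELLM = {"1.82.7", "1.82.8"}

USES_RE = re.compile(r"checkmarx/ast-github-action@([\w.\-]+)", re.I)

def parse_version(ref):
    """Numeric tuple for tags like v2.3.28; None for SHAs, branches, v0.1-alpha."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(map(int, m.groups())) if m else None

def triage_run(timestamp, line):
    """Classify one log line; returns (verdict, ref) or None if unrelated."""
    m = USES_RE.search(line)
    if not m:
        return None
    ref = m.group(1)
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    # Every tag was poisoned, so the ref never clears an in-window run.
    # Assumption: SHA-pinned runs in the window are treated the same way.
    if WINDOW_START <= ts <= WINDOW_END:
        return ("ROTATE_SECRETS", ref)
    ver = parse_version(ref)
    if ver is None:
        return ("REVIEW_REF", ref)   # cannot compare against v2.3.33
    return ("UPGRADE", ref) if ver < SAFE_CHECKMARX else ("OK", ref)

def triage(log):
    """Run triage_run over (timestamp, line) pairs, dropping unrelated lines."""
    return [r for r in (triage_run(ts, ln) for ts, ln in log) if r]

def bad_litellm_pins(freeze_text):
    """Return compromised LiteLLM versions pinned in pip-freeze style text."""
    pins = re.findall(r"(?im)^litellm==([\w.]+)\s*$", freeze_text)
    return [v for v in pins if v in BAD_LITELLM]

# Constructed sample data, not taken from any real pipeline.
SAMPLE_LOG = [
    ("2026-03-23T13:04:11Z", "uses: checkmarx/ast-github-action@v2.3.28"),
    ("2026-03-23T18:59:02Z", "uses: checkmarx/ast-github-action@v1.0.4"),
    ("2026-03-22T09:15:00Z", "uses: checkmarx/ast-github-action@v2.3.30"),
    ("2026-03-25T10:00:00Z", "uses: checkmarx/ast-github-action@v2.3.33"),
    ("2026-03-23T14:00:00Z", "uses: actions/checkout@v4"),
]

if __name__ == "__main__":
    for verdict, ref in triage(SAMPLE_LOG):
        print(f"{verdict:15} {ref}")
    print(bad_litellm_pins("requests==2.31.0\nlitellm==1.82.8\n"))
```

A `ROTATE_SECRETS` verdict covers every secret the workflow could read, not only those the Checkmarx step was given.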


Technical Details

Article Source
{"url":"https://isc.sans.edu/diary/rss/32834","fetched":true,"fetchedAt":"2026-03-26T17:30:54.809Z","wordCount":1065}

Threat ID: 69c56d4ef4197a8e3bec2651

Added to database: 3/26/2026, 5:30:54 PM

Last enriched: 3/26/2026, 5:31:16 PM

Last updated: 3/26/2026, 8:25:46 PM
