
Trojanization of Trivy, Checkmarx, and LiteLLM solutions | Kaspersky official blog

Medium
Malware, rce
Published: Wed Mar 25 2026 (03/25/2026, 16:29:47 UTC)
Source: Kaspersky Security Blog

Description

How Trivy and Checkmarx open-source solutions became the starting point for a massive TeamPCP attack on other applications, and what organizations using them should do.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/25/2026, 16:32:24 UTC

Technical Analysis

On March 19, 2026, the TeamPCP threat actor launched a large-scale supply chain attack targeting widely used open-source security tools integrated into automated software development pipelines. The initial compromise was of Trivy, an open-source vulnerability scanner, where attackers injected malicious code into official GitHub Actions workflows and Docker images. This malware stealthily executed during pipeline scans, exfiltrating SSH keys, cloud access tokens (AWS, GCP), cryptocurrency wallet credentials, Kubernetes secrets, and database connection data. The attack was assigned CVE-2026-33634 with a CVSS score of 9.4, reflecting its critical nature. Shortly after, similar compromises were found in Checkmarx KICS and AST tools, including their OpenVSX extensions. On March 24, the LiteLLM AI gateway was compromised via malicious PyPI packages (versions 1.82.7 and 1.82.8) containing credential-stealing malware. The malware also deployed persistent backdoors in Kubernetes clusters and propagated a self-replicating CanisterWorm worm across the npm ecosystem. Notably, the malware included a destructive payload that wiped Kubernetes clusters if Farsi language or Tehran timezone was detected, indicating a targeted destructive intent. The attackers exploited previously stolen credentials from a February incident to override version tags in Trivy’s GitHub repositories, redirecting trusted versions to malicious commits without visible metadata changes. The malware performed extensive reconnaissance, memory scraping, and secret harvesting from environment files and CI/CD configurations, exfiltrating data to attacker-controlled domains mimicking legitimate ones. Despite rapid removal of malicious artifacts, the attack likely affected thousands of organizations, with over 20,000 repositories vulnerable and claims of hundreds of gigabytes of stolen data and over 500,000 compromised accounts. 
The attack underscores the evolving threat landscape where CI/CD pipelines and open-source supply chains are prime targets. Traditional signature-based detection failed to identify the injected malware, necessitating behavioral monitoring and strict pipeline security controls. Immediate mitigation involves pinning exact dependency versions with cryptographic hashes, rotating all secrets, auditing workflows for suspicious activity, and restricting GitHub Actions to approved lists. Organizations are urged to conduct proactive threat hunting and restore affected environments from verified backups. Open-source tools like zizmor, gato, and allstar can assist in securing GitHub Actions workflows. This incident highlights the critical importance of securing the software supply chain and CI/CD environments against advanced persistent threats.

Potential Impact

The attack has severe implications for organizations worldwide relying on automated CI/CD pipelines and open-source security tools. By compromising trusted tools like Trivy, Checkmarx, and LiteLLM, attackers gained stealthy access to sensitive credentials, cloud infrastructure tokens, and cryptographic keys, enabling lateral movement and persistent access within corporate environments. The theft of SSH keys and cloud tokens risks unauthorized access to critical cloud resources (AWS, GCP), potentially leading to data breaches, service disruptions, and financial losses. The deployment of backdoors in Kubernetes clusters threatens availability and integrity of containerized applications, with the destructive payload capable of wiping entire clusters in targeted regions. The propagation of a self-replicating worm in the npm ecosystem risks widespread infection across JavaScript projects, amplifying the attack’s reach. The incident undermines trust in open-source supply chains and highlights the vulnerability of software development pipelines as a new attack surface. Organizations may face regulatory and reputational damage due to data exfiltration and prolonged undetected compromise. The attack’s sophistication and stealth complicate detection and remediation, increasing the risk of prolonged exposure and secondary attacks. Overall, the incident represents a critical supply chain compromise with broad impact across industries and geographies, emphasizing the need for enhanced supply chain security and CI/CD pipeline hardening.

Mitigation Recommendations

1. Immediately audit all CI/CD workflows to identify use of compromised versions of Trivy, Checkmarx KICS, AST, and LiteLLM, and replace them with verified clean versions (for Trivy, use binary 0.69.3, trivy-action 0.35.0, setup-trivy 0.2.6).
2. Pin all dependencies and GitHub Actions to exact commit SHAs or cryptographic hashes rather than floating version tags to prevent silent injection of malicious code.
3. Rotate all secrets, tokens, and credentials potentially exposed during the attack, including SSH keys, cloud access tokens, database credentials, and API keys.
4. Conduct thorough threat hunting in CI/CD logs, network traffic, and GitHub repositories for indicators such as traffic to suspicious domains (scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud) and the presence of suspicious repositories (e.g., docs-tpcp).
5. Restrict GitHub Actions usage to an approved allowlist and enforce least privilege on GITHUB_TOKEN and other credentials, avoiding write permissions unless absolutely necessary.
6. Minimize injection of secrets into runtime environments; use short-lived credentials managed by secrets managers and implement OIDC integrations where supported.
7. Avoid storing secrets on disk or in temporary files and prevent reuse of secrets across processes.
8. Employ behavioral monitoring tools to detect anomalous activity in CI/CD pipelines and container environments, as signature-based detection is insufficient.
9. Use open-source tools like zizmor, gato, and allstar to statically analyze and enforce security policies on GitHub Actions workflows.
10. Restore affected environments from verified backups after ensuring removal of malicious code and credentials.
11. Educate development and security teams on supply chain risks and enforce strict security hygiene in software development pipelines.
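A minimal audit for recommendations 2 and 4, added here as an example and not taken from the Kaspersky article or any of the affected projects: it flags `uses:` references that a moved tag could redirect (including the clean `0.35.0` tag, which is still mutable) and searches log lines for the listed domains. The workflow, the log format, the placeholder SHA and the `aquasecurity/trivy-action` reference are constructed sample input and assumptions.

```python
import re

# Indicator domains as listed (defanged) in recommendation 4; refanged only for matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "scan.aquasecurtiy[.]org", "checkmarx[.]zone", "models.litellm[.]cloud")]

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for every `uses:` that a moved tag could redirect."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):  # local actions carry no remote ref
            continue
        ref = m.group(1)
        if ref.startswith("docker://"):
            pinned = "@sha256:" in ref            # images are immutable only by digest
        else:
            pinned = bool(FULL_SHA_RE.fullmatch(ref.partition("@")[2]))
        if not pinned:
            findings.append((no, ref))
    return findings

def ioc_hits(log_lines):
    """Return (line_no, domain) for each log line that mentions a listed domain."""
    return [(no, d) for no, line in enumerate(log_lines, 1)
            for d in IOC_DOMAINS if d in line.lower()]

# Constructed sample input; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: ./.github/actions/local-lint
      - uses: docker://registry.example/scanner:latest
"""
SAMPLE_LOG = [
    "2026-03-20T10:00:01Z runner-7 dns query registry.npmjs.org",
    f"2026-03-20T10:00:02Z runner-7 dns query {IOC_DOMAINS[0]}",
]

if __name__ == "__main__":
    for no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {no}: not pinned to a commit SHA or digest: {ref}")
    for no, domain in ioc_hits(SAMPLE_LOG):
        print(f"log line {no}: contact with listed domain {domain}")
```

A full-SHA pin only helps if the SHA was verified against a known-good commit before it was written into the workflow.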


Technical Details

Article Source
{"url":"https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/","fetched":true,"fetchedAt":"2026-03-25T16:31:58.695Z","wordCount":1904}

Threat ID: 69c40dfef4197a8e3b6b43ce

Added to database: 3/25/2026, 4:31:58 PM

Last enriched: 3/25/2026, 4:32:24 PM

Last updated: 3/26/2026, 5:53:41 AM
