
The supply chain attack that compromised Aqua Security’s Trivy open source security vulnerability scanner and its associated GitHub Actions earlier this month continues to expand, with software development tools from Checkmarx and LiteLLM being the latest victims of the sophisticated campaign.
The threat group behind it, TeamPCP, is using the attacks to create persistence and to steal credentials and sensitive digital keys from organizations.
“The TeamPCP stealer’s primary function is harvesting credentials from CI runner memory,” Sysdig threat researchers wrote. “When a compromised Trivy action executes in a workflow, it extracts GitHub personal access tokens (PATs) and other secrets from the Runner.Worker process memory. If those tokens have write access to repositories that also use Checkmarx actions, the attacker can use them to push malicious code to additional action dependencies.”
The researchers added that such action “creates a cascading supply chain compromise: One poisoned action harvests credentials that enable poisoning of additional actions, each using a different typosquat domain to avoid pattern-based detection.”
A Moving Target
Damon Small, a board member with security firm Xcape, said that “the risk here is a ‘wormable’ supply chain: the malware scrapes runner memory for GitHub PATs and cloud keys, which it then uses to compromise any other repositories that the infected pipeline has write access to. For defenders, the priority isn’t just updating Trivy; it is a scorched-earth credential rotation.”
Small added that “it takes a special kind of irony for a vulnerability scanner to become the primary infection vector for your entire cloud environment.”
Organizations with pipelines that ran a Trivy scan between March 19 and 23 need to assume that every secret that was accessible through the scans – from Amazon Web Services (AWS) keys to npm tokens to SSH keys – has been stolen, Small said.
“Moving forward, security teams must enforce the pinning of all third-party GitHub Actions to full 40-character commit hashes to prevent this ‘silent’ tag-swapping from recurring,” he said.
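One way to act on that advice is a repository check that flags every third-party action referenced by a mutable tag or branch instead of a full commit SHA. The script below is an added example written for this article, not code from Xcape, Aqua Security or any other vendor quoted here; it assumes workflow files live under .github/workflows/ and use the standard `uses: owner/repo@ref` syntax, and the sample workflow and its 40-character SHA are constructed placeholders.

```python
"""Audit GitHub Actions workflow files for third-party actions that are not
pinned to a full 40-character commit SHA.

Added example (not code from the article or from any vendor quoted in it).
Assumptions: workflows live under .github/workflows/ and use the standard
`uses: owner/repo[/path]@ref` syntax. Local actions (./...) and Docker
references (docker://...) are classified separately because SHA pinning does
not apply to them in the same way.
"""
import re
import sys
from pathlib import Path

# A `uses:` line: optional list dash, the reference (optionally quoted), optional trailing comment.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^\s'"#]+)['"]?\s*(?:#.*)?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str):
    """Return (action, version, status); status is 'pinned', 'unpinned',
    'local', 'docker' or 'malformed'."""
    if ref.startswith("./"):
        return ref, "", "local"
    if ref.startswith("docker://"):
        return ref, "", "docker"
    if "@" not in ref:
        return ref, "", "malformed"
    action, version = ref.rsplit("@", 1)
    status = "pinned" if FULL_SHA_RE.match(version) else "unpinned"
    return action, version, status


def find_unpinned_actions(workflow_text: str):
    """Return [(line_no, action, version)] for every `uses:` reference that
    points at a mutable tag or branch (or is malformed) rather than a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, version, status = classify_ref(match.group("ref"))
        if status in ("unpinned", "malformed"):
            findings.append((line_no, action, version))
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - name: Run scanner
        uses: example-org/scanner-action@v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "example-org/other-action@main"
"""


def audit_repo(repo_root: Path):
    """Scan every workflow file in the repository; return {path: findings}."""
    workflows_dir = repo_root / ".github" / "workflows"
    results = {}
    for path in sorted(workflows_dir.glob("*.y*ml")):
        findings = find_unpinned_actions(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    results = audit_repo(root) if (root / ".github" / "workflows").is_dir() else {}
    if not results:
        # Fall back to the constructed sample so the script demonstrates itself.
        results = {"<sample workflow>": find_unpinned_actions(SAMPLE_WORKFLOW)}
    for path, findings in results.items():
        for line_no, action, version in findings:
            print(f"{path}:{line_no}: {action}@{version or '<missing>'} is not pinned to a full commit SHA")
    sys.exit(1 if any(results.values()) else 0)
```

Run it from a repository root (or pass the path as the first argument); a non-zero exit code makes it usable as a CI gate. The check treats short SHAs and anything else that is not 40 hex characters as unpinned, matching the advice above, and reports local and Docker references separately rather than silently skipping them.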
Incomplete Containment an Issue
According to Wiz researchers, TeamPCP actors were able to launch the multi-faceted attack through access gained via the “incomplete containment of an earlier incident,” pushing credential stealer code from a typosquatted domain into Trivy and publishing “backdoored binaries … to GitHub Releases, Docker Hub, GHCR, and ECR. The maintainers have since removed these malicious artifacts.”
Palo Alto Networks researchers noted that “incomplete containment is a recurring issue in incident response. When breaches are not fully addressed, they create the conditions for the next attack.” That was the case with Trivy.
The Python-based payload harvested not only credentials from cloud providers AWS, Google Cloud Platform, and Microsoft Azure, but also Kubernetes secrets, CI/CD and application secrets, infrastructure and access information, and cryptocurrency, according to Microsoft’s Defender Security Research Team.
Keeping Under the Radar
The attackers were able to pose as legitimate developers, and according to Microsoft, “after exfiltration, the malware cleaned up all temporary files and launched the legitimate Trivy scan. The workflow completed successfully with expected output, masking the compromise from pipeline operators.”
The persona impersonation tactics used by the TeamPCP attackers were similar to what Microsoft researchers saw in the Shai-Hulud 2.0 campaign.
Suzu Labs CTO Denis Calderone said security teams need to pay attention to TeamPCP’s technical execution.
“Stolen credentials from a misconfigured GitHub Actions workflow gave the attackers access to push malicious code into 75 of 76 version tags,” Calderone said. “The payload ran inside CI/CD pipelines, silently collecting GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, database passwords, and crypto wallets from every pipeline that pulled the compromised version. CI/CD runners hold the keys to everything, so compromising the pipeline is effectively compromising every environment that pipeline touches.”
After the Trivy compromise, TeamPCP was able to expand its reach into Checkmarx’s KICS open source static code analysis tool and LiteLLM, an open source AI gateway that offers a unified, OpenAI-compatible API used to call more than 100 large language model (LLM) providers, including OpenAI, Azure, AWS’s Bedrock, and Google Cloud Platform.
TeamPCP Worms Its Way In
The expansion to other victims was accomplished through CanisterWorm, which TeamPCP launched by using stolen credentials, according to Palo Alto researchers. The worm compromised more than 45 npm packages across various scopes.
“Later variants added token theft and malicious publishing in the postinstall hook, making every developer or CI pipeline that installed an affected package an unwitting propagation vector,” they wrote. “Twenty-eight packages were compromised in under 60 seconds.”
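Because the propagation relied on install-time lifecycle scripts, a useful defensive check is an inventory of which installed packages declare such hooks at all. The script below is an added example for this article, not code from Palo Alto Networks or any other vendor quoted here; it assumes the standard node_modules layout (node_modules/<name>/package.json and node_modules/@scope/<name>/package.json), and the sample tree it builds is constructed data, not real packages.

```python
"""List npm packages under node_modules that declare install-time lifecycle
scripts (preinstall, install, postinstall).

Added example, not code from the article or from any vendor it quotes.
Assumptions: the standard node_modules layout (node_modules/<name>/package.json
and node_modules/@scope/<name>/package.json); the tree created by
build_sample_tree() is constructed data, not real packages.
"""
import json
import sys
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def is_package_root(manifest: Path) -> bool:
    """True for node_modules/<name>/package.json or node_modules/@scope/<name>/package.json,
    so manifests buried deeper inside a package (test fixtures, examples) are ignored."""
    pkg_dir = manifest.parent
    if pkg_dir.parent.name == "node_modules":
        return True
    return pkg_dir.parent.name.startswith("@") and pkg_dir.parent.parent.name == "node_modules"


def find_install_scripts(node_modules: Path):
    """Return a sorted list of (package_name, hook, command) for every installed
    package (nested node_modules included) that defines an install-time script."""
    findings = []
    for manifest in node_modules.rglob("package.json"):
        if not is_package_root(manifest):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        scripts = data.get("scripts") or {}
        name = data.get("name") or manifest.parent.name
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, str(scripts[hook])))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Write a small constructed node_modules tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "plain-example": {"name": "plain-example", "version": "1.0.0"},
        "native-example": {"name": "native-example", "version": "2.1.0",
                           "scripts": {"install": "node-gyp rebuild", "test": "jest"}},
        "@acme/hooked-example": {"name": "@acme/hooked-example", "version": "0.0.1",
                                 "scripts": {"postinstall": "node setup.js"}},
    }
    for name, manifest in manifests.items():
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A manifest inside a package's test fixtures must not be reported.
    fixtures = root / "plain-example" / "test" / "fixtures"
    fixtures.mkdir(parents=True)
    (fixtures / "package.json").write_text(
        json.dumps({"name": "fixture", "scripts": {"postinstall": "echo fixture"}}),
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("node_modules")
    if not target.is_dir():
        target = build_sample_tree()  # demonstrate on constructed data
    for name, hook, command in find_install_scripts(target):
        print(f"{name}: {hook} -> {command}")
```

The output is an allow-list starting point: legitimate native modules do need an install script, so the point is to know exactly which packages run code at install time and to notice when that set changes between lockfile updates. In CI, running `npm ci --ignore-scripts` prevents these hooks from executing at all, which removes the propagation path the quote describes for pipelines that do not depend on native builds.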
The CanisterWorm component caught the attention of Suzu Labs’ Calderone.
“This is the first documented malware to use blockchain for command and control,” Calderone said. “Instead of traditional C2 servers that can be seized or sinkholed, the attackers are using smart contracts as a decentralized dead-drop. There’s no single server to take down, no domain to block. The operator can rotate payloads on-chain without ever touching an infected host.”
He called it “a fundamental shift in how attackers maintain persistence and control, and if this model proves out, it’s going to change how we think about disrupting campaigns.”
Targeting Open Source, AI Development
Sonatype researchers noted the targeting of LiteLLM, writing that the attackers are “looking to take advantage of enterprises leveraging open source to rapidly develop and deploy AI applications. The design of the malware suggests a broad targeting strategy aimed at developers, cloud environments, and modern application infrastructure.”
Kubernetes environments are a particular focus for the attackers, but the data being collected is intentionally broad, targeting any system that can store credentials or interact with cloud services.
“This makes the software supply chain attack especially dangerous in environments where developers, CI/CD systems, and production infrastructure share access to sensitive credentials, as compromise in one layer can quickly cascade into others,” they wrote.

