The Biggest Open Source Supply Chain Attack of 2026 Is Still Unfolding
A threat actor calling themselves TeamPCP has launched a coordinated, multi-stage supply chain attack targeting open source security tools and developer infrastructure. Starting with Aqua Security’s Trivy vulnerability scanner, the campaign has since expanded to compromise Checkmarx’s KICS GitHub Action, OpenVSX extensions, and a trojanized release of LiteLLM on PyPI.
If your CI/CD pipeline runs any of these tools, your secrets may already be exposed. Here is the complete timeline, technical breakdown, and the concrete steps you need to take right now.
Why This Attack Matters
This is not a random npm typosquatting campaign. TeamPCP is systematically targeting security scanners and CI/CD tools that sit inside enterprise pipelines with access to credentials, infrastructure secrets, and production environments.
These tools exist to find secrets, infrastructure misconfigurations, and code flaws, so they run with access to exactly the material an attacker wants. Compromise the tool and you inherit that access everywhere it runs, including banks, telecoms, and hospitals: the attacker gets the secrets and a map of where the weak points are.
Complete Attack Timeline
Stage 1: Trivy GitHub Actions Compromise (March 19-20)
- TeamPCP compromised Aqua Security's GitHub organization and modified tags in the trivy-action repository
- Malicious commits were staged via imposter commits on forks, then tags were updated to point at the malicious code
- The payload gathered environment variables, SSH keys, AWS credentials, and dumped CI runner process memory to carve secrets
- Exfiltrated data was encrypted with an RSA public key and sent to attacker-controlled infrastructure
Stage 2: Trivy Docker Hub Images (March 23)
- Malicious Docker images tagged 0.69.5 and 0.69.6 were pushed to Aqua Security's Docker Hub account
- Root cause: incomplete secret rotation after the initial breach let the attacker back in
Stage 3: KICS GitHub Action (March 23, 12:58-16:50 UTC)
- Checkmarx KICS infrastructure-as-code scanner was compromised using the same technique
- All 35 tags in the repository were updated to serve malicious code
- The payload used a new exfiltration domain and added a Kubernetes-focused persistence mechanism
- Compromise was achieved via the cx-plugins-releases service account
Stage 4: OpenVSX Extensions (March 23)
- Checkmarx OpenVSX extensions cx-dev-assist 1.7.0 and ast-results 2.53.0 were compromised
- Any VS Code user pulling these extensions from OpenVSX was served malicious code
Stage 5: LiteLLM on PyPI (March 24)
- Trojanized versions 1.82.7 and 1.82.8 of the popular AI proxy library litellm were published to PyPI
- Same exfiltration pattern but using a new domain
- Quarantined by PyPI at 11:25 UTC, roughly 3 hours after publication
Technical Breakdown: How the Payload Works
The attack pattern is consistent across all targets:
- Initial access: Compromise a service account or maintainer token via credentials stolen in a prior stage
- Tag manipulation: Create imposter commits on forks, then update repository tags to point at them
- Secret harvesting: A setup script runs during CI, gathering environment variables, SSH keys, and cloud credentials
- Memory dumping: On GitHub-hosted runners, a Python script reads the memory of the Runner.Worker process and carves secrets out of it with regular expressions
- Cloud metadata crawling: Queries AWS IMDS endpoints and Kubernetes API for service account tokens
- Encrypted exfiltration: All harvested data is RSA-encrypted and sent to attacker infrastructure, with creation of a GitHub repository as a fallback channel
- Persistence: Drops a follow-on Python payload for long-term access
Are You Affected? How to Check
Immediate Actions
1. Audit your GitHub Actions workflows
Search your repositories for any reference to aquasecurity/trivy-action, Checkmarx/kics-github-action, or Checkmarx/ast-github-action, including reusable workflows and composite actions you maintain that call them indirectly. If you were pinning to a tag or branch rather than a full commit SHA, you were vulnerable during the attack windows. A tag that was repointed and later restored leaves no trace in your own repository, so go by the workflow run logs, which record the commit SHA each action resolved to, not by what the tag points at today.
2. Rotate ALL secrets exposed to CI
If any of these tools ran in your pipelines during the attack windows, assume every secret that was available to those jobs is compromised. Rotate GitHub tokens, AWS access keys, Kubernetes service account tokens, Docker registry credentials, and any secrets passed as environment variables, and rotate completely: the Docker Hub stage of this campaign happened because rotation after the first breach was incomplete.
3. Check Docker images
If you pulled Trivy Docker images recently, check that you do not have the 0.69.5 or 0.69.6 tags, remove them immediately, and prefer pulling by digest from now on, because a tag on a registry can be re-pushed just like a git tag can be repointed.
4. Check VS Code extensions
If you use OpenVSX, check for cx-dev-assist 1.7.0 or ast-results 2.53.0 and remove them.
5. Check Python dependencies
If you use litellm, ensure you are not on version 1.82.7 or 1.82.8.
Long-Term Defenses: Hardening Your Supply Chain
Pin to Commit SHAs, Not Tags
Tags can be repointed, and that is exactly what TeamPCP exploited. Always pin GitHub Actions to the full 40-character commit SHA; only a full-length SHA is immutable, while tags and branch names can move. Pinning freezes what you pinned, good or bad, so review the commit before you pin to it, and keep the version tag in a trailing comment so reviewers can still tell what release the SHA corresponds to.
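The audit from step 1 of the checklist above and the SHA-pinning advice here can be done with one script. The following is an added example written for this article, not code from Aqua, Checkmarx or the attacker; it parses `uses:` lines with a regex (no YAML library), reports affected actions referenced by anything other than a full SHA, and rewrites those refs from a mapping you resolve and review out of band. The sample workflow and its 40-digit SHAs are constructed placeholders.

```python
"""Audit GitHub Actions workflows for the actions named in this advisory and for
mutable references, then rewrite mutable refs to reviewed commit SHAs.

Added example for this article; it is not Aqua, Checkmarx or TeamPCP code and
assumes nothing about their repositories beyond the action names quoted above.
Parsing is a line-based regex over `uses:` entries so it needs no YAML library.
"""
import re

# Actions named in this article. Comparison is case-insensitive because GitHub
# resolves owner/repo names case-insensitively.
AFFECTED_ACTIONS = {
    "aquasecurity/trivy-action",
    "checkmarx/kics-github-action",
    "checkmarx/ast-github-action",
}

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally as a list item.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+)(?:/[^@'\"\s]*)?@(?P<ref>[^'\"\s#]+)"
)
# Only a full 40-hex commit SHA is immutable; tags, branches and short SHAs are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(text):
    """Yield (line_no, action, ref) for each `uses:` step in a workflow file."""
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            yield n, m.group("action").lower(), m.group("ref")


def audit_workflow(text):
    """One finding per step: is the action on the affected list, and is the ref immutable?"""
    return [
        {
            "line": n,
            "action": action,
            "ref": ref,
            "pinned_by_sha": bool(FULL_SHA_RE.match(ref)),
            "affected": action in AFFECTED_ACTIONS,
        }
        for n, action, ref in parse_uses(text)
    ]


def exposed(findings):
    """Steps that would have run attacker code when the tag was repointed:
    an affected action referenced by anything other than a full commit SHA."""
    return [f for f in findings if f["affected"] and not f["pinned_by_sha"]]


def pin_to_sha(text, resolved):
    """Replace mutable refs with full SHAs from a caller-supplied {"owner/repo@ref": sha}
    map. Resolve that map out of band (for example `git ls-remote --tags`) and review
    the commit before trusting it: pinning freezes what you pinned, good or bad.
    The human-readable ref is kept as a trailing comment."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            sha = resolved.get(f"{m.group('action').lower()}@{m.group('ref')}")
            if sha and FULL_SHA_RE.match(sha):
                line = line.replace("@" + m.group("ref"), "@" + sha, 1) + f"  # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow. The 40-digit SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: Checkmarx/kics-github-action@v2.1.0
      - uses: "checkmarx/ast-github-action@1111111111111111111111111111111111111111"
"""

if __name__ == "__main__":
    for f in exposed(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is an affected action on a mutable ref")
```

Run it over every file under `.github/workflows/` in each repository; anything `exposed()` returns is a job whose secrets you should treat as rotated-or-burned, regardless of what the tag points at now.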
Implement SLSA Provenance Verification
SLSA provenance is a signed statement of how an artifact was built (which source repository, which builder, which workflow); Sigstore supplies the signing and verification; an SBOM lists what is inside the artifact. Verify provenance before you consume a release, and check that the recorded source and builder are the ones you expect, not only that the signature is valid: a valid signature proves who signed, not that the build was honest.
Use Allowlists for GitHub Actions
GitHub Organizations can restrict which Actions are allowed to run. Set a strict allowlist of approved Actions and require SHA pinning for all of them.
Network Segmentation for CI Runners
Your CI runners should not have unfettered outbound network access. Implement Zero Trust networking for build environments. Block outbound connections except to known-good registries, monitor DNS queries for unusual domains, and use private registries instead of pulling directly from public sources.
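As an added example (not from the page's sources), here is the DNS-monitoring half of that advice as detection logic run over constructed resolver log lines. The log format, the allowlist and the .example domains are assumptions made for the example; point LOG_RE at whatever your resolver actually emits.

```python
"""Flag DNS queries from CI runners that fall outside a known-good egress allowlist.

Added example for this article, not a vendor's detection content. The log line
format is constructed for the example: `<ISO timestamp> <runner> query <type> <name>`.
Adapt LOG_RE to whatever your resolver (dnsmasq, CoreDNS, Route 53 query logs) emits.
"""
import math
import re
from collections import Counter

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<runner>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<name>\S+)$")

# Registries and services a build is expected to reach. Keep this list short; every
# entry is also a place stolen data could be sent.
ALLOWLIST = {
    "github.com",
    "githubusercontent.com",
    "pypi.org",
    "files.pythonhosted.org",
    "registry.npmjs.org",
    "docker.io",
}


def is_allowed(name, allowlist):
    """Exact or parent-domain match only. A substring test would let
    `github.com.attacker.example` through, which is the classic mistake."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)


def shannon_entropy(s):
    """Bits per character; hex or base64 blobs score high, English words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def flag_queries(lines, allowlist=ALLOWLIST, max_label=30, max_entropy=3.5):
    """Return one finding per non-allowlisted query, with reasons. A long or
    high-entropy leftmost label on top of that suggests data smuggled in DNS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped here; count them in production
        name = m.group("name").rstrip(".").lower()
        if is_allowed(name, allowlist):
            continue
        reasons = ["not in egress allowlist"]
        label = name.split(".")[0]
        if len(label) >= max_label or shannon_entropy(label) >= max_entropy:
            reasons.append("long or high-entropy label")
        findings.append({"ts": m.group("ts"), "runner": m.group("runner"),
                         "qtype": m.group("qtype"), "name": name, "reasons": reasons})
    return findings


# Constructed sample log; the .example / .example.net names are reserved, not real hosts.
SAMPLE_LOG = """\
2026-03-23T13:01:02Z runner-07 query A registry-1.docker.io
2026-03-23T13:01:05Z runner-07 query A files.pythonhosted.org
2026-03-23T13:02:11Z runner-07 query A github.com.attacker-controlled.example
2026-03-23T13:02:12Z runner-07 query A update-check.example.net
2026-03-23T13:02:13Z runner-07 query TXT 4d3f9a1c7e2b8f0d6a5c4e3b2a1f0e9d8c7b6a5f.example.net
"""

if __name__ == "__main__":
    for f in flag_queries(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['runner']} {f['qtype']} {f['name']}: {', '.join(f['reasons'])}")
```

The allowlist check is the one that matters for this campaign, since the payload talks to attacker-controlled domains the runner has no business resolving; the entropy check is a cheap extra that catches data being smuggled out in query names if the runner is firewalled down to DNS only.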
Short-Lived Credentials Only
Never store long-lived secrets in CI. Use OIDC federation and short-lived tokens for cloud provider access. If a token is stolen, its blast radius is bounded by its expiry and by the trust policy's subject condition, so scope that condition to the repository, branch, or environment that genuinely needs the role rather than to an entire organization.
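To make the blast-radius argument concrete, this added example (written for this article, not AWS's or GitHub's code) re-implements the two IAM condition operators a GitHub OIDC trust policy relies on and runs constructed token claims through a loose and a strict policy. The claim values and the fixed clock are assumptions for the example.

```python
"""Evaluate an OIDC trust policy the way a cloud IAM would, to show what bounds a
stolen short-lived token: expiry, and the subject condition on the role.

Added example for this article; it is a small re-implementation of two IAM
condition operators (StringEquals, StringLike) over GitHub's OIDC claims, not the
AWS evaluator itself. The claim values below are constructed, not captured tokens.
"""
import re
import time

ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def evaluate_condition(condition, claims):
    """Return (allowed, reason) for a trust-policy Condition block against the
    token's claims. Every listed test must pass; a missing claim is a failure."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            if not key.startswith(CLAIM_PREFIX):
                return False, f"unsupported condition key {key}"
            value = claims.get(key[len(CLAIM_PREFIX):])
            if value is None:
                return False, f"claim {key} missing from token"
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = value in patterns
            elif operator == "StringLike":
                ok = any(_string_like(p, value) for p in patterns)
            else:
                return False, f"unsupported operator {operator}"
            if not ok:
                return False, f"{operator} on {key} rejected {value!r}"
    return True, "ok"


def can_assume_role(condition, claims, now=None):
    """The checks a federated AssumeRole does before minting cloud credentials."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"  # a leaked token is dead within minutes
    return evaluate_condition(condition, claims)


# Weak: any workflow in the acme org, including pull_request runs, can assume the role.
LOOSE_CONDITION = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme/*"},
}
# Strict: only the deploy repo, only its main branch.
STRICT_CONDITION = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme/deploy:ref:refs/heads/main"},
}


def github_claims(sub, exp, aud="sts.amazonaws.com"):
    """Constructed token claims in GitHub's `sub` format (repo:OWNER/REPO:<context>)."""
    return {"iss": ISSUER, "aud": aud, "sub": sub, "exp": exp}


NOW = 1_774_000_000  # fixed clock so the example is deterministic
MAIN_PUSH = github_claims("repo:acme/deploy:ref:refs/heads/main", NOW + 600)
PR_RUN = github_claims("repo:acme/deploy:pull_request", NOW + 600)
OTHER_REPO = github_claims("repo:acme/sandbox:ref:refs/heads/feature", NOW + 600)
STOLEN_OLD = github_claims("repo:acme/deploy:ref:refs/heads/main", NOW - 1)

if __name__ == "__main__":
    for name, claims in [("main push", MAIN_PUSH), ("pull_request run", PR_RUN),
                         ("other repo", OTHER_REPO), ("expired", STOLEN_OLD)]:
        print(name, "loose:", can_assume_role(LOOSE_CONDITION, claims, NOW)[0],
              "strict:", can_assume_role(STRICT_CONDITION, claims, NOW)[0])
```

The point the two policies make: with `repo:acme/*`, a harvested token from any job in the organization, including a pull_request run of an unrelated repository, mints production credentials; with the strict subject, only a main-branch run of the deploy repository can, and even that token stops working once `exp` passes.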
Continuous Dependency Monitoring
Do not wait for incidents to audit your dependencies. Use tools that continuously monitor for supply chain anomalies including unexpected version bumps, new maintainers, and suspicious code patterns.
The Bigger Picture
There is growing speculation about a possible connection between TeamPCP and the LAPSUS$ group, though this remains unconfirmed. The operational pattern is clear: compromise one tool, harvest credentials, use those credentials to compromise the next tool. The effect is worm-like even though an operator drives each hop: every compromised tool hands over the keys to the next one.
The uncomfortable truth is that even security tools backed by well-funded commercial vendors are not immune. The lesson is not that these companies failed but that no single point of trust is sufficient.
As threat modeling teaches us: every dependency is an attack surface. The tools meant to protect your supply chain are themselves part of the supply chain. Defense in depth is the only approach that works.
Recommended Security Resources
- Software Supply Chain Security by Cassie Crossley covers end-to-end supply chain security including SBOMs, provenance, and organizational practices
- Container Security by Liz Rice is essential reading for anyone running containers in production, covering image scanning and runtime security
- Hacking Kubernetes by Andrew Martin and Michael Hausenblas provides threat-driven analysis of Kubernetes security including supply chain attacks
- Securing DevOps by Julien Vehent covers practical CI/CD security patterns including pipeline hardening
- A YubiKey 5 NFC provides FIDO2 phishing-resistant authentication for maintainer and administrator accounts. Note what it does and does not cover: it hardens interactive logins, but it does nothing for stolen service-account tokens of the kind that carried the later stages of this campaign, and the initial access vector has not been confirmed
Stay Updated
This situation is still developing. TeamPCP has signaled they plan to continue targeting security tools. We will update this article as new information emerges.
For daily security intelligence and breaking threat alerts, subscribe to Alpha Signal Pro for our daily newsletter covering supply chain security, market intelligence, and emerging threats.
Last updated: March 24, 2026