The Biggest Open Source Supply Chain Attack of 2026 Is Still Unfolding
A threat actor calling themselves TeamPCP has launched a coordinated, multi-stage supply chain attack targeting open source security tools and developer infrastructure. Starting with Aqua Security’s Trivy vulnerability scanner, the campaign has since expanded to compromise Checkmarx’s KICS GitHub Action, OpenVSX extensions, and a trojanized release of LiteLLM on PyPI.
If your CI/CD pipeline runs any of these tools, your secrets may already be exposed. Here is the complete timeline, technical breakdown, and the concrete steps you need to take right now.
Why This Attack Matters
This is not a random npm typosquatting campaign. TeamPCP is systematically targeting security scanners and CI/CD tools that sit inside enterprise pipelines with access to credentials, infrastructure secrets, and production environments.
These tools are, by design, scanners for secrets, infrastructure, and code. If attackers compromise the tools, and those tools run in enterprise environments, the attackers gain access to banks, telecom, and hospitals. They get secrets and a direct view into where the weak points are.
Complete Attack Timeline
Stage 1: Trivy GitHub Actions Compromise (March 19-20)
- TeamPCP compromised Aqua Security's GitHub organization and modified tags in the trivy-action repository
- Malicious commits were staged via imposter commits on forks, then tags were updated to point at the malicious code
- The payload gathered environment variables, SSH keys, AWS credentials, and dumped CI runner process memory to carve secrets
- Exfiltrated data was encrypted with an RSA public key and sent to attacker-controlled infrastructure
Stage 2: Trivy Docker Hub Images (March 23)
- Malicious Docker images 0.69.5 and 0.69.6 were pushed to Aqua Security's Docker Hub
- Root cause: incomplete secret rotation after the initial breach allowed re-entry
Stage 3: KICS GitHub Action (March 23, 12:58-16:50 UTC)
- Checkmarx KICS infrastructure-as-code scanner was compromised using the same technique
- All 35 tags in the repository were updated to serve malicious code
- The payload used a new exfiltration domain and added a Kubernetes-focused persistence mechanism
- Compromise was achieved via the cx-plugins-releases service account
Stage 4: OpenVSX Extensions (March 23)
- Checkmarx OpenVSX extensions cx-dev-assist 1.7.0 and ast-results 2.53.0 were compromised
- Any VS Code user pulling these extensions from OpenVSX was served malicious code
Stage 5: LiteLLM on PyPI (March 24)
- Trojanized versions 1.82.7 and 1.82.8 of the popular AI proxy library litellm were published to PyPI
- Same exfiltration pattern but using a new domain
- Quarantined by PyPI at 11:25 UTC, roughly 3 hours after publication
Technical Breakdown: How the Payload Works
The attack pattern is consistent across all targets:
- Initial access: Compromise a service account or maintainer token via credentials stolen in a prior stage
- Tag manipulation: Create imposter commits on forks, then update repository tags to point at them
- Secret harvesting: A setup script runs during CI, gathering environment variables, SSH keys, and cloud credentials
- Memory dumping: On GitHub-hosted runners, a Python script accesses process memory to dump Runner.Worker and extract secrets via regex
- Cloud metadata crawling: Queries AWS IMDS endpoints and the Kubernetes API for service account tokens
- Encrypted exfiltration: All harvested data is RSA-encrypted and sent to attacker infrastructure, with GitHub repo creation as a fallback
- Persistence: Drops a follow-on Python payload for long-term access
Are You Affected? How to Check
Immediate Actions
1. Audit your GitHub Actions workflows
Search your repositories for any reference to aquasecurity/trivy-action, Checkmarx/kics-github-action, or Checkmarx/ast-github-action. If you were pinning to a tag rather than a commit SHA, you were vulnerable during the attack windows.
2. Rotate ALL secrets exposed to CI
If any of these tools ran in your pipelines during the attack windows, assume your CI/CD secrets are compromised. Rotate GitHub tokens, AWS access keys, Kubernetes service account tokens, Docker registry credentials, and any secrets passed as environment variables.
3. Check Docker images
If you pulled Trivy Docker images recently, verify you do not have versions 0.69.5 or 0.69.6 and remove them immediately.
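One way to run the workflow audit from step 1, as an added example that is not part of the original article: it finds references to the three actions named above and reports whether each is pinned to a full commit SHA or to a tag or branch that can be repointed. The sample workflow, its tag names, and its SHA are constructed for illustration.

```python
import pathlib
import re
import sys

# Actions named in the article; GitHub owner/repo names are case-insensitive.
AFFECTED = {
    "aquasecurity/trivy-action",
    "checkmarx/kics-github-action",
    "checkmarx/ast-github-action",
}
# `uses: owner/repo[/subpath]@ref`, with optional list dash and quotes.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]*)?@([^\s'"#]+)""",
    re.IGNORECASE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Constructed sample workflow; the tag names and the SHA are made up.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - name: IaC scan
        uses: Checkmarx/kics-github-action@v2.1.0
      - uses: "checkmarx/ast-github-action@0123456789abcdef0123456789abcdef01234567"
"""

def audit_workflow(text):
    """Return (line_no, action, ref, pinned_to_sha) for each affected reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() in AFFECTED:
            pinned = bool(FULL_SHA_RE.match(m.group(2)))
            findings.append((line_no, m.group(1), m.group(2), pinned))
    return findings

if __name__ == "__main__":
    # With a repository path argument, scan its workflows; otherwise the sample.
    root = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else None
    files = sorted(root.glob(".github/workflows/*.y*ml")) if root else [None]
    for f in files:
        text = f.read_text() if f else SAMPLE_WORKFLOW
        for line_no, action, ref, pinned in audit_workflow(text):
            status = "pinned to SHA" if pinned else "MUTABLE REF, exposed to retagging"
            print(f"{f or 'sample'}:{line_no}: {action}@{ref} -> {status}")
```

A full SHA pin cannot be moved by retagging, but confirm that the pinned commit belongs to the upstream repository's own history, since the malicious commits in this campaign were staged as imposter commits on forks.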