{"id":3719,"date":"2026-03-25T16:14:31","date_gmt":"2026-03-25T16:14:31","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/03\/25\/sophisticated-supply-chain-attack-targeting-trivy-expands-to-checkmarx-litellm\/"},"modified":"2026-03-25T16:14:31","modified_gmt":"2026-03-25T16:14:31","slug":"sophisticated-supply-chain-attack-targeting-trivy-expands-to-checkmarx-litellm","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/03\/25\/sophisticated-supply-chain-attack-targeting-trivy-expands-to-checkmarx-litellm\/","title":{"rendered":"Sophisticated Supply Chain Attack Targeting Trivy Expands to Checkmarx, LiteLLM"},"content":{"rendered":"
\"supply<\/div>\n

\"supply<\/p>\n

The supply chain attack that compromised Aqua Security\u2019s Trivy<\/a> open source security vulnerability scanner and its associated GitHub Actions earlier this month continues to expand, with software development tools from Checkmarx and LiteLLM being the latest victims of the sophisticated campaign.<\/p>\n

The threat group behind it, TeamPCP, is using the attacks to create persistence and to steal credentials and sensitive digital keys from organizations.<\/p>\n

\u201cThe TeamPCP stealer\u2019s primary function is harvesting credentials from CI runner memory,\u201d Sysdig threat researchers wrote<\/a>. \u201cWhen a compromised Trivy action executes in a workflow, it extracts GitHub personal access tokens (PATs) and other secrets from the Runner.Worker process memory. If those tokens have write access to repositories that also use Checkmarx actions, the attacker can use them to push malicious code to additional action dependencies.\u201d<\/p>\n

The researchers added that such action \u201ccreates a cascading supply chain compromise: One poisoned action harvests credentials that enable poisoning of additional actions, each using a different typosquat domain to avoid pattern-based detection.\u201d<\/p>\n

A Moving Target<\/h2>\n

Damon Small, a board member with security firm Xcape, said that \u201cthe risk here is a \u2018wormable\u2019\u00a0supply\u00a0chain: the malware scrapes runner memory for GitHub PATs and cloud keys, which it then uses to compromise any\u00a0other\u00a0repositories that the infected pipeline has write access to. For defenders, the priority isn\u2019t just updating\u00a0Trivy; it is a scorched-earth credential rotation.\u201d<\/p>\n

Small added that \u201cit takes a special kind of irony for a vulnerability scanner to become the primary infection vector for your entire cloud environment.\u201d<\/p>\n

Organizations with pipelines that ran a Trivy scan between March 19 and 23 need to assume that every secret that was accessible<\/a> through the scans \u2013 from Amazon Web Services (AWS) keys to npm tokens to SSH keys \u2013 has been stolen, Small said.<\/p>\n

\u201cMoving forward, security teams must enforce the pinning of all third-party GitHub Actions to full 40-character commit hashes to prevent this \u2018silent\u2019 tag-swapping from recurring,\u201d he said.<\/p>\n

Incomplete Containment an Issue<\/h2>\n

According to Wiz researchers, TeamPCP actors were able to launch the multi-faceted attack<\/a> through access gained via the \u201cincomplete containment of an earlier incident,\u201d pushing credential stealer code from a typosquatted domain into Trivy and publishing \u201cbackdoored binaries \u2026 to GitHub Releases, Docker Hub, GHCR, and ECR. The maintainers have since removed these malicious artifacts.\u201d<\/p>\n

Palo Alto Networks researchers noted that \u201cincomplete containment is a recurring issue<\/a> in incident response. When breaches are not fully addressed, they create the conditions for the next attack.\u201d That was the case with Trivy.<\/p>\n

The Python-based payload harvested not only credentials from cloud providers<\/a> AWS, Google Cloud Platform, and Microsoft Azure, but also Kubernetes secrets, CI\/CD and application secrets, infrastructure and access information, and cryptocurrency, according to Microsoft\u2019s Defender Security Research Team.<\/p>\n

Keeping Under the Radar<\/h2>\n

The attackers were able to pose as legitimate developers, and according to Microsoft, \u201cafter exfiltration, the malware\u00a0cleaned up\u00a0all temporary files and launched the\u00a0legitimate Trivy scan. The workflow completed successfully with expected output, masking the compromise from pipeline operators.\u201d<\/p>\n

The persona impersonation tactics used by the TeamPCP attackers were similar to what Microsoft researchers saw in the Shai-Hulud 2.0<\/a> campaign.<\/p>\n

Suzu Labs CTO Denis Calderone said security teams need to pay attention to TeamPCP\u2019s technical execution.<\/p>\n

\u201cStolen credentials from a misconfigured GitHub Actions workflow gave the attackers access to push malicious code into 75 of 76 version tags,\u201d Calderone said. \u201cThe payload ran inside CI\/CD pipelines, silently collecting GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, database passwords, and crypto wallets from every pipeline that pulled the compromised version. CI\/CD runners hold the keys to everything, so compromising the pipeline is effectively compromising every environment that pipeline touches.\u201d<\/p>\n

After the Trivy compromise, TeamPCP was able to expand its reach into Checkmarx\u2019s KICS open static code analysis tool and LiteLLM, an open source AI gateway that offers a unified API that is compatible with OpenAI and use to call more than 100 large language model (LLM) provides, including OpenAI, Azure, AWS\u2019s Bedrock, and Google Cloud Platform.<\/p>\n

TeamPCP Worms Its Way In<\/h2>\n

The expansion to other victims was accomplished through CanisterWorm, which TeamPCP launched by using stolen credentials, according to Palo Alto researchers. The worm compromised more than 45 npm packages across various scopes.<\/p>\n

\u201cLater variants added token theft and malicious publishing in the postinstall hook, making every developer or CI pipeline that installed an affected package an unwitting propagation vector,\u201d they wrote. \u201cTwenty-eight packages were compromised in under 60 seconds.\u201d<\/p>\n

The CanisterWorm component caught the attention of Suzu Labs\u2019 Calderone.<\/p>\n

\u201cThis is the first documented malware to use blockchain for command and control,\u201d Calderone said. \u201cInstead of traditional C2 servers that can be seized or sinkholed, the attackers are using smart contracts as a decentralized dead-drop. There\u2019s no single server to take down, no domain to block. The operator can rotate payloads on-chain without ever touching an infected host.\u201d<\/p>\n

He called it \u201ca fundamental shift in how attackers maintain persistence and control, and if this model proves out, it\u2019s going to change how we think about disrupting campaigns.\u201d<\/p>\n

Targeting Open Source, AI Development<\/h2>\n

Sonatype researchers noted the targeting of LiteLLM<\/a>, writing that the attackers are \u201clooking to take advantage of enterprises leveraging open source to rapidly develop and deploy AI applications. The design of the malware suggests a broad targeting strategy aimed at developers, cloud environments, and modern application infrastructure.\u201d<\/p>\n

Kubernetes environments are getting attention from the bad actors, but the data being collected is intentionally expansive, targeting any system that can store credentials or interact with cloud services.<\/p>\n

\u201cThis makes the software supply chain attack especially dangerous in environments where developers, CI\/CD systems, and production infrastructure share access to sensitive credentials, as compromise in one layer can quickly cascade into others,\u201d they wrote.<\/p>\n

Read More<\/a><\/p>\n

\u200b<\/p>","protected":false},"excerpt":{"rendered":"

The supply chain attack that compromised Aqua Security\u2019s Trivy open source security vulnerability scanner and its associated GitHub Actions earlier […]<\/p>\n","protected":false},"author":1,"featured_media":3720,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-3719","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3719"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3719\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/3720"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}