A hacker group just compromised one of the most widely used security scanners in the world, and used it to steal half a million credentials from companies that trusted it to keep them safe.
On March 19, a threat actor group called TeamPCP injected credential-stealing malware into Trivy, a popular open-source vulnerability scanner maintained by Aqua Security. Trivy is used by thousands of companies to scan their code and infrastructure for security flaws. The attackers compromised 75 GitHub Action tags, the Trivy Docker images, and related CI/CD pipelines, meaning every company running automated security scans through Trivy was unknowingly executing the attackers' code.
The malware harvested SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files from every environment it touched. The stolen data was encrypted and exfiltrated to attacker-controlled servers.
But the attack didn't stop there. Using credentials stolen from Trivy's CI/CD pipeline, TeamPCP then backdoored LiteLLM, a widely used Python framework for managing AI model APIs. Two malicious versions (1.82.7 and 1.82.8) were pushed to PyPI, the main Python package repository. The second version was designed to execute automatically on every Python process startup in the environment, no user interaction required. From there, it deployed privileged pods across entire Kubernetes clusters and installed persistent backdoors on every node.
The attackers also pushed compromised Docker images of Trivy (versions 0.69.4, 0.69.5, 0.69.6) to Docker Hub and compromised dozens of npm packages with a self-spreading worm called CanisterWorm. They even defaced 44 internal Aqua Security repositories in a scripted 2-minute burst, renaming them all with "TeamPCP Owns Aqua Security."
According to the International Cyber Digest, which is in direct contact with the attackers, TeamPCP claims to have exfiltrated 300 GB of compressed credentials and is actively working through them. The LiteLLM compromise alone reportedly yielded half a million stolen credentials. The group says it is currently extorting several multi-billion-dollar companies.
Each compromised environment yielded credentials that unlocked the next target. The pivot from CI/CD pipelines to production Python packages running in Kubernetes clusters was deliberate escalation. Security researchers say this campaign is "almost certainly not over."
This is what a modern supply chain attack looks like. The tools companies trust to secure their infrastructure become the attack vector. The irony is brutal: the security scanner was the vulnerability.
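To check whether a repository references the artifacts named above, the following added example (not code from the article, Aqua Security or LiteLLM) scans workflow and dependency text for the listed LiteLLM and Trivy image versions, and for any GitHub Action referenced by a mutable tag instead of a full commit SHA. The sample input, the `example-org/...` action names and the `aquasec/trivy` image path in it are constructed for illustration.

```python
import re

# Versions named in the article; nothing beyond them is assumed affected.
LISTED_LITELLM = {"1.82.7", "1.82.8"}
LISTED_TRIVY_IMAGE = {"0.69.4", "0.69.5", "0.69.6"}

USES = re.compile(r"\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
LITELLM_PIN = re.compile(r"\s*litellm(?:\[[^\]]*\])?\s*==\s*([\w.]+)", re.I)
TRIVY_IMAGE = re.compile(r"(?:^|[\s/\"'])trivy:v?(\d+\.\d+\.\d+)\b")

def audit(text):
    """Return (line_no, kind, detail) for every risky reference in text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore trailing comments
        m = USES.match(line)
        # A tag or branch can be repointed by whoever controls the repo;
        # only a full 40-hex commit SHA is immutable.
        if m and not FULL_SHA.fullmatch(m.group(2)):
            findings.append((n, "mutable-action-ref", f"{m.group(1)}@{m.group(2)}"))
        m = LITELLM_PIN.match(line)
        if m and m.group(1) in LISTED_LITELLM:
            findings.append((n, "listed-litellm", m.group(1)))
        m = TRIVY_IMAGE.search(line)
        if m and m.group(1) in LISTED_TRIVY_IMAGE:
            findings.append((n, "listed-trivy-image", m.group(1)))
    return findings

# Constructed sample: workflow lines followed by requirements lines.
SAMPLE = """\
steps:
  - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567  # pinned
  - uses: example-org/scanner-action@v1
container:
  image: aquasec/trivy:0.69.5
litellm==1.82.8
litellm[proxy]==1.81.0
"""

if __name__ == "__main__":
    for line_no, kind, detail in audit(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

A clean result only shows that these references are absent from the files scanned; it says nothing about pipeline runs that already executed.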


