TeamPCP supply chain attack: three hits in five days
Trivy is the most widely adopted open source vulnerability scanner, with 33,000 GitHub stars and over 100 million Docker Hub downloads. On March 19, it brought a credential stealer into every CI/CD pipeline that ran it.
Checkmarx and LiteLLM are the most impactful known downstream victims. Checkmarx KICS is an open-source security scanner. Its compromised GitHub Actions launched a second wave of credential harvesting among its users. LiteLLM is the most popular LLM proxy, present in 36% of cloud environments. Its compromised PyPI package installed a .pth file that executes on every Python startup. Anyone who ran pip install litellm on March 24 had every credential on that machine exfiltrated.
Fear is the main marketing driver for selling cybersecurity products, so this incident has gotten wide vendor coverage. This post sells nothing. It analyzes what TeamPCP actually wants, offers tactical hardening advice, and uncovers a systemic issue with the vendors' open-source projects.
1. What does TeamPCP actually want?
TeamPCP, also tracked as DeadCatx3, PCPcat, ShellForce, CanisterWorm, has been active since at least December 2025. Krebs on Security classifies them as financially motivated, targeting corporate cloud environments. Flare's assessment: they "weaponize exposed control planes rather than exploiting endpoints."
But financially motivated actors do not deface 197 repositories after silently exfiltrating credentials. TeamPCP did: "teampcp owns BerriAI" pushed to 15 org repos and 182 personal repos in a 5-minute burst after the operation was complete. They also deployed a wiper targeting Iran-based systems that same weekend, destroying data across Kubernetes nodes if it detects an Iranian timezone or Farsi language.
My read: they are building a strong access broker brand. "TeamPCP Cloud stealer" in the payload, "tpcp.tar.gz" as the exfil filename, defacement after every completed operation are their marketing portfolio. The hacktivism and the Iran wiper are noisy tactics that mask the true objective: credential harvesting at scale for resale.
2. Attack chain TL;DR.
In late February, TeamPCP stole the aqua-bot personal access token (PAT), a long-lived token with write access to Trivy's repos through a GitHub Actions misconfiguration that Aqua has not fully disclosed. A script injection vulnerability in trivy-action (GHSA-9p44-j4g5-cfx5) had been published on February 18 and was the most likely entry vector. Aqua rotated credentials on March 1 but missed one. On March 19, TeamPCP force-pushed 76 trivy-action tags to malicious commits. They ran a credential stealer on a user CI/CD pipeline before the real scan. The attacker stole Checkmarx tokens that gave them all 35 KICS tags. They also obtained LiteLLM PyPI credentials that allowed them to push a malicious PyPI release on March 24. Read a detailed analysis on OpenSourceMalware.
3. What is the blast radius?
I do not know. Trivy tags were live for twelve hours, Checkmarx KICS for four, LiteLLM on PyPI for three. Every pipeline that ran a compromised version had its secrets harvested. How many credentials were exfiltrated, whether LiteLLM is the only downstream target or the first discovered, and what the Checkmarx harvest produced are all open questions. Aqua's advisory warns that stolen NPM tokens are being weaponized to propagate malware across the NPM ecosystem, so it's far from over.
4. What should I do today?
I'll skip the "rotate credentials", 15-item checklist, and "buy AI security for supply chain". What caught my attention is SHA pinning spreading as a silver bullet on social media. "Just pin GitHub Actions to a commit SHA hash: uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1" and problem solved. It'd have helped in this specific tag-repointing attack. Assuming that TeamPCP stole the aqua-bot PAT and thus fully controlled the Trivy repo, they could have just placed a malicious commit that you'd have pinned.
If you can do only one thing, refactor your CI/CD to run third-party scanners in a separate job with no secrets and a read-only GITHUB_TOKEN. One workflow file change and you'll probably clean up a few more skeletons along with it.
5. The structural problem.
AI has popularized the "open-source is the only right path" narrative, but we really need to understand that vendors' open-source projects are actually not products, but go-to-market tools. They run at the best effort, just enough to generate leads for the vendor's sales funnel.
Both Aqua and Checkmarx secured their commercial products. The malicious Trivy v0.69.4 never reached the Aqua Platform. Checkmarx also confirmed that no enterprise customers were impacted by the KICS' compromise.