
When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Campaign

Authored by Kenneth G. Hartman & Eric Johnson

On March 19, 2026, thousands of CI/CD pipelines ran routine vulnerability scans using Trivy—one of the most trusted open-source security scanners in the cloud-native ecosystem. What those pipelines actually executed, however, was a credential stealer. The security tool designed to protect them had been turned against them.

The threat actor group TeamPCP had quietly compromised Aqua Security’s service account weeks earlier. They then used it to force-push malicious code to 76 of 77 trivy-action version tags. Within hours, the attack cascaded across four additional ecosystems: npm packages, Docker Hub images, Checkmarx GitHub Actions, and—as of this morning—the LiteLLM Python package on PyPI. The campaign is tracked as CVE-2026-33634 (CVSS 9.4).

This is not a theoretical supply chain risk. This is what it looks like when it happens at scale.

What Makes This Campaign Different

We have seen supply chain attacks before—SolarWinds, Codecov, and the tj-actions incident last year. TeamPCP’s campaign stands apart for three reasons:

  1. Self-propagating worm capability: Stolen npm tokens were automatically weaponized to infect victim-maintained packages, creating new upstream compromises without attacker intervention. This transforms supply chain risk from single-hop to exponential.
  2. Blockchain-based command and control (C2): TeamPCP used an Internet Computer Protocol (ICP) canister as a dead-drop C2—the first documented abuse of decentralized blockchain infrastructure for this purpose. Traditional takedown methods simply do not work against it.
  3. Security tools as the attack surface: Trivy (vulnerability scanner), Checkmarx KICS (IaC scanner), and LiteLLM (LLM gateway) are tools organizations deploy to improve their security posture. The most diligent organizations—the ones scanning every build—had the greatest exposure.

The Cascade in Five Days

The speed of propagation is what keeps us up at night:

  • Day 1 (Mar 19): Trivy binary, GitHub Actions, and Docker images are compromised. Credential stealers harvest secrets from CI/CD runner memory.
  • Day 2 (Mar 20): Stolen npm tokens feed a self-propagating worm (CanisterWorm) that infects 66+ npm packages across multiple organizations.
  • Day 4 (Mar 22): Malicious Docker images are pushed. 44 Aqua Security repositories are defaced. An Iran-targeted wiper component is discovered.
  • Day 5 (Mar 23): Checkmarx KICS and AST GitHub Actions are hijacked. Malicious VS Code extensions are published.
  • Day 6 (Mar 24): LiteLLM is compromised on PyPI using credentials stolen from a Trivy scan—completing the chain from security scanner to AI infrastructure.

Each hop was enabled by credentials harvested in the previous phase. One stolen token became five compromised ecosystems.

Why the LiteLLM Compromise Changes the Equation

The final phase of this campaign deserves special attention. LiteLLM is an open-source LLM proxy and gateway with over 40,000 GitHub stars and approximately 95 million monthly downloads on PyPI. Organizations use it to route requests to over 100 LLM providers—including OpenAI, Anthropic, Azure OpenAI, Google Vertex AI, AWS Bedrock, and more—through a single unified interface. It manages API keys, tracks usage costs, and load-balances across models. Wiz Research found LiteLLM is present in 36% of the cloud environments they monitor.

Here is why that matters: a typical LiteLLM deployment stores API keys for every LLM provider an organization uses. Compromising LiteLLM does not just give the attacker cloud credentials—it gives them the keys to an organization’s AI infrastructure. Every model, every provider, and every API key in one place.

TeamPCP compromised LiteLLM because BerriAI’s CI/CD pipeline used Trivy for security scanning. When the poisoned trivy-action executed within that pipeline, it harvested the PyPI publishing token. The attackers then published malicious versions 1.82.7 and 1.82.8 directly to PyPI, bypassing the normal release process.

The malware used a Python .pth file—a mechanism that auto-executes on any Python interpreter startup without requiring an import. As a result, every python, pip, or pytest command would trigger the credential stealer. PyPI quarantined the malicious packages within approximately three hours, but with 3.6 million daily downloads, the exposure window was significant.
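The .pth mechanism described above is easy to check for on a defender's own hosts. The following script is an added example (it is not code from this post or from the SANS report) that mirrors how CPython's site module treats .pth files: any line that begins with "import " or "import<TAB>" is executed at startup, everything else is a sys.path entry. It lists every .pth file directly inside the interpreter's site-packages directories that carries such a line. The sample files it writes in demo() are constructed for illustration, not real payloads.

```python
"""Defender-side check: which .pth files in site-packages execute code at
interpreter startup?  Added example, not code from the SANS report."""
from __future__ import annotations

import re
import site
import tempfile
from pathlib import Path

# CPython's site module exec()s every .pth line that starts with "import "
# or "import<TAB>"; any other non-comment line is appended to sys.path.
EXEC_LINE = re.compile(r"^import[ \t]")


def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth body that the interpreter would execute."""
    hits: list[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # same rule as site.py
            continue
        if EXEC_LINE.match(line):
            hits.append(line.rstrip())
    return hits


def scan_site_dirs(dirs: list[str] | None = None) -> dict[str, list[str]]:
    """Map each .pth file directly inside the given site directories to its
    executable lines.  Defaults to this interpreter's own site-packages.
    site.py reads only the directory itself, never subdirectories, so the
    glob is deliberately not recursive."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", lambda: [])())
        dirs.append(site.getusersitepackages())
    findings: dict[str, list[str]] = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for pth in sorted(base.glob("*.pth")):
            try:
                lines = executable_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue
            if lines:
                findings[str(pth)] = lines
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample: one path-only .pth and one that executes code."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "mylib.pth").write_text("/opt/mylib\n")
        Path(tmp, "odd.pth").write_text(
            "# constructed sample, not a real payload\n"
            "/opt/odd\n"
            "import os; os.environ.get('HOME')\n"
        )
        hits = scan_site_dirs([tmp])
        return {Path(k).name: v for k, v in hits.items()}


if __name__ == "__main__":
    # Some legitimate packages use import lines too (setuptools'
    # distutils-precedence.pth, editable installs), so baseline a clean
    # environment and diff against it rather than alerting on every hit.
    for path, lines in scan_site_dirs().items():
        print(path)
        for line in lines:
            print("   ", line)
```

Run it inside the same virtual environment your CI job or application uses; a .pth installed by a poisoned package lands in that environment's site-packages, not the system one.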

As of March 25, reporting indicates that TeamPCP has pivoted from credential theft to active extortion. The group is reportedly working through approximately 300 GB of compressed stolen credentials and collaborating with the LAPSUS$ extortion group to target multi-billion-dollar companies. Mandiant estimates over 1,000 SaaS environments have been impacted, with the number expected to grow to 5,000-10,000.

The Architectural Problem

Dan Lorenc, CEO of Chainguard, catalogued six fundamental design failures in GitHub Actions that enabled this campaign—from mutable tags without transparency logs to the dangerous pull_request_target trigger that granted initial access. His assessment: “The design of Actions is plain irresponsible today and ignores a decade of supply chain security work from other ecosystems.”

The uncomfortable truth is that the mitigations we recommend—pin to commit SHAs, restrict allowed actions, and monitor CI/CD egress—are workarounds for architectural decisions that should never have shipped as defaults. Chainguard’s research on “imposter commits” further demonstrates that even organization-level action allowlists can be bypassed using commits from forked repositories.

What You Should Do This Week

Our report includes a prioritized “Lessons Learned” section with 11 specific steps organized by urgency. The top three for immediate action:

  1. Pin every GitHub Action to a full commit SHA. Mutable version tags are the root vulnerability. This is the single highest impact change you can make today.
  2. Audit every workflow using pull_request_target. This trigger is the initial access vector that enabled the entire campaign—and the SpotBugs breach before it, and the Nx breach before that.
  3. Rotate every secret accessible to pipelines running Trivy, Checkmarx KICS, or LiteLLM between March 19 and March 24. Treat them as compromised.
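Steps 1 and 2 above can be checked mechanically. The script below is an added example (not part of this post, the report, or any project's code) that walks a repository's .github/workflows directory and reports every uses: reference that is not pinned to a full 40-character commit SHA, plus every workflow that triggers on pull_request_target. It is line-oriented on purpose so it needs no YAML library. The embedded SAMPLE_WORKFLOW, the example-org action name, and the 40-hex-digit SHA in it are constructed placeholders. Note the caveat from the Chainguard "imposter commits" research: a SHA that pins cleanly still has to be confirmed as belonging to the upstream repository, which this offline check cannot do.

```python
"""Audit GitHub Actions workflows for mutable action refs and the
pull_request_target trigger.  Added example, not code from the SANS report."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterator, NamedTuple

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Trigger written as a mapping key, a list item, or an "on:" scalar ...
PRT_RE = re.compile(r"^\s*(?:on:\s*|-\s*)?pull_request_target\s*:?\s*(?:#.*)?$")
# ... or inside an inline list such as "on: [push, pull_request_target]".
ON_INLINE_RE = re.compile(r"^\s*on:\s*\[([^\]]*)\]")


class Finding(NamedTuple):
    line: int
    rule: str
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file body, in line order."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if PRT_RE.match(raw):
            findings.append(Finding(n, "pull_request_target", raw.strip()))
            continue
        m = ON_INLINE_RE.match(raw)
        if m and "pull_request_target" in [t.strip() for t in m.group(1).split(",")]:
            findings.append(Finding(n, "pull_request_target", raw.strip()))
            continue
        m = USES_RE.match(raw)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or image actions are not resolved through a git tag
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(Finding(n, "unpinned-action", ref))
    return findings


def audit_repo(repo: Path) -> Iterator[tuple[Path, Finding]]:
    """Walk .github/workflows and yield (file, finding) for every workflow."""
    for wf in sorted((repo / ".github" / "workflows").glob("*.y*ml")):
        for f in audit_workflow(wf.read_text(errors="replace")):
            yield wf, f


# Constructed sample workflow: line 4 uses the risky trigger, lines 9-10 use
# mutable tags, line 11 is pinned to a placeholder SHA, line 12 is local.
SAMPLE_WORKFLOW = """\
name: ci
on:
  push:
  pull_request_target:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@v1.2.0
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder SHA)
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for wf, f in audit_repo(Path(sys.argv[1])):
            print(f"{wf}:{f.line}: {f.rule}: {f.detail}")
    else:
        for f in audit_workflow(SAMPLE_WORKFLOW):
            print(f"sample:{f.line}: {f.rule}: {f.detail}")
```

Run with a repository path to audit real workflows, or with no arguments to see the three findings the constructed sample produces. Every pull_request_target hit deserves a manual read: the trigger is only dangerous when the job also checks out or executes the pull request's code, which a line scanner cannot judge.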

Read the Full Threat Intelligence Report

We have published a detailed threat intelligence report covering the complete attack timeline, MITRE ATT&CK® mapping, indicators of compromise, technical payload analysis, and defensive recommendations. It is designed to be immediately actionable for cloud security teams and useful as reference material for incident response.

Download: “When the Security Scanner Became the Weapon” – TeamPCP Supply Chain Campaign TTP Report (PDF) 

SANS Emergency Webcast

Given the severity and ongoing nature of this campaign, we are hosting a SANS Emergency Webcast: “When the Security Scanner Became the Weapon.” Eric Johnson and I will walk through the complete attack chain—from the initial pull_request_target exploitation to the cascading compromise of five ecosystems—demonstrate detection techniques, and take your questions live.

If you manage CI/CD pipelines, deploy security scanners, or use LiteLLM within your AI infrastructure, this content is directly relevant to your environment.

Watch the replay by registering for the “When the Security Scanner Became the Weapon” webcast.

Turn Insight into Action

SANS Cloud Security courses, including SEC540: Cloud Native Security and DevSecOps Automation and SEC510: Cloud Security Engineering and Controls, teach the practical skills needed to secure CI/CD pipelines, manage identity, and prevent the kind of cascading compromise seen in this attack. 

Kenneth G. Hartman is a SANS Certified Instructor and founder of Lucid Truth Technologies. Eric M. Johnson is a SANS Fellow.