
The TeamPCP Campaign: What Open-Source Supply Chain Attacks Mean for Your Security Programme

Discover how the TeamPCP campaign compromised Trivy, Checkmarx, and LiteLLM across GitHub, PyPI, NPM, and more—and what to change in your security programme now.


On March 19, 2026, attackers compromised Aqua Security's Trivy vulnerability scanner. Within six days, that single breach had cascaded into Checkmarx's KICS static analysis tool and BerriAI's LiteLLM, a Python library for interacting with large language model providers that Wiz estimates is present in roughly 36% of cloud environments. The campaign spanned GitHub Actions, Docker Hub, PyPI, NPM, and the OpenVSX extension marketplace.

What Happened: The Cascading Supply Chain Attack

Each stage of the TeamPCP campaign gave the attackers the access they needed for the next, creating a cascading chain across vendors and ecosystems.

Stage 1: Trivy - Compromising the Security Scanner (March 19)

In late February, an attacker exploited a misconfiguration in Trivy's GitHub Actions workflows to steal a service account credential. Aqua rotated the credential, but the rotation was not atomic, and the attackers retained access in the window before the credentials were fully revoked. On March 19, they used it to push a malicious Trivy release (CVE-2026-33634) and tamper with nearly all version tags for Trivy's GitHub Action and setup-trivy, turning the project's own release infrastructure into a distribution mechanism for credential-stealing payloads.

Stage 2: Lateral Movement and Escalation (March 20-23)

The stolen credentials gave the attackers access to multiple platforms and a second security vendor over four days:

  • NPM (March 20): Deployed a self-propagating worm infecting multiple packages in under a minute.
  • Docker Hub (March 22): Published malicious Trivy container images using compromised credentials, bypassing GitHub's release process.
  • GitHub (March 22): 44 internal Aqua Security repositories defaced, renamed, and exposed publicly.
  • Checkmarx / OpenVSX (March 23): Compromised Checkmarx's KICS and AST GitHub Actions and published malicious extensions to the OpenVSX IDE marketplace.

Stage 3: LiteLLM - From Security Tools to AI Infrastructure (March 24)

LiteLLM's build pipeline used Trivy for security scanning. The attackers used a stolen PyPI publishing token to publish two malicious versions of LiteLLM (1.82.7 and 1.82.8), which were live for roughly three hours before being quarantined. Version 1.82.8 executed automatically whenever any Python process started in an affected environment, harvesting cloud tokens, database credentials, SSH keys, and environment variables.

What This Means for Supply Chain Security

The individual steps were well-documented attack patterns, but the campaign was effective because of how supply chains connected them across otherwise unrelated tools and vendors. A credential rotation that may not have fully revoked access gave the attackers a second opportunity, and the chain of dependencies between Trivy and downstream tools like LiteLLM did the rest.

Security tooling was the attack surface. Trivy is a vulnerability scanner. KICS is a static analysis tool. The tools organisations run to secure their pipelines were the entry point. These tools are often implicitly trusted and granted broad access to CI/CD environments.

Transitive dependencies are invisible to traditional TPRM. Not every organisation that depended on LiteLLM also used Trivy. LiteLLM was compromised because its build pipeline depended on Trivy, which was compromised first. Open-source tools like Trivy rarely appear in vendor questionnaires because there is no commercial relationship to assess. A security scanner compromising an AI library compromising downstream consumers is exactly the kind of chain that traditional vendor questionnaires don't capture.

A single campaign spanned five ecosystems. TeamPCP pivoted across GitHub Actions, Docker Hub, PyPI, NPM, and OpenVSX. Monitoring a single package registry or platform is not enough when one set of stolen credentials can reach across all of them.

What To Do Now

If you have not done so already, we recommend:

  • Pin all GitHub Actions to commit SHAs, not version tags. Tags can be silently redirected to malicious code. GitHub's Immutable Releases feature (GA since October 2025) helps here by preventing published action assets from being tampered with, but adoption is opt-in and not all actions use it yet. SHA pinning remains the safest default.
  • Audit CI/CD pipelines for exposure to Trivy or Checkmarx actions between March 19 and March 25. If any pipeline used these tools without SHA pinning, treat every secret accessible to that pipeline as compromised and rotate immediately.
  • Check for affected LiteLLM versions (1.82.7 and 1.82.8). LiteLLM may be present as a transitive dependency. Audit dependency trees using SBOM tooling or package auditing tools.
  • Quarantine non-security dependency updates. A short delay before adopting non-security updates gives the community time to identify compromised packages before they reach your pipelines.
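
As an added example (not code from this article or from any of the projects it names), the script below audits workflow text for `uses:` references that are not pinned to a full commit SHA or image digest, and resolved `name==version` pins for the two LiteLLM versions listed above. The owner prefixes `aquasecurity/` and `checkmarx/`, the function names, and the sample inputs are assumptions constructed for illustration.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.I)    # full commit SHA only
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
PIN_RE = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
WATCH_OWNERS = ("aquasecurity/", "checkmarx/")  # assumption: vendor org names
BAD_LITELLM = {"1.82.7", "1.82.8"}              # versions named in the article

def audit_workflow(text):
    """Return (line_no, ref, reason) for every `uses:` not pinned immutably."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):   # skip local actions
            continue
        ref = m.group(1)
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((n, ref, "image not pinned by digest"))
            continue
        action, _, version = ref.partition("@")
        if SHA_RE.match(version):
            continue
        reason = "tag or branch ref"
        if action.lower().startswith(WATCH_OWNERS):
            reason += "; vendor named in campaign"
        findings.append((n, ref, reason))
    return findings

def audit_lockfile(text):
    """Return line numbers of `name==version` pins on an affected LiteLLM."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line.strip())
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else ""
        if name == "litellm" and m.group(2) in BAD_LITELLM:
            hits.append(n)
    return hits

# Constructed sample inputs (not taken from any real repository).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
  - uses: aquasecurity/trivy-action@v0.0.0-example
  - uses: ./.github/actions/build
  - uses: docker://example/image:latest
"""
SAMPLE_FREEZE = "requests==2.0.0\nLiteLLM[proxy]==1.82.8\nlitellm==1.82.6\n"
print(audit_workflow(SAMPLE_WORKFLOW), audit_lockfile(SAMPLE_FREEZE))
```

A 40-character ref passes this check without proving the commit belongs to the upstream repository, so review each SHA when it is first introduced. Run the lock-file check against fully resolved output so that transitive installs of LiteLLM are included.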
