Executive Summary
Now that the dust has begun to settle on what became a cascading series of supply chain compromises across five major developer tool ecosystems, this briefing ties the various events together and translates them into actionable guidance.
If you’re reading this, you’ve probably heard a lot about Trivy and LiteLLM in the past two weeks. A threat actor, known as the TeamPCP group, conducted an attack campaign that unfolded rapidly over roughly two weeks in March 2026 — with each compromise enabling the next. Understanding the full sequence is helpful for assessing your organization's exposure and prioritizing your response.
Bottom Line
Your cloud credentials, API keys, and secrets may already be in attacker hands if your organization used Trivy, Checkmarx KICS, LiteLLM, Telnyx, or axios during March 2026.
- Attackers compromised these widely-used developer tools and security scanners, injecting code that silently stole credentials from any organization that downloaded or ran them. This cascaded into what security researchers described as one of the largest CI/CD supply chain attacks on record, affecting five package ecosystems and an estimated 5,000+ organizations.
- CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog. Federal agencies must remediate by April 8, 2026. Private organizations should treat this as a benchmark deadline.
- Many common defenses would fail to prevent these attacks from succeeding. See for more information
Why It Matters
According to and BreachForums reporting, the attackers (TeamPCP) are partnering with ransomware groups to monetize stolen credentials. According to , the first confirmed victim, an AI recruiting startup, lost 4TB of data including source code, customer databases, and identity documents. Many common preventive measures (code reviews, version pinning, package lockfiles) would not have stopped this attack because the attackers compromised trusted maintainer accounts directly. Post-incident analysis suggests organizations that detected it early did so by monitoring for unusual outbound network activity from their build systems.
Key Actions
- Review all CI/CD pipelines and development environments for compromised packages. Check for Trivy (March 19-21), Checkmarx KICS (March 23-24), LiteLLM versions 1.82.7/1.82.8 (March 24-25), Telnyx 4.87.1/4.87.2 (March 27), and axios 1.14.1/0.30.4 (March 31).
- Assume compromise and immediately rotate ALL credentials atomically (meaning all at once, leaving no old credentials active) if your build systems ran any affected package. This includes cloud provider credentials, Kubernetes secrets, GitHub tokens, and any API keys present in those build environments. Verify that no residual access paths remain after rotation.
- Check organizational accounts for unauthorized fallback repositories named tpcp-docs or docs-tpcp. These are exfiltration artifacts created by the malware using stolen GitHub tokens.
If you are unsure whether your organization used any of the affected packages, ask your DevOps or engineering lead to check CI/CD pipeline logs for the date ranges and package names above. That check can typically be completed in under an hour.
Important Notes
- The attack campaign appears paused as of early April. According to FBI reporting, approximately 300GB of stolen data (environment variables, API keys, cloud credentials, and CI/CD secrets) are actively being distributed and monetized through BreachForums and ransomware partnerships.
- Post-incident analysis suggests organizations that caught this early did so through runtime network monitoring of their build systems, not through code review or package scanning. See the Defense Efficacy Table in the Full Analysis and Recommendations section.
- Cyber insurance: Notify your carrier promptly if you confirm exposure. Many policies require notification within 72 hours of a known incident. Credential theft and subsequent ransomware from the same campaign may be treated as separate events under your policy; confirm this with your broker before closing the incident.
- Board communication: If your organization confirms exposure, this warrants board-level notification. Key points: what data or credentials may have been taken; that 300GB of stolen data (credentials, API keys, and CI/CD secrets) from previous breaches is actively circulating on criminal forums; the estimated remediation timeline and resource cost; and whether your cyber insurance policy covers the response.
Full Analysis and Recommendations
Attack Timeline
The following table traces the campaign from initial reconnaissance through the most recent known activity.
| Date | Event |
| --- | --- |
| Feb 28 – Mar 19 | TeamPCP conducts reconnaissance and pre-positions access in Trivy's GitHub Actions workflow via a misconfigured permissions scope. |
| Mar 19 (Trivy) | TeamPCP exploits the workflow misconfiguration to steal CI/CD secrets and begins force-pushing malicious binaries to Trivy release tags, starting with v0.69.4. Poisoned GitHub Actions (aquasecurity/trivy-action and setup-trivy) also deployed. |
| Mar 19–21 | Trivy binaries containing an infostealer harvesting environment variables, cloud tokens, and SSH keys are downloaded by an estimated 500–1,000+ organizations. CVE-2026-33634 assigned. |
| Mar 21 | Aqua Security detects the compromise and begins takedown. The malicious release artifacts remain accessible for approximately 48 hours after initial disclosure while mirrors are cleared. |
| Mar 23 (Checkmarx) | TeamPCP uses Trivy-stolen CI/CD secrets to compromise Checkmarx GitHub Actions for ast-github-action and kics-github-action. Malicious workflows capture repository secrets, environment variables, and tokens from downstream builds. |
| Mar 24 (LiteLLM) | TeamPCP publishes poisoned LiteLLM PyPI packages (versions 1.82.7 and 1.82.8). Packages contain a backdoor that exfiltrates environment variables, API keys, and cloud credentials on import. |
| Mar 25 | confirming shared C2 infrastructure (checkmarx[.]zone) across Trivy and Checkmarx compromises, attributing the campaign to TeamPCP. |
| Mar 27 (Telnyx) | TeamPCP publishes poisoned Telnyx Python SDK packages (versions 4.87.1 and 4.87.2) to PyPI. Same exfiltration behavior targeting Telnyx API credentials and environment variables. |
| Mar 28 | to the Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of April 8, 2026. |
| Mar 29 | Singapore Cyber Security Agency (CSA) publishes advisories (TeamPCP/Trivy/Checkmarx) and (axios/UNC1069 follow-on activity). |
| Mar 30 | extortion group. FBI confirms approximately 300GB of stolen data (environment variables, API keys, cloud credentials, and CI/CD secrets) distributed to roughly 300,000 BreachForums users. |
| Mar 31 (axios) | UNC1069 (a separate threat actor linked to TeamPCP infrastructure) publishes poisoned axios npm packages (versions 1.14.1 and 0.30.4), targeting JavaScript and Node.js build environments. |
| Mar 31 | traced to the TeamPCP campaign via a compromised Tailscale VPN credential. Exfiltrated data includes 939GB of source code, 211GB of user database records (email addresses and hashed passwords), and approximately 3TB of video interviews and passport images, totaling 4TB. |
| Apr 1 | TeamPCP announces a partnership with the Vect ransomware group on BreachForums. Active new compromises appear paused (no new packages identified), but stolen credentials continue to be distributed and monetized. |
| Apr 2–present | No new compromised packages identified. TeamPCP campaign appears paused. Credential monetization and ransomware partnership activity continues. |
What These Tools Do
The five compromised tools span different parts of the software development lifecycle. Understanding what they do and what credentials they can access explains why their compromise was so damaging:
- Trivy is an open-source vulnerability scanner widely used in CI/CD pipelines to check container images and application dependencies for known security issues. Because it runs inside build environments, it has access to the same secrets and credentials used during the build process: cloud provider keys, registry tokens, and any environment variables defined in the pipeline. Access level: all CI/CD secrets in scope.
- Checkmarx KICS (ast-github-action and kics-github-action) are GitHub Actions used to scan infrastructure-as-code files (Terraform, Kubernetes manifests, Dockerfiles) for misconfigurations. Like Trivy, they run inside build workflows with access to repository secrets and environment variables. Access level: repository secrets and environment variables for the triggering workflow.
- LiteLLM is a popular open-source Python library that provides a unified interface for calling multiple AI model APIs (OpenAI, Anthropic, Azure, etc.). Organizations use it to manage AI API credentials across their applications. The compromised PyPI package executed on import, before any application code ran, giving it access to the entire process environment. Access level: all environment variables in the running process, including all AI API keys, database credentials, and secrets loaded by the application.
- Telnyx Python SDK is the official client library for the Telnyx communications platform (voice, SMS, SIP). Applications using it pass Telnyx API credentials through the library on every call. Access level: environment variables in the running process; the malware primarily targets Telnyx API keys but harvests all available environment variables.
- axios is one of the most widely used HTTP client libraries in the JavaScript and Node.js ecosystem. It is present in an enormous number of applications and build pipelines, making its compromise a broad-reach attack even compared to the others in this campaign. Access level: environment variables in the Node.js process, including any secrets loaded from .env files or injected by CI/CD systems.
Root Causes: Misconfigured GitHub Action & Non-Atomic Credential Rotation
- The initial Trivy compromise was enabled by a misconfigured GitHub Actions workflow that granted excessive write permissions to forked pull requests.
- This allowed TeamPCP to steal CI/CD secrets without breaking into any developer account directly. These stolen secrets were then used to compromise Checkmarx KICS just four days later, demonstrating how a single misconfigured workflow became the entry point for a cascading multi-platform attack.
- Aqua Security's post-incident analysis revealed that while some or most credentials were changed after the Trivy breach was discovered, the aqua-bot service account password was not. The credentials were not all changed atomically (at the same time), which allowed the attackers to retain access. This underscores that credential rotation must be comprehensive and verified; partial rotation creates a false sense of security.
Threat Actor Evolution
TeamPCP has evolved from a supply chain compromise operation to an Initial Access Broker (IAB), meaning they specialize in breaking into organizations and selling that access to other attackers:
- LAPSUS$ Partnership: According to Wiz's March 30 analysis, TeamPCP is collaborating with the LAPSUS$ extortion group to monetize stolen credentials.
- Vect Ransomware: TeamPCP announced a partnership with the Vect ransomware group on BreachForums.
- Credential Distribution: FBI confirms approximately 300GB of compressed stolen data (environment variables, API keys, cloud credentials, and CI/CD secrets) are being distributed to roughly 300,000 BreachForums users.
- First Confirmed Victim: According to , the company lost 4TB of exfiltrated data: 939GB of source code, 211GB of user database records (including email addresses and hashed passwords), and approximately 3TB of video interviews and passport images. Initial access was via a compromised Tailscale VPN credential traced back to the TeamPCP campaign.
Defense Efficacy: Why Many Common Defenses Would Have Failed
This campaign was designed to defeat many common defensive controls by operating through legitimate, trusted infrastructure. The table below assesses each control hypothetically — whether it would have stopped or limited this attack if deployed — based on post-incident analysis. It does not assert that any specific organization had (or lacked) these controls.
Defense Efficacy Table
| Defense / Measure | Assessment | Why |
| --- | --- | --- |
| Code review (human inspection of changes before merging) | Would Not Help | Attackers used compromised maintainer credentials, so changes appeared to come from trusted developers and passed review gates. |
| Tag pinning (@v2) (using version tags to reference specific releases) | Would Not Help | 76 of 77 release tags were force-pushed to point to malicious commits. Tags are mutable pointers, not immutable identifiers. |
| SHA pinning (pinning to a specific commit hash) | Would Partially Help | SHA pinning of the action itself would have protected builds from the tag-swap attack. However, the fork-commit resolution vulnerability allowed an attacker-controlled fork commit to be reachable by SHA from the parent repo, meaning SHA pinning alone is not foolproof and must be combined with branch verification. |
| Package lockfiles (files that record exact dependency versions so every install uses the same packages, e.g. package-lock.json, Pipfile.lock) | Would Not Help | Lockfiles pin package versions but not the artifact content. Compromised builds can produce different binaries from the same version tag. |
| Domain reputation filtering | Would Not Help | The C2 domain (scan.aquasecurtiy[.]org) was a typosquat of the legitimate Aqua Security domain. Reputation systems had no prior signal. |
| Dependency scanning / SBOM (Software Bill of Materials) review | Would Partially Help | Scanning would have identified the affected versions, but only after the campaign was publicly disclosed. Pre-disclosure, the packages appeared legitimate. |
| Runtime network monitoring (watching what your build systems connect to) | Would Help | Organizations that monitored outbound connections from build systems detected the malicious C2 beaconing before credentials were fully exfiltrated. |
| Artifact attestation (verifying that a binary was built from a known source) | Would Help | Attestation would have caught the mismatch between the signed tag and the force-pushed malicious binary. This is now a CISA-recommended control for CI/CD environments. |
| Isolated build environments (running builds in sandboxes with no access to production secrets) | Would Help | Build environments that held only limited, scoped credentials (credentials restricted to the minimum permissions needed for that specific build job, with no access to production systems or other environments) limited the blast radius. Environments with broad access lost the most. To implement: use separate service accounts per pipeline; grant only the permissions each job requires; avoid injecting production credentials into build environments. |
| Vendor security advisories / CVE monitoring | Would Partially Help | Advisory monitoring would have triggered rapid response, but only after disclosure. Advance warning required runtime detection. |
| MFA on maintainer accounts (multi-factor authentication) | Would Not Help | The initial compromise of Trivy exploited a misconfigured GitHub Actions workflow, not a credential attack. MFA on maintainer accounts would not have stopped this vector. |
The Limits of SHA Pinning
The (March 24) documented a specific vulnerability in GitHub's architecture that allowed the Trivy attack to bypass SHA pinning: GitHub makes fork commits reachable by SHA from the parent repository. An attacker who forks a repo and creates a malicious commit can produce a SHA that GitHub resolves as if it belonged to the original repository. The malicious commit swapped the checkout SHA while keeping the version comment (# v6.0.2) unchanged, relying on the fact that human reviewers read the comment rather than comparing 40-character hex strings.
The following table summarizes pinning strategies and their current limitations:
| Pinning Strategy | Limitation | Guidance |
| --- | --- | --- |
| Tag pinning (uses: actions/checkout@v4) | Attackers can force-push any commit to any tag | Do not use tags for security-sensitive actions |
| SHA pinning (uses: actions/checkout@abc123def...) | Fork commits with the same SHA are reachable from the parent repo; commit may belong to an attacker-controlled fork | After pinning SHA, run: gh api repos/{owner}/{repo}/commits/{sha}/branches-where-head; if the result is empty, the commit is orphaned and suspect |
| SHA pinning + branch verification | Adds one API call to your verification step | Best current practice for GitHub Actions pinning |
| Mirroring actions into your own org | Requires ongoing maintenance to pull upstream updates | Eliminates fork-commit and supply chain risks for critical workflows |
Prioritized Response Actions
1. Determine Exposure
Before rotating credentials, identify what was exposed. This determines the scope and urgency of everything else.
- Audit your CI/CD pipeline logs for the affected date ranges and package versions listed in the Attack Timeline above.
- Check for the presence of the persistence script (~/.config/sysmon/sysmon.py and the sysmon.service systemd unit) on build hosts and developer workstations.
- Check for unauthorized GitHub repositories named tpcp-docs or docs-tpcp. These indicate that the malware's fallback exfiltration path activated using a stolen GitHub token.
- Review network logs for outbound connections to C2 domains: scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud, sfrclak[.]com, and 83.142.209[.]203.
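As an added example (not code from any of the affected projects or from the sources cited here), the Python sketch below checks dependency manifests for the PyPI and npm versions listed in this briefing, including transitive copies nested in package-lock.json. The sample manifests and the demo-app and http-helper names are constructed; Trivy and the Checkmarx actions are identified by date rather than version and are outside its scope.

```python
import json
import re

# Affected versions exactly as listed in this briefing.
AFFECTED = {
    "pypi": {"litellm": {"1.82.7", "1.82.8"}, "telnyx": {"4.87.1", "4.87.2"}},
    "npm": {"axios": {"1.14.1", "0.30.4"}},
}

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# pip freeze style
requests==2.32.3
LiteLLM==1.82.8
telnyx==4.87.0
"""
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.13.0"},
        "node_modules/http-helper": {"version": "2.0.0"},
        "node_modules/http-helper/node_modules/axios": {"version": "0.30.4"},
    },
})


def _norm_pypi(name):
    # PyPI names are case-insensitive and treat runs of "-", "_", "." alike.
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text, source="requirements.txt"):
    """Scan `pip freeze` output or a pinned requirements file (name==version)."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)", line)
        if not m:
            continue
        name, version = _norm_pypi(m.group(1)), m.group(2)
        if version in AFFECTED["pypi"].get(name, ()):
            hits.append((source, lineno, name, version))
    return hits


def scan_package_lock(text, source="package-lock.json"):
    """Scan a package-lock.json, including nested (transitive) installs."""
    lock = json.loads(text)
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if meta.get("version") in AFFECTED["npm"].get(name, ()):
            hits.append((source, path, name, meta["version"]))

    # lockfileVersion 1: nested "dependencies" tree.
    def walk(deps, trail):
        for name, meta in deps.items():
            here = trail + [name]
            if meta.get("version") in AFFECTED["npm"].get(name, ()):
                hits.append((source, " > ".join(here), name, meta["version"]))
            walk(meta.get("dependencies", {}), here)

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), [])
    return hits


if __name__ == "__main__":
    for hit in scan_requirements(SAMPLE_REQUIREMENTS) + scan_package_lock(SAMPLE_LOCK):
        print("AFFECTED:", *hit)
```

A hit means the version was resolved, not that it ran; pair the result with build logs for the date ranges in the Attack Timeline.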
2. Rotate ALL Credentials at the Same Time (“Atomically”)
Begin within 24 hours of confirmed exposure. Do not wait for a scheduled maintenance window. Rotate atomically; rotating only some and leaving others unchanged is what allowed the attacker to retain access to Aqua Security's systems after initial discovery. For most organizations, comprehensive atomic rotation is a 1-3 business day effort; treat it as an emergency change management process. ALL credentials in the affected environments must be treated as compromised:
- Cloud provider credentials (AWS IAM keys, GCP service account keys, Azure client secrets)
- Kubernetes secrets and service account tokens
- GitHub personal access tokens and repository secrets
- All API keys present as environment variables in the affected build environments
- SSH keys stored in build environments or used by CI/CD workflows
- After rotation, verify that no residual access paths remain. Run a credential audit against your identity provider to confirm old credentials are fully invalidated.
3. Audit Build Environments and Build System Access
The malware ran inside build pipelines and developer machines, not in production. Audit accordingly:
- Search for the exfiltration archive on build hosts and developer workstations: find / -name tpcp.tar.gz 2>/dev/null
- Check for the persistence service: systemctl status sysmon.service and verify no file exists at ~/.config/sysmon/sysmon.py.
- Review GitHub Actions workflow files for unexpected changes to checkout SHA or action references during March 2026.
- If you use self-hosted runners: treat any runner that processed a build during the affected window as potentially compromised and re-image it.
- Review access logs for all services that received credentials from affected build environments.
4. Strengthen CI/CD Posture (Why: Prevent Recurrence)
These controls address the root causes of this campaign. Implementing them reduces the risk from similar supply chain attacks. Note: Many applications have transitive dependencies (packages that are dependencies of your dependencies) that may also be vulnerable. Audit your full dependency tree, not just your direct dependencies.
- Verify ALL (not just direct) dependency checksums: Use software composition analysis (SCA) tools such as Dependabot, Snyk, or Grype to scan build systems and production environments. Enable checksum verification in pip (--require-hashes) and npm (npm ci with lockfiles). Enable GitHub's Dependabot alerts and secret scanning in your repository settings; both are free for public and private repositories.
- Use SHA pinning with branch verification: Pin GitHub Actions to full commit SHAs (not tags). After pinning, verify the commit exists on a release branch in the official repository using the GitHub CLI: gh api repos/{owner}/{repo}/commits/{sha}/branches-where-head. An empty response indicates an orphaned (potentially attacker-controlled) fork commit.
- Consider mirroring critical GitHub Actions into your own organization: This eliminates upstream supply chain risk for workflows that are critical to your build process.
- Enable artifact attestation: Use GitHub's built-in attestation feature to verify that build outputs were produced from known sources. Add the following step to your workflow after the build step:
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: <your-artifact-path>
  This would have caught the mismatch between the signed tag and the force-pushed binary, and is now a CISA-recommended control for CI/CD environments.
- Restrict GitHub Actions permissions: Set default permissions to read-only and explicitly grant write access only where needed. Add the following to your workflow file (addressing the misconfiguration that enabled the Trivy compromise):
      permissions:
        contents: read
        id-token: write  # write only for OIDC token minting
  In your organization settings, set the default Actions permissions to: Read repository contents and packages permissions.
- Use a Software Bill of Materials (SBOM): Generate an SBOM for each build. An SBOM lists every dependency and its version, making it possible to rapidly assess exposure when a new supply chain attack is disclosed. GitHub can generate SBOMs automatically via the dependency graph feature.
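The check described in The Limits of SHA Pinning and in the SHA-pinning item above can be scripted. This added example (not GitHub's or any affected project's own code) flags mutable refs, asks the branches-where-head endpoint about each pinned SHA through the gh CLI, and reports a SHA that changed while its version comment stayed the same; the sample workflows, placeholder SHAs and example-org/scan-action are constructed. That endpoint lists only branches whose tip is the commit, so an empty result is a cue for manual review.

```python
import json
import re
import subprocess

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed samples: placeholder SHAs, hypothetical example-org/scan-action.
OLD_WORKFLOW = """\
steps:
  - uses: actions/checkout@1111111111111111111111111111111111111111 # v6.0.2
  - uses: example-org/scan-action@v2
"""
NEW_WORKFLOW = OLD_WORKFLOW.replace("1" * 40, "2" * 40)


def parse_uses(workflow_text):
    """Yield (lineno, owner/repo, ref, trailing comment) for remote action refs."""
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")) or "@" not in spec:
            continue  # local and container references are out of scope here
        action, ref = spec.rsplit("@", 1)
        repo = "/".join(action.split("/")[:2])  # drop any sub-directory path
        yield lineno, repo, ref, (m.group(2) or "").strip()


def gh_branches_where_head(repo, sha):
    """Query the endpoint named in the briefing (requires an authenticated gh CLI)."""
    out = subprocess.run(
        ["gh", "api", f"repos/{repo}/commits/{sha}/branches-where-head"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [branch["name"] for branch in json.loads(out)]


def audit(workflow_text, branches_for=gh_branches_where_head):
    """Flag tag/branch pins, and SHA pins that are not the head of any branch."""
    findings = []
    for lineno, repo, ref, _comment in parse_uses(workflow_text):
        if not FULL_SHA.match(ref):
            findings.append((lineno, repo, "mutable-ref", ref))
        elif not branches_for(repo, ref):
            findings.append((lineno, repo, "sha-not-branch-head", ref))
    return findings


def sha_swaps(old_text, new_text):
    """Actions whose pinned SHA changed while the version comment did not."""
    old = {(repo, comment): ref for _, repo, ref, comment in parse_uses(old_text)}
    swaps = []
    for lineno, repo, ref, comment in parse_uses(new_text):
        before = old.get((repo, comment))
        if comment and before and before != ref:
            swaps.append((lineno, repo, comment, before, ref))
    return swaps


if __name__ == "__main__":
    # Offline part only; audit() needs network access and gh authentication.
    for swap in sha_swaps(OLD_WORKFLOW, NEW_WORKFLOW):
        print("SHA changed under unchanged comment:", *swap)
```

Run sha_swaps over the before and after versions of each workflow file from March 2026 history, and audit over the current files.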
5. Monitor for and Block Threat Actor Infrastructure
Block the following IOCs at your network perimeter and monitor for and block traffic to them in build environments and production:
- C2 domains: scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud, sfrclak[.]com
- Exfiltration IP(s): 83.142.209[.]203
- Alert on processes attempting to read ~/.config/sysmon/sysmon.py or to create/modify systemd services named sysmon.service on Linux build hosts.
- Alert on GitHub API calls that create new public repositories from build or automation service accounts.
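The following added example (not from the cited research) shows detection logic for these indicators over outbound connection logs: it matches each destination against the listed IOCs on a label boundary, so the legitimate aquasecurity.org is not flagged, and it marks hosts whose contacts repeat at the 50-minute polling interval given in the IOC appendix. The log format, host names and tolerance are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as listed (defanged) in this briefing.
IOCS_DEFANGED = ["scan.aquasecurtiy[.]org", "checkmarx[.]zone",
                 "models.litellm[.]cloud", "sfrclak[.]com", "83.142.209[.]203"]
BEACON_PERIOD = timedelta(minutes=50)  # polling interval stated in the briefing


def refang(indicator):
    return indicator.replace("[.]", ".").lower()


IOCS = [refang(i) for i in IOCS_DEFANGED]


def match_ioc(dest):
    """Return the matching indicator for a destination like 'host:443', else None."""
    host = dest.strip().lower().rsplit(":", 1)[0].rstrip(".")
    for ioc in IOCS:
        # Exact match or a true subdomain; a bare suffix match would over-report.
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines):
    """Parse 'ISO-timestamp source-host destination' lines (assumed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ioc = match_ioc(parts[2])
        if ioc:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            hits.append((ts, parts[1], ioc))
    return hits


def beaconing(hits, tolerance=timedelta(minutes=5), min_hits=3):
    """(host, ioc) pairs whose consecutive contacts are all about 50 minutes apart."""
    by_pair = defaultdict(list)
    for ts, host, ioc in hits:
        by_pair[(host, ioc)].append(ts)
    flagged = []
    for pair, times in sorted(by_pair.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - BEACON_PERIOD) <= tolerance for g in gaps):
            flagged.append(pair)
    return flagged


def constructed_sample():
    """Constructed proxy log for illustration; host names are hypothetical."""
    start = datetime(2026, 3, 24, 9, 0, 0)
    c2 = refang("checkmarx[.]zone")
    lines = [f"{(start + i * BEACON_PERIOD):%Y-%m-%dT%H:%M:%SZ} build-runner-07 {c2}:443"
             for i in range(4)]
    lines.append("2026-03-24T09:05:00Z build-runner-02 aquasecurity.org:443")  # legitimate
    lines.append(f"2026-03-24T09:07:00Z dev-laptop-11 {refang('scan.aquasecurtiy[.]org')}:443")
    return lines


if __name__ == "__main__":
    found = scan(constructed_sample())
    for ts, host, ioc in found:
        print(ts.isoformat(), host, "->", ioc.replace(".", "[.]"))
    print("periodic beaconing:", beaconing(found))
```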
6. Block Arbitrary Outbound Access in Production Environments
- If possible, set a default deny rule for all traffic sourced (initiated) from the Production network and destined for external networks (e.g., the Internet). Where necessary, allow only specific hosts within the Production network to initiate network traffic to specific hosts via specific ports/protocols outside of the Production network. This is much easier to implement early in the organization’s development. If you’re an early-stage company, take the time to do it now.
Appendix: References & IOCs
Regulatory References
- CISA Known Exploited Vulnerabilities (KEV): Federal remediation deadline: April 8, 2026. Private organizations should treat this as a benchmark deadline.
- GitHub Security Advisory: Trivy GitHub Actions workflow misconfiguration.
- Singapore CSA Advisory (TeamPCP/Trivy/Checkmarx): Covers the Trivy and Checkmarx KICS compromises.
- Singapore CSA Advisory (axios/UNC1069): Covers the axios follow-on attack attributed to UNC1069.
Indicators of Compromise (IOCs)
Command & Control (“C2”) Domains
- scan.aquasecurtiy[.]org (Trivy; note: typosquat of aquasecurity.org)
- checkmarx[.]zone (Checkmarx KICS; also used in LiteLLM persistence beaconing)
- models.litellm[.]cloud (LiteLLM)
- sfrclak[.]com (axios/UNC1069)
- 83.142.209[.]203 (Telnyx exfiltration IP)
Persistence Artifacts (Linux)
- Persistence script: ~/.config/sysmon/sysmon.py (installed as systemd service sysmon.service)
- Beaconing behavior: polls checkmarx[.]zone/raw every 50 minutes
- Kill switch: aborts execution if the polled URL contains youtube[.]com
- Exfiltration archive filename: tpcp.tar.gz
- Fallback exfiltration: creates a public GitHub repository named tpcp-docs or docs-tpcp using a stolen GITHUB_TOKEN
Affected Package Versions
- Trivy: v0.69.4 and later March 2026 releases (binaries and GitHub Actions aquasecurity/trivy-action, setup-trivy)
- Checkmarx: ast-github-action and kics-github-action (March 23-24, 2026 releases)
- LiteLLM: versions 1.82.7 and 1.82.8 (PyPI)
- Telnyx Python SDK: versions 4.87.1 and 4.87.2 (PyPI)
- axios: versions 1.14.1 and 0.30.4 (npm)
Technical References
- Aqua Security post-incident analysis: Root cause analysis of the GitHub Actions misconfiguration and non-atomic credential rotation.
- Wiz threat research (March 25): Command & Control infrastructure analysis. Attribution of the Trivy and Checkmarx compromises to TeamPCP.
- Wiz threat research (March 30): Confirmation of TeamPCP partnership with LAPSUS$ extortion group.
- RoseSecurity blog (March 24): Technical analysis of how the Trivy attack bypassed SHA pinning via GitHub fork commit reachability.
- Mercor security disclosure: First confirmed victim disclosure. 4TB exfiltration details and Tailscale VPN credential vector.
This briefing is part of Exposure Security's ongoing executive intelligence series. For questions about how this applies to your organization specifically, contact us.