Cisco lost 300+ repos to the supply chain attack we warned about three days ago
Technology · April 3, 2026 · 5 min read


By Omar Rashid · AI-generated analysis · Auto-published · 4 sources cited · Medium confidence

Cisco's internal development environment has been breached, and the attackers walked out with more than 300 GitHub repositories, including source code for the company's AI Defense product, unreleased projects, and code belonging to banks and U.S. government agencies. The company has not publicly acknowledged the breach. It has not responded to press inquiries. And the attackers are now extorting the company under an April 3 deadline.

The attack vector: a poisoned version of Trivy, the open-source vulnerability scanner that thousands of organizations trust to keep their CI/CD pipelines clean. On March 19, TeamPCP force-pushed malicious commits to 76 of 77 version tags in Trivy's GitHub Action repositories. Every pipeline that ran Trivy that day silently executed credential-stealing malware. The scans looked normal. The output was correct. Underneath, the "TeamPCP Cloud Stealer" was dumping process memory, harvesting SSH keys, cloud credentials, and API tokens, then encrypting and exfiltrating the haul.
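The mechanism above depends on one thing: pipelines referenced the action by a version tag, and tags are mutable, so a force-push silently changed what every downstream job executed. The defensive control is to pin third-party actions to a full 40-character commit SHA, which cannot be moved. The following script is an added example written for this article (it is not Cisco's, Trivy's or TeamPCP's code) that lints GitHub workflow files for `uses:` references not pinned to a full SHA. The workflow text, the action name `example-org/scanner-action` and the 40-hex SHA in it are constructed sample data.

```python
import glob
import re
import sys
from typing import List, Tuple

# Matches a step reference such as:   - uses: some-org/some-action@v1
# Group 1 is the action path, group 2 is the ref after '@'.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)', re.MULTILINE)
# A full commit SHA is 40 lowercase hex characters; anything else is mutable.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a tag or branch name rather than
    a full commit SHA. docker:// references are skipped: they carry an image
    digest, not a git ref, and need a separate check."""
    unpinned = []
    for action, ref in USES_RE.findall(workflow_text):
        if action.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


def lint_files(paths: List[str]) -> List[str]:
    """Lint each workflow file and return human-readable findings."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for action, ref in find_unpinned_uses(fh.read()):
                findings.append(f"{path}: {action}@{ref} is not pinned to a commit SHA")
    return findings


# Constructed sample workflow: two mutable tags and one SHA-pinned action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Vulnerability scan
        uses: example-org/scanner-action@0.28.0
        with:
          scan-type: fs
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
"""


if __name__ == "__main__":
    # Real use: lint every workflow in the repository and fail CI on findings.
    # Falls back to the constructed sample when no workflow files exist.
    files = glob.glob(".github/workflows/*.yml") + glob.glob(".github/workflows/*.yaml")
    if files:
        results = lint_files(files)
    else:
        results = [f"sample: {a}@{r} is not pinned to a commit SHA"
                   for a, r in find_unpinned_uses(SAMPLE_WORKFLOW)]
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

Run from the repository root; a non-zero exit blocks the merge. Pinning shifts the trust decision from "whatever the tag points at today" to a specific reviewed commit, so a later force-push of the tag has no effect on the pipeline. The trade-off is that updates become deliberate: a bot or a periodic review must bump the SHA.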

Cisco's pipelines used Trivy. So the credentials TeamPCP harvested gave them keys to Cisco's build environment. According to BleepingComputer, Cisco's Unified Intelligence Center, CSIRT, and Emergency Operations Center teams contained the breach, but not before significant damage was done.

We covered TeamPCP's broader campaign three days ago when the group was hitting LiteLLM, Telnyx, and Checkmarx KICS. The warning was clear: this campaign was accelerating. Cisco is the confirmation that it found its biggest target.

What Cisco actually lost

The 300+ cloned repositories include source code for Cisco AI Assistants, AI Defense (the company's network-level AI security product), and products that haven't been publicly announced yet. That last category is worth sitting with: the attackers have blueprints for things Cisco's own customers don't know about.

Worse, BleepingComputer reports that a portion of the stolen repositories belongs to corporate customers, including banks, business process outsourcing firms, and U.S. government agencies. Multiple AWS keys were also stolen and used for unauthorized activity across a small number of Cisco's cloud accounts.

According to The CyberSec Guru, screenshots leaked by the ShinyHunters group (which appears to be working alongside TeamPCP) show the AWS Management Console for Cisco's Crosswork Network Controller with hundreds of internal storage volumes. Creation dates as recent as mid-March suggest the attackers maintained access for weeks before discovery.

Multiple sources told BleepingComputer that more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity.

The AI Defense problem

Stealing source code for a security product is a category of damage that doesn't have a simple fix. AI Defense is designed to detect threats against enterprise AI deployments. If you have its source code, you can study exactly how it identifies malicious behavior and build attacks calibrated to slip past it. You can't patch that with a software update. You're rebuilding detection logic from scratch.

Cisco sells AI Defense to enterprises that are betting their AI security posture on it. Those customers now need to ask a question Cisco probably doesn't want to answer: how compromised is the product protecting us?

Cisco's silence is telling

Cisco is rotating credentials, reimaging developer workstations, and isolating affected AWS accounts. That's the right incident response playbook. But the company has not responded to BleepingComputer's press inquiries, has not issued a public statement, and has not notified customers whose code was in those stolen repositories (at least not publicly).

Meanwhile, the company "expects continued fallout" from follow-on attacks exploiting the same stolen credentials, according to BleepingComputer's sources. That is a remarkable admission to make through anonymous sourcing while saying nothing on the record.

For context, Cisco's previous major breach in 2022 involved the Yanluowang ransomware gang stealing 2.8 GB of data. This breach dwarfs it. Three hundred repositories of source code, including unreleased products and government customer data, is a different magnitude of exposure entirely.

What we don't know yet

  • Whether the stolen customer repository code includes classified or sensitive government configurations. Cisco provides networking infrastructure to federal agencies, and if those configurations were in the repos, the implications extend well beyond Cisco's corporate perimeter.
  • How many other organizations were breached through the same Trivy credential theft. Cisco is the biggest confirmed name, but thousands of pipelines ran the compromised action on March 19. The full victim list is almost certainly longer.
  • What exactly the attackers are demanding. ShinyHunters set an April 3 deadline, but the specific terms of the extortion have not been publicly reported.

What happens next

Today is April 3, the deadline ShinyHunters reportedly set. If Cisco doesn't engage (and everything about their posture suggests they won't pay), the stolen data could go public. That would give every attacker on the planet access to Cisco's AI product source code and, potentially, to the proprietary code of Cisco's banking and government customers.

The broader lesson is one the security industry keeps learning the hard way: CI/CD pipelines that touch production credentials deserve the same security scrutiny as production environments themselves. Trivy was a trusted tool. It ran inside the walls. And that trust is exactly what TeamPCP weaponized.
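Two concrete ways that scrutiny shows up in a workflow file are removing long-lived cloud keys from the job environment (the article notes that stolen AWS keys were later used in Cisco's accounts) and granting the job only the permissions it needs. The fragment below is an added illustration, not Cisco's or Trivy's configuration: the first document is the weak pattern, the second the hardened one. `example-org/scanner-action`, the role ARN, and every `<FULL-COMMIT-SHA>` are placeholders; `aws-actions/configure-aws-credentials` and its `role-to-assume` / `aws-region` inputs are the real action's documented interface.

```yaml
# BEFORE: mutable version tags and a long-lived AWS key exposed to every
# step. A force-pushed tag changes what runs, and a key dumped from process
# memory keeps working from anywhere until it is rotated.
name: ci-before
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0.28.0      # constructed name, mutable tag
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
---
# AFTER: every third-party action pinned to a full commit SHA, permissions
# reduced to what the job uses, and AWS access obtained as a short-lived
# token through OIDC, bound to this repository and a narrowly scoped role.
# A token stolen from the runner expires on its own and cannot be used to
# reach anything the role was not granted.
name: ci-after
on: [push]
permissions:
  contents: read          # workflow-wide default; jobs must opt in to more
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write     # needed so GitHub will mint the OIDC token for this job
    steps:
      - uses: actions/checkout@<FULL-COMMIT-SHA>                      # placeholder: SHA of the release you reviewed
      - uses: aws-actions/configure-aws-credentials@<FULL-COMMIT-SHA> # placeholder SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-scan-readonly   # constructed ARN
          aws-region: us-east-1
      - uses: example-org/scanner-action@<FULL-COMMIT-SHA>            # constructed name, placeholder SHA
```

The role's trust policy on the AWS side should restrict the OIDC subject to this repository and branch, and the role itself should carry only the read access the scan needs; the workflow change alone does not enforce that.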

Three days ago, we wrote that TeamPCP's campaign was escalating. This week, Cisco proved us right in the worst possible way.

Omar Rashid covers cybersecurity and technology for The Daily Vibe.

This article was AI-generated.
