Here is what happened: A threat group called TeamPCP compromised Aqua Security's Trivy vulnerability scanner, injected credential-stealing malware into official releases and GitHub Actions, and used the stolen access to poison LiteLLM's PyPI packages. Over 1,000 cloud environments are confirmed affected. The number is expected to grow significantly.
If you run Trivy in your CI/CD pipeline or use LiteLLM in your stack, stop reading this summary and go check your versions right now.
Timeline of events
- Late February 2026: TeamPCP exploits a misconfiguration in Trivy's GitHub Action component and steals a privileged access token. Aqua Security attempts remediation but does not fully resolve the issue.
- March 19, ~17:43 UTC: Attackers use the retained access to push a malicious Trivy release (v0.69.4). They spoof commits as legitimate maintainers, and the release triggers backdoored binaries published to GitHub Releases, Docker Hub, GHCR, and ECR. The malware phones home to a typosquatted domain (scan.aquasecurtiy[.]org).
- March 19-20: Attackers force-push 75 out of 76 trivy-action tags to malicious versions. Seven setup-trivy tags are also force-pushed. Socket analyst Philipp Burckhardt reports over 10,000 workflow files on GitHub reference trivy-action.
- March 20-21: Stolen credentials from Trivy's CI environment are used to compromise LiteLLM. The attackers obtain LiteLLM's PYPI_PUBLISH token (stored as a .env variable in the project's GitHub repo) via the Trivy pipeline. LiteLLM versions 1.82.7 and 1.82.8 are published to PyPI containing credential-stealing code in a component file called litellm_init.pth.
- March 22: Additional malicious Trivy images (v0.69.5, v0.69.6) appear on Docker Hub. TeamPCP defaces Aqua Security's internal GitHub, renaming all 44 repositories with the message "TeamPCP Owns Aqua Security." TeamPCP also deploys a worm called CanisterWorm to the npm ecosystem using stolen publish tokens.
- March 24 (RSAC 2026): Mandiant Consulting CTO Charles Carmakal confirms over 1,000 impacted SaaS environments. Wiz researcher Ben Read tells The Register that TeamPCP is now collaborating with Lapsus$.
What the malware actually does
The payload runs a three-stage attack on your CI/CD runner:
First, it scrapes memory from the Runner.Worker process, searching for secrets stored in the pattern {"value":"","isSecret":true}. Then it sweeps the filesystem for SSH keys, cloud credentials across AWS, GCP, and Azure, Kubernetes service account tokens, and cryptocurrency wallets across 50+ sensitive file paths. Finally, it encrypts everything using AES-256-CBC with RSA-4096 hybrid encryption and exfiltrates the bundle to attacker-controlled infrastructure, according to Wiz's analysis.
As a fallback exfil method, the malware creates a repository called tpcp-docs in the victim's GitHub account and uploads stolen credentials as a release asset. If the malware detects it is running on a developer machine rather than a CI runner, it drops a base64-encoded Python persistence mechanism.
For LiteLLM specifically, the Python Packaging Authority (PyPA) advisory is blunt: "Anyone who has installed and run the project should assume any credentials available to the LiteLLM environment may have been exposed, and revoke/rotate them accordingly."
How bad is it really
This is a serious, active supply chain compromise with real downstream impact. Let me be specific about the blast radius rather than wave my hands.
The confirmed number from Mandiant is 1,000+ SaaS environments currently dealing with the threat actor. Carmakal said that number could expand to 10,000. Wiz says LiteLLM is present in 36% of all cloud environments they monitor, which gives you a sense of the potential exposure surface, though "present in the environment" and "running the compromised version" are different things.
The version tag poisoning is what makes this particularly effective. Most CI/CD pipelines reference GitHub Actions by version tag, not pinned commit hash. So when TeamPCP force-pushed 75 of 76 trivy-action tags, pipelines kept running without any visible change. The one unaffected tag was @0.35.0, according to Socket.
There is also the Lapsus$ angle. Wiz's Ben Read said the attackers are converging with "high-profile extortion groups." Carmakal described the actors as "known for being exceptionally aggressive with their extortion" and based primarily in the US, UK, Canada, and Western Europe. According to the attackers' own Telegram messages, they plan to continue targeting additional popular open source projects.
The incomplete remediation in February is worth noting. Aqua Security knew about the initial misconfiguration and attempted a fix, but the issue was never fully resolved. That left the door open for TeamPCP to return with the stolen token and escalate. Credential rotation after a breach needs to be exhaustive, not selective.
What to do right now
If you use Trivy in CI/CD:
- Check if your pipelines reference `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` by version tag. If so, they were likely compromised. Pin to a verified commit SHA, not a tag.
- Audit your CI/CD runner logs for connections to `scan.aquasecurtiy[.]org` (note the typo in "security"; that is the actual attacker domain) or to `plug-tab-protective-relay.trycloudflare.com`.
- Check your GitHub account for a repository named `tpcp-docs` that you did not create. If it exists, your credentials were exfiltrated.
- Rotate every secret that was accessible to your CI/CD environment: AWS keys, GCP service accounts, Azure credentials, Kubernetes tokens, SSH keys, GitHub tokens. All of them.
- Review Trivy versions: v0.69.4, v0.69.5, and v0.69.6 are confirmed malicious. Roll back to a known-good version.
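As an added example (not code from the article, Aqua Security, Wiz or Socket), the following Python script performs two of the checks above offline: it tells you whether a Trivy version or image tag is one of the three confirmed-malicious releases, and it scans exported CI runner log lines for the two attacker hostnames. The indicator values are the ones named in this article; the runner log excerpt is constructed test data, not a real capture.

```python
"""Offline checks for the Trivy indicators listed in the article. Added example
written for this article; not code from Aqua Security, Wiz or Socket. The
indicator values are the article's; the runner log lines are constructed."""
import sys

# Trivy releases the article reports as confirmed malicious.
MALICIOUS_TRIVY_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}

# Attacker-controlled hosts named in the article. The first typosquats
# "aquasecurity" (note "securtiy"). The article's text runs the word "to"
# into the second hostname; substring matching below catches either reading.
IOC_DOMAINS = (
    "scan.aquasecurtiy.org",
    "plug-tab-protective-relay.trycloudflare.com",
)


def normalize_version(tag):
    """'v0.69.4', '0.69.4' and 'aquasec/trivy:0.69.4' all compare as '0.69.4'."""
    return tag.strip().rsplit(":", 1)[-1].lstrip("v")


def is_malicious_trivy_version(tag):
    """True when the version or image tag is one of the known-bad releases."""
    return normalize_version(tag) in MALICIOUS_TRIVY_VERSIONS


def find_ioc_hits(log_lines):
    """Return (line_number, domain) for every log line that mentions an IoC host.

    Matching is case-insensitive. The legitimate aquasecurity.org never matches
    because the typosquat differs in spelling.
    """
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for domain in IOC_DOMAINS:
            if domain in lowered:
                hits.append((lineno, domain))
    return hits


# Constructed runner log excerpt (not a real capture).
SAMPLE_RUNNER_LOG = [
    "2026-03-19T17:51:02Z trivy: Need to update DB",
    "2026-03-19T17:51:03Z GET https://ghcr.io/aquasecurity/trivy-db 200",
    "2026-03-19T17:51:09Z POST https://scan.aquasecurtiy.org/api/v1/upload 200",
    "2026-03-19T17:51:10Z POST https://plug-tab-protective-relay.trycloudflare.com/ 200",
    "2026-03-19T17:51:11Z GET https://aquasecurity.org/ 200",
]


if __name__ == "__main__":
    # Usage: python trivy_ioc_check.py [runner.log] [trivy-version-or-image-tag]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_RUNNER_LOG
    for lineno, domain in find_ioc_hits(lines):
        print(f"IOC line {lineno}: {domain}")
    if len(sys.argv) > 2:
        verdict = "MALICIOUS" if is_malicious_trivy_version(sys.argv[2]) else "not in the known-bad list"
        print(f"Trivy {sys.argv[2]}: {verdict}")
```

Point it at an exported runner log and, optionally, the Trivy version or image tag your pipeline actually ran. A hit on either hostname is the article's indicator that the payload executed on that runner, so every secret that runner could reach goes on the rotation list in the next item, not just the ones you can prove were read.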
If you use LiteLLM:
- Check your installed version immediately. LiteLLM v1.82.7 and v1.82.8 are compromised and have been removed from PyPI.
- Look for the file `litellm_init.pth` in your environment. If present, your credentials have been stolen.
- Rotate all API keys, LLM provider tokens, and database credentials accessible to LiteLLM. The PyPA advisory says to assume exposure.
- Update to a clean LiteLLM version. Berri AI CEO Krrish Dholakia has confirmed all PyPI publishing tokens have been deleted and the team is moving to trusted publishing via JWT tokens.
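The LiteLLM checks above, as an added Python example that is not code from Berri AI, PyPA or the article: it compares the installed litellm version against the two compromised releases and looks for the planted file in the interpreter's site-packages directories. It also generalises the `.pth` point, because it is the mechanism that makes such a file dangerous: CPython's `site` module exec()s any line of a `.pth` file that begins with `import`, so a `.pth` dropped into site-packages runs code at every interpreter start-up. The `.pth` contents below are constructed for the test and are not the real planted file.

```python
"""Checks for the LiteLLM indicators in the article: the two compromised PyPI
versions and the planted litellm_init.pth file. Added example for this article,
not code from Berri AI or PyPA. The .pth audit mirrors CPython's site.addpackage()
rule: a line starting with "import" followed by a space or tab is exec()ed."""
import sysconfig
from importlib import metadata
from pathlib import Path

# Versions the article reports as compromised and removed from PyPI.
COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}
PLANTED_FILE = "litellm_init.pth"


def is_compromised_version(version):
    """True when the installed version is one of the two compromised releases."""
    return version.strip().lstrip("v") in COMPROMISED_LITELLM_VERSIONS


def flag_planted_pth(file_names):
    """Given names from a site-packages listing, return those that are the planted file."""
    return [n for n in file_names if Path(n).name == PLANTED_FILE]


def executable_pth_lines(pth_text):
    """Return (line_number, line) for each .pth line site.py would exec().

    Comment lines are skipped; a line is executed (rather than appended to
    sys.path) when it starts with 'import' followed by a space or a tab.
    """
    out = []
    for lineno, line in enumerate(pth_text.splitlines(), start=1):
        if line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            out.append((lineno, line))
    return out


def site_package_dirs():
    """The pure-Python and platform site-packages directories of this interpreter."""
    paths = sysconfig.get_paths()
    return sorted({paths["purelib"], paths["platlib"]})


# Constructed .pth contents for the test (not the real planted file's contents).
SAMPLE_BENIGN_PTH = "/opt/vendor/lib\n# a comment\n"
SAMPLE_SUSPECT_PTH = "import sys, types; sys.modules['litellm_init'] = types.ModuleType('litellm_init')\n"


if __name__ == "__main__":
    try:
        installed = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        installed = None
    if installed is None:
        print("litellm: not installed in this interpreter")
    else:
        status = "COMPROMISED" if is_compromised_version(installed) else "not a known-bad version"
        print(f"litellm {installed}: {status}")
    for site_dir in site_package_dirs():
        for pth in sorted(Path(site_dir).glob("*.pth")):
            exec_lines = executable_pth_lines(pth.read_text(encoding="utf-8", errors="replace"))
            planted = flag_planted_pth([pth.name])
            if planted or exec_lines:
                flag = "PLANTED FILE; " if planted else ""
                print(f"{pth}: {flag}{len(exec_lines)} executable line(s)")
```

Run it with the same interpreter that runs LiteLLM (each virtualenv has its own site-packages). Some `.pth` files with `import` lines are legitimate, for example the one setuptools installs, so the output is a list to review rather than a verdict; the point is that every file on it executes on interpreter start-up and should be accounted for.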
For everyone:
Stop pinning GitHub Actions to version tags. Use commit SHAs. This is the single most effective mitigation against this class of attack, and the security community has been saying it for years. Today is a good day to finally do it.
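The mitigation the article recommends for everyone, as an added Python example that is not code from GitHub, Socket or any project named here: it walks a repository's .github/workflows directory and reports every `uses:` step referenced by a tag or branch rather than a full commit SHA, escalating the two Trivy actions whose tags were force-pushed. It also illustrates the point made earlier about why tag poisoning worked: the pipeline text does not change, so only a pin to an immutable SHA makes the substitution visible. The sample workflow is constructed and its 40-hex SHA is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow files for steps referenced by a mutable tag
instead of a full commit SHA. Added example for this article; not code from
Aqua Security, Socket or GitHub. The sample workflow below is constructed,
and its 40-hex SHA is a placeholder, not a real commit."""
import re
import sys
from pathlib import Path

# A full 40-hex commit SHA is the only immutable way to reference an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/subdir]@ref` as written in a workflow step.
# Local actions (./path) and docker:// references carry no owner/repo@ref
# and are intentionally not matched.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(/[^@'"\s]+)?@([^'"\s#]+)"""
)

# The two actions whose tags the article reports were force-pushed.
TRIVY_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}


def audit_workflow(text):
    """Return findings for one workflow file as (line, action, ref, severity).

    'critical': a Trivy action referenced by tag or branch (the article's case);
    'warn':     any other action referenced by a mutable ref.
    SHA-pinned steps produce no finding. Even the one tag the article says was
    left untouched (@0.35.0) is still mutable, so it is reported too.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(3)
        if SHA_RE.match(ref):
            continue  # immutable pin: nothing to report
        severity = "critical" if action in TRIVY_ACTIONS else "warn"
        findings.append((lineno, action, ref, severity))
    return findings


def audit_repo(root):
    """Audit every workflow under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: aquasecurity/setup-trivy@v0.2.3
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: fs
      - uses: actions/upload-artifact@v4
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    # Usage: python audit_actions.py [repo-root]; without an argument it audits the sample.
    if len(sys.argv) > 1:
        report = audit_repo(sys.argv[1])
    else:
        report = {"<sample>": audit_workflow(SAMPLE_WORKFLOW)}
    for path, findings in report.items():
        for lineno, action, ref, severity in findings:
            print(f"{severity.upper():8} {path}:{lineno}: {action}@{ref} is not SHA-pinned")
```

Run `python audit_actions.py .` at a repository root. The fix for each finding is the SHA form with the human-readable version kept in a trailing comment (`uses: owner/repo@<sha>  # v1.2.3`); Dependabot understands that convention and keeps the SHA and comment updated together, so pinning does not mean freezing.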
Omar Rashid covers cybersecurity for The Daily Vibe.