Here is what happened: A threat group called TeamPCP compromised Aqua Security's Trivy vulnerability scanner, injected credential-stealing malware into official releases and GitHub Actions, and used the stolen access to poison LiteLLM's PyPI packages. Over 1,000 cloud environments are confirmed affected. The number is expected to grow significantly.
If you run Trivy in your CI/CD pipeline or use LiteLLM in your stack, stop reading this summary and go check your versions right now.
Timeline of events
-
Late February 2026: TeamPCP exploits a misconfiguration in Trivy's GitHub Action component and steals a privileged access token. Aqua Security attempts remediation but does not fully resolve the issue.
-
March 19, ~17:43 UTC: Attackers use the retained access to push a malicious Trivy release (v0.69.4). They spoof commits as legitimate maintainers, and the release triggers backdoored binaries published to GitHub Releases, Docker Hub, GHCR, and ECR. The malware phones home to a typosquatted domain (scan.aquasecurtiy[.]org).
-
March 19-20: Attackers force-push 75 out of 76 trivy-action tags to malicious versions. Seven setup-trivy tags are also force-pushed. Socket analyst Philipp Burckhardt reports over 10,000 workflow files on GitHub reference trivy-action.
-
March 20-21: Stolen credentials from Trivy's CI environment are used to compromise LiteLLM. The attackers obtain LiteLLM's PYPI_PUBLISH token (stored as a .env variable in the project's GitHub repo) via the Trivy pipeline. LiteLLM versions 1.82.7 and 1.82.8 are published to PyPI containing credential-stealing code in a component file called litellm_init.pth.
-
March 22: Additional malicious Trivy images (v0.69.5, v0.69.6) appear on Docker Hub. TeamPCP defaces Aqua Security's internal GitHub, renaming all 44 repositories with the message "TeamPCP Owns Aqua Security." TeamPCP also deploys a worm called CanisterWorm to the npm ecosystem using stolen publish tokens.
-
March 24 (RSAC 2026): Mandiant Consulting CTO Charles Carmakal confirms over 1,000 impacted SaaS environments. Wiz researcher Ben Read that TeamPCP is now collaborating with Lapsus$.
