Open Source Under Siege: A Cascade of Supply Chain Attacks Threatens Software Integrity

Edi Susilo Dewantoro, March 28, 2026

The open-source software ecosystem, a cornerstone of modern technology, is facing an unprecedented wave of sophisticated supply chain attacks, exposing critical vulnerabilities and demanding urgent attention from developers and organizations worldwide. In a series of coordinated assaults that began in March 2026, malicious actors have systematically infiltrated popular open-source projects, compromising their integrity and posing a significant threat to the vast network of software that relies on them.

The alarming trend was brought into sharp focus on March 19, 2026, when Aqua Security, a prominent cybersecurity firm, disclosed a severe supply chain attack targeting its widely used Trivy vulnerability scanner. The attackers, identified as the group “TeamPCP,” successfully infiltrated Trivy’s continuous integration and delivery (CI/CD) pipeline and GitHub repositories. This intrusion allowed them to trojanize Trivy binaries and manipulate GitHub Actions workflows, ultimately aiming to exfiltrate sensitive credentials from CI/CD environments. The breach, occurring within a company dedicated to security, sent ripples of concern throughout the industry, highlighting the pervasive nature of these threats.

This initial attack on Trivy was not an isolated incident but rather the precursor to a broader campaign. Following the compromise of Trivy, TeamPCP escalated its activities, exploiting the compromised credentials and methods to target other crucial open-source components. The group reportedly compromised dozens of npm JavaScript packages through a novel three-stage attack dubbed “CanisterWorm.” Furthermore, leveraging the stolen credentials obtained from the Trivy incident, they successfully infiltrated and disrupted the popular Python proxy package, LiteLLM. While TeamPCP has not officially claimed responsibility for the LiteLLM and subsequent attacks, the modus operandi strongly suggests their involvement. The same techniques were subsequently employed to breach the systems of Checkmarx, a security company that integrates with open-source projects.

According to reports from International Cyber Digest, TeamPCP has boasted about the scale of their operation, claiming to have “obtained 300 GB of compressed credentials.” Their brazen declaration, “TeamPCP is here to stay. Long live the supply chain,” underscores their intent and the significant threat they pose. The cumulative reach of the compromised open-source projects is staggering, with combined downloads exceeding 100 million per month, illustrating the widespread potential impact of these attacks.

Evidence suggests that TeamPCP’s disruptive activities predated their high-profile attacks on Trivy and its downstream targets. Cloud security firm Upwind detailed how an autonomous AI bot, “hackerbot-claw,” exploited a misconfiguration in Trivy’s GitHub Actions workflows. This vulnerability, specifically a pull_request_target issue, allowed the bot to steal a Personal Access Token (PAT), leading to a complete takeover of the Trivy repository. Although Aqua Security addressed this specific vulnerability, the initial breach left lingering security gaps. Credentials that survived the incomplete remediation efforts were subsequently used to compromise Aqua Security’s GitHub Aqua Bot service account, further enabling the attackers’ broader objectives.

The strategic nature of this campaign was articulated by Kevin McGahey, CTO of DreamFactory, who described TeamPCP’s actions as a “coordinated supply chain campaign that methodically escalated from security tooling to AI infrastructure.” McGahey highlighted the deliberate progression: “Compromise security scanners first (tools that run with elevated permissions in CI/CD pipelines), harvest credentials, then use those credentials to poison downstream infrastructure.” By targeting Trivy, a security tool trusted implicitly and often run with extensive privileges, TeamPCP gained access to critical publishing tokens for PyPI and GitHub personal access tokens, which were instrumental in publishing malicious versions of LiteLLM.

How the Attack Unfolded: A Five-Phase Campaign

Analysts from Palo Alto Networks have meticulously documented the Trivy attack and its subsequent ramifications, describing the entire operation as a five-phase attack chain. This detailed breakdown reveals a sophisticated and methodical approach to infiltrating and exploiting the open-source software supply chain.

Phase 1: Credential Reuse and Repository Takeover

The initial phase of the attack leveraged credentials obtained from the earlier exploitation of Trivy’s GitHub Actions. With these stolen credentials, TeamPCP gained unauthorized access to the Aqua Bot service account, effectively impersonating trusted maintainers. This enabled them to push a malicious tag, specifically v0.69.4, to the Trivy repository. This action triggered an automated release process, leading to the propagation of backdoored binaries across multiple distribution platforms, including GitHub Releases, Docker Hub, GHCR (GitHub Container Registry), and Amazon ECR (Elastic Container Registry).

Phase 2: GitHub Actions Tag Poisoning

Building on their initial success, the attackers turned their attention to poisoning GitHub Actions tags. They illicitly updated 75 out of 76 version tags within the aquasecurity/trivy-action repository. These updated tags no longer pointed to legitimate commits but instead referenced malicious code controlled by the attackers. Consequently, any GitHub Actions workflow that was pinned to a compromised version tag, such as @v0.28.0, would silently pull in the attacker-controlled code without any visible alteration to the workflow definition itself. To evade detection and maintain the appearance of legitimate activity within Git history, the malicious commits were meticulously crafted to replicate the original author metadata and timestamps. This same deceptive technique was employed to poison seven setup-trivy tags.

Phase 3: Three-Stage Credential Theft

The compromised GitHub Actions, now embedded with malicious code, executed a three-stage data theft sequence. This phase was designed to extract a wide array of sensitive information from the compromised environments. The specific details of this sequence, while not fully elaborated in the initial reports, are understood to involve exfiltrating credentials and configuration data that would be crucial for further exploitation.

Phase 4: Persistent Backdoor on Developer Machines

A critical component of the attack involved the persistent compromise of developer workstations. When a trojanized Trivy binary was executed on a developer’s machine, it installed a stealthy and persistent backdoor. This backdoor was established as a systemd service, disguised as sysmon.py. This malicious service maintained regular communication with a “canister” on the Internet Computer (ICP) blockchain, approximately every 50 minutes. This decentralized communication channel was employed to fetch command-and-control instructions, making the backdoor exceptionally difficult to disrupt or detect due to its reliance on distributed infrastructure.

Phase 5: CanisterWorm – Self-Spreading npm Supply Chain Attack

With the vast trove of harvested credentials, TeamPCP unleashed “CanisterWorm,” a self-spreading npm supply chain attack. This campaign successfully compromised over 47 npm packages across various organizational scopes. Later iterations of CanisterWorm incorporated token theft capabilities and automated malicious package publishing through the postinstall hook. This meant that any developer workstation or CI pipeline that installed an affected package inadvertently became a propagation node for the malware. In a single, alarming burst, the attackers managed to backdoor 28 npm packages in under 60 seconds, demonstrating the speed and efficiency of their operations.

The cumulative outcome of this meticulously planned assault was the silent weaponization of the Trivy open-source supply chain, turning a vital security tool into a vector for further compromise.

Broader Implications and Industry Reactions

The sophistication and scope of these attacks have prompted widespread concern and calls for reassessment of security practices within the open-source community. While the initial focus was on the compromised projects themselves, security professionals are also scrutinizing the underlying infrastructure and configurations that enabled these breaches.

Dan Lorenc, CEO and co-founder of Chainguard, a company focused on secure software supply chains, pointed to weaknesses in GitHub Actions configurations. In an interview with The New Stack, Lorenc explained that the affected workflows took “untrusted inputs, in this case, branch names, and passed them into the scripts inside the actions without properly escaping them.” This allowed attackers to submit pull requests with malicious content embedded in branch names, enabling them to exploit the action pipelines themselves, push malicious commits, or steal credentials from CI systems.

Lorenc further elaborated on the pervasive nature of these vulnerabilities: “A lot of the defaults are bad, and they can be exploited in subtle ways. This affected both the initial attack on Trivy and the way malware propagated across everyone’s CI systems that used the Trivy GitHub Action. So there’s another wave of attacks happening now with all the credentials that were stolen from those Trivy users.” This indicates a cascading effect, where credentials stolen from one compromise fuel subsequent attacks across different ecosystems.

Industry analysts describe this wave of attacks as a larger-scale version of previous incidents, such as the infamous Shai-Hulud npm malware attack. The current campaign’s impact is amplified by its multi-ecosystem reach and its sophisticated exploitation of CI/CD pipelines, particularly GitHub Actions.

Mitigation Strategies and Future Preparedness

In response to this escalating threat, security experts are urging immediate and decisive action from developers and organizations. Lorenc strongly advises that “Anyone who had the Trivy action in their pipeline or was running it themselves on their systems likely had credentials stolen and needs to rotate them.” This includes a comprehensive audit and rotation of all sensitive credentials, such as cloud keys, GitHub tokens, SSH keys, Kubernetes tokens, Docker registry credentials, database passwords, TLS keys, and any exposed cryptocurrency wallets. Furthermore, affected CI runners and images should be rebuilt from trusted, clean baselines rather than attempting to remediate compromised systems in place.

To bolster defenses against similar attacks in the future, best practices for using CI/CD tools like GitHub Actions are being emphasized. Pinning GitHub Actions to specific commit SHAs rather than version tags is a critical step. This ensures that an action is locked to a precise, immutable commit, preventing malicious code from being introduced through tag manipulation. Additionally, locking down GitHub tokens and other runner credentials with explicit, least-privilege permissions is essential, granting write access only when absolutely necessary.
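A workflow audit in the spirit of the advice above, covering both the untrusted branch-name injection Lorenc describes and the SHA-pinning, least-privilege and pull_request_target points, as an added example that is not code from the original article, Aqua, Chainguard or GitHub. It is a regex-based check rather than a full YAML parser, runs over a constructed sample workflow, and the 40-hex SHA in that sample is a placeholder, not a real commit.

```python
import re
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions an external contributor controls: branch names and PR title/body.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.(head_ref|event\.pull_request\.(title|body|head\.(ref|label)))\s*\}\}")

def audit_workflow(text):
    """Return (line_no, message) findings for the raw YAML text of a workflow."""
    findings = []
    run_indent = None  # key indent of an open multi-line run: block, else None
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        indent = len(line) - len(body)
        if body.startswith("- "):  # list item: the key starts two columns in
            body, indent = body[2:].lstrip(), indent + 2
        if run_indent is not None and body and indent <= run_indent:
            run_indent = None  # the multi-line block has ended
        in_run = run_indent is not None
        if body.startswith("run:"):
            in_run = True
            if body.rstrip() in ("run: |", "run: >", "run: |-", "run: >-"):
                run_indent = indent
        if body.startswith("uses:"):
            ref = body[5:].split("#")[0].strip()
            repo, _, rev = ref.partition("@")
            if not repo.startswith("./") and not SHA_RE.match(rev):
                findings.append((no, f"{ref}: mutable ref; pin to a full commit SHA"))
        if in_run and UNTRUSTED_RE.search(line):
            findings.append((no, "untrusted PR input expanded inside a run: script; pass it via env"))
        if body.startswith("permissions:") and "write-all" in body:
            findings.append((no, "permissions: write-all; grant explicit least-privilege scopes"))
        if re.search(r"\bpull_request_target\b", body):
            findings.append((no, "pull_request_target runs with base-repo secrets; never execute PR-head code here"))
    return findings

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE = """\
on: [pull_request_target]
permissions: write-all
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.28.0
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Scanning ${{ github.head_ref }}"
      - run: echo "Scanning $BRANCH"
        env:
          BRANCH: ${{ github.head_ref }}
"""
```

The last step shows the safe pattern: the branch name reaches the script only through an environment variable, so the shell never re-parses attacker-controlled text, and the audit leaves it unflagged.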

This series of attacks serves as a stark reminder that even security tools themselves can become targets and vectors for compromise. Security tools, much like any other software dependency, must be treated with a high degree of scrutiny. This involves diligently tracking their exact versions, verifying checksums, and avoiding automatic updates to “latest” for critical security scanners.

The current wave of attacks is far from over, and the threat landscape continues to evolve. The open-source community faces an ongoing challenge in maintaining the security and integrity of its vast software ecosystem. As software development security becomes increasingly complex, the trust placed in our security programs and tools is being tested, demanding a renewed commitment to vigilance and robust security practices. The incidents involving Trivy, LiteLLM, and numerous npm packages underscore the critical need for proactive security measures and a shared responsibility to protect the foundations of our digital infrastructure.
