[Breaking] A Cascade Started from Trivy. 4 OSS Projects Fell in 10 Days

A supply chain attack on Trivy cascaded into Checkmarx, LiteLLM, and Telnyx within 10 days. CISA added it to the KEV catalog, and Microsoft and others published analyses.

kkm (kkm-horikawa), Backend Engineer / AWS / Django

2026.03.30 (10 min read)

On March 19, 2026, the security scanner Trivy was compromised. Within ten days, Checkmarx, LiteLLM, and Telnyx fell in a cascading chain. The perpetrator: "TeamPCP." Credentials stolen in one breach were used to break into the next target: a domino-effect attack.

On March 26, CISA added it to the KEV catalog. Federal agencies are required to remediate by April 9. Microsoft, CrowdStrike, and Palo Alto Networks have all published analysis reports. Here is a timeline of what happened.

What Happened in 10 Days

Why One Attack Spread to Four

The core of this cascading attack lies in "GitHub Actions tags."

Most CI/CD pipelines reference GitHub Actions with version tags like uses: aquasecurity/trivy-action@v0.35. These tags are "mutable." The author can reassign them to a different commit at any time. TeamPCP exploited exactly this.

Once a legitimate tag is reassigned to a malicious commit, every CI/CD pipeline using that action picks up the malware on its next run. Pipeline execution environments store secrets such as API keys and package registry credentials as environment variables. The malware extracted these wholesale, encrypted them with AES-256-CBC, and sent them to an external server.

The stolen credentials included GitHub and PyPI credentials for the next targets. That is why the dominoes kept falling. The PAT stolen from Trivy was used to breach Checkmarx, and the PyPI credentials stolen from LiteLLM's CI/CD were used to hijack Telnyx's PyPI package. ReversingLabs calls this a "cascading supply chain attack."

Who Is TeamPCP

Attribution has been confirmed through analysis by Endor Labs. All four attacks used the same RSA-4096 public key, the same encryption scheme (AES-256-CBC + RSA OAEP), and the same archive header patterns.

A distinctive technical characteristic of TeamPCP is their use of Internet Computer (ICP) blockchain "canisters" for C2 (command and control) communications. Traditional C2 servers can be blocked by IP address or domain, but canisters on a blockchain are extremely difficult to take down.

When defacing 44 Aqua Security repositories, they renamed them to "tpcp-docs-*" and rewrote the descriptions to "TeamPCP Owns Aqua Security." This was a provocative declaration of "owning" a security company.

How the Attack Techniques Evolved

Over 10 days, the attack methods clearly evolved.

| Stage | Target | Technique | Evasion |
|-------|--------|-----------|---------|
| Day 1 | Trivy | Extract secrets from GitHub runner memory | AES-256-CBC encryption; typosquat domain |
| Day 4 | Checkmarx | Lateral movement with PAT stolen from Trivy | Same as above |
| Day 5 | LiteLLM | Steal PyPI credentials from CI/CD env vars | systemd service + ICP blockchain C2 |
| Day 8 | Telnyx | Intrusion using credentials obtained via LiteLLM | Steganographic payload hidden in WAV files |

The initial Trivy attack simply encrypted and sent data to a domain, but by the Telnyx attack the technique had evolved to steganographically hiding the payload in WAV audio file frame data. If malware is concealed inside an audio file, conventional file scanning will not detect it.

What CISA's Response Means

On March 26, 2026, CISA added the Trivy vulnerability to the KEV catalog as CVE-2026-33634 (CVSS 9.4). It is classified under CWE-506 (Embedded Malicious Code).

Addition to the KEV catalog means that Federal Civilian Executive Branch (FCEB) agencies are legally obligated to remediate under BOD 22-01. The deadline is April 9, 2026. Agencies that cannot remediate by the deadline are required to report the reason to CISA.

For private organizations, this is also a de facto warning. Leaving unpatched a vulnerability that CISA has explicitly named becomes a compliance risk.

Why Major Vendors All Published Analysis at Once

What shocked the industry about this attack was that "the security tools themselves became the attack vector." Trivy is a tool for finding container vulnerabilities. The instrument of defense became the point of entry.

Microsoft published detection, investigation, and defense guidance. CrowdStrike released an analysis titled "From Scanner to Stealer." Palo Alto Networks titled theirs "Security Scanners Become the Weapon," and Wiz, Snyk, and Legit Security followed suit.

Security tools run with high privileges and are rarely questioned during execution. They have access to CI/CD pipeline secrets, which means the damage when they are compromised is orders of magnitude greater. Palo Alto Networks identified this structural risk as "an intrinsic problem."

Is Your CI/CD Safe

Safe versions

  • Trivy binary: v0.69.3 or earlier (v0.69.4 was compromised and has been removed)
  • trivy-action: v0.35.0 (commit SHA: 57a97c7)
  • setup-trivy: v0.2.6 (commit SHA: 3fb12ec)
  • Docker Hub: Tags 0.69.4–0.69.6 and latest were removed by March 23
  • LiteLLM: v1.82.7 and v1.82.8 have been removed; v1.82.9 and above are safe
  • Telnyx Python SDK: v4.87.1 and v4.87.2 have been removed

The most important mitigation the industry agreed on from this attack is to pin GitHub Actions to a full commit hash (SHA).

# Dangerous (tags can be reassigned)
uses: aquasecurity/trivy-action@v0.35

# Safe (SHA is immutable)
uses: aquasecurity/trivy-action@57a97c7d44e6e34358ac38b3e15a2f6a92f25e04

Tags are convenient but "mutable." SHAs are immutable. This attack exploited exactly that mutability. It is strongly recommended to switch all third-party Actions used in CI/CD pipelines to SHA pinning.

What Happens Next

TeamPCP's attacks show no sign of stopping. In 10 days they compromised four OSS projects in a chain, evolving their techniques and moving to the next target. The number of potentially affected repositories is estimated at over 20,000 in Kaspersky's analysis, with Arctic Wolf estimating over 1,000 enterprise SaaS environments affected.

"33,000 GitHub stars don't pay for a security audit." Trust in OSS security tools depends on trust in those tools' own security posture. This incident will serve as a turning point for reexamining the assumptions underlying that trust.
