The cybersecurity landscape shifted dramatically in early 2026 when the threat group known as TeamPCP launched a sophisticated, multi-stage supply chain attack that compromised widely used open-source tools. What began as a targeted intrusion into Aqua Security’s Trivy vulnerability scanner rapidly escalated into a systemic crisis, compromising Checkmarx’s KICS and the LiteLLM AI gateway, and eventually infecting over 170 npm packages with a self-propagating worm.
This campaign, which spanned GitHub Actions, Docker Hub, PyPI, and npm, demonstrated a terrifying new level of sophistication. By weaponizing the very security tools organizations rely on, TeamPCP bypassed traditional defenses, harvested hundreds of terabytes of sensitive credentials, and established persistent, decentralized backdoors. The fallout exposed major organizations across government, finance, and healthcare, highlighting the fragility of the modern software supply chain.
The Trivy Breach and the Cascade of Failure
The attack originated in late February 2026, when an automated bot named hackerbot-claw exploited a misconfiguration in Trivy’s GitHub Actions workflows. The bot harvested a personal access token (PAT), which Aqua Security initially rotated. However, the rotation was not atomic, leaving a window of opportunity for TeamPCP to regain access weeks later.
On March 19, 2026, the group executed the first wave of the supply chain poisoning. They force-pushed malicious code to 76 of 77 version tags in the aquasecurity/trivy-action repository and all tags in setup-trivy. This allowed them to distribute a credential-stealing payload disguised as a legitimate security update.
The impact was immediate and severe:
- Credential Harvesting: The malicious binary extracted SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, and Docker registry passwords directly from the memory of developer workstations.
- Tag Poisoning: By manipulating version tags, TeamPCP ensured that any developer pulling the latest version of the tool inadvertently executed the malware.
- Backdoor Deployment: The attack established a persistent backdoor using a system service that polled an Internet Computer (ICP) blockchain canister for command-and-control instructions, making the infrastructure resistant to takedown.
Weaponizing Security Tools: The CanisterWorm and Beyond
TeamPCP did not stop at Trivy. The group leveraged stolen credentials to pivot laterally across the open-source ecosystem, targeting Checkmarx’s KICS and BerriAI’s LiteLLM within a matter of days. This phase of the campaign introduced CanisterWorm, a self-propagating worm that marked a significant escalation in threat sophistication.
CanisterWorm infected over 47 npm packages in under 60 seconds. It injected malicious preinstall scripts that not only harvested credentials but also actively sought out npm publishing access to poison additional packages. This created a feedback loop where each compromised package became a new vector for propagation.
The worm’s architecture was particularly concerning:
- Decentralized C2: It utilized the Internet Computer Protocol for command-and-control, allowing attackers to distribute instructions across a blockchain-based network that was difficult to shut down.
- Destructive Capabilities: In later variants, the worm included a "dead-man's switch" that could wipe systems if its monitoring tokens were revoked, alongside geofenced destructive payloads targeting specific regions.
- Multi-Ecosystem Spread: The threat actor expanded into PyPI, publishing malicious versions of the mistralai SDK that acted as import-time downloaders, fetching additional payloads from attacker-controlled servers.
A New Era of Supply Chain Warfare
The TeamPCP campaign represents a fundamental shift in how cybercriminals approach supply chain attacks. Rather than targeting individual organizations, they are moving upstream to compromise the shared infrastructure that underpins the entire software industry.
This strategy is effective because security tools like Trivy and KICS are implicitly trusted and run with elevated privileges. When these tools are compromised, the malware gains unimpeded access to production secrets and cloud environments. As noted by security researchers, traditional vendor risk management processes often fail to capture these transitive dependencies, leaving downstream consumers vulnerable even if their direct vendors remain secure.
The scale of the breach is staggering. TeamPCP claimed responsibility for data exfiltration from hundreds of organizations, including major players in the European Commission, Sportradar, and Cisco. The group also collaborated with other ransomware syndicates like CipherForce and LAPSUS$, suggesting a coordinated effort to monetize the stolen credentials through extortion and ransomware deployment.
Securing the Supply Chain: Lessons from Trivy
The Trivy supply chain attack serves as a stark warning for developers and security teams. Trust can no longer be assumed based on a package’s popularity or its maintainer’s reputation. The following steps are critical for mitigating similar risks:
- Pin Actions to Commit SHAs: Never use version tags for GitHub Actions. Pinning to specific commit hashes ensures that even if a tag is redirected to malicious code, your pipeline remains secure.
- Audit CI/CD Pipelines: Regularly review your pipelines for exposure to recently compromised tools. If any pipeline used unpinned Trivy or KICS actions between March 19 and March 25, 2026, treat every secret accessible to that pipeline as compromised.
- Implement Least Privilege: Ensure that CI/CD runners operate with the minimum necessary permissions. Limiting access to cloud credentials and Kubernetes secrets can contain the blast radius of a compromised build.
- Monitor for Anomalies: Watch for unusual network connections from build runners, particularly to decentralized networks or unfamiliar domains. Early detection of command-and-control traffic can limit data loss.
- Rotate Credentials Frequently: Regularly rotate API keys, SSH keys, and cloud tokens. In the event of a supply chain compromise, short-lived credentials reduce the window of opportunity for attackers.
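A concrete version of the first two steps above, added here as an example and not part of the original article or of Aqua Security’s own tooling: a dependency-free Python check that reads a GitHub Actions workflow, flags every `uses:` reference that is not pinned to a full 40-character commit SHA, and rates references to the two actions named in the article as high severity. The workflow text is constructed for the example, and the SHA in it is a placeholder rather than a real commit.

```python
import re
from dataclasses import dataclass

# Actions the article names as tag-poisoned (owner/repo, lower-case).
KNOWN_POISONED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# A full 40-hex-character commit SHA; anything else (tag, branch, short SHA) is mutable.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` and `uses: owner/repo/path@ref`.
# Local (./) and docker:// references do not match and are skipped.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(/[^@\s'\"]*)?@([^\s'\"#]+)")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    severity: str  # "high" for a named poisoned action, "medium" for any other unpinned ref


def find_unpinned_uses(workflow_text: str) -> list[Finding]:
    """Return every `uses:` reference that is not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        action, ref = m.group(1).lower(), m.group(3)
        if FULL_SHA.match(ref):
            continue  # immutable pin: a redirected tag cannot change what runs
        severity = "high" if action in KNOWN_POISONED else "medium"
        findings.append(Finding(lineno, action, ref, severity))
    return findings


# Constructed sample workflow (not any real repository's file) mixing pinned and unpinned references.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA, pinned
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
      - uses: example-org/lint-action@v1  # constructed name, not a real action
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} [{f.severity}]")
```

Run it over every file under `.github/workflows/` and treat any high finding on a workflow that ran in the window above as a credential-rotation trigger.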
The TeamPCP campaign has left a permanent mark on the open-source community. It demonstrated that even the most trusted security tools can become vectors for catastrophic breaches. As the threat landscape evolves, the industry must adopt a zero-trust approach to software dependencies, verifying every link in the chain to prevent future poisonings.