During March 2026 alone, an unprecedented wave of 5+ supply chain attacks occurred, targeting widely-used open-source projects including Trivy and axios. This document serves as a consolidated reference.
- Trivy
- Checkmarx-KICS
- LiteLLM
- Telnyx
- Axios
- Summary
- TeamPCP (also known as DeadCatx3, PCPcat, ShellForce, CipherForce)
- An autonomous bot named `hackerbot-claw` exploited a `pull_request_target` workflow misconfiguration in Trivy's CI/CD pipeline to steal a GitHub Personal Access Token (PAT).
- On March 1, Aqua Security disclosed the incident and performed credential rotation, but the attacker continued operations, suggesting incomplete coverage during the process.
- Compromised the `aqua-bot` service account using the stolen token, then created imposter commits spoofing legitimate maintainers (DmitriyLewen, rauchg)
- Pushed a commit (#1885610c) that replaced a composite action with a fake checkout commit (#70379aad) containing a Go source downloader
- Released as v0.69.4 → malicious binary distributed across all channels: GitHub Releases, GHCR, Docker Hub, ECR Public, deb/rpm repos
- On 3/22, additionally pushed v0.69.5, v0.69.6, and latest images to Docker Hub using separately stolen Docker Hub credentials (~10 hours of additional exposure)
- When executed, the malicious binary installed a persistence dropper at `~/.config/systemd/user/sysmon.py`, polling an ICP blockchain canister every 50 minutes as a decentralized C2
- Exploited the stolen token to force-push 75 out of 76 tags (all except v0.35.0) to malicious commits
- Payload executed before the legitimate Trivy scan → workflows appeared to complete normally
- "TeamPCP Cloud stealer" dumped Runner.Worker process memory, harvested SSH/cloud/K8s secrets, encrypted with AES-256+RSA-4096, and exfiltrated to a remote server
- Fallback mechanism: created a `tpcp-docs` repository in the victim's GitHub account for exfiltration
- Same pattern as trivy-action, all 7 tags force-pushed
- Used the `aqua-bot` account to push malicious workflows to tfsec and traceeshark repos, stealing GPG keys, Docker Hub, Twitter, and Slack credentials
- Used a stolen `Argon-DevOps-Mgt` token to deface all 44 repositories in the aquasec-com GitHub org (renamed with `tpcp-docs-` prefix, exposing proprietary source code)
- Used stolen npm tokens to deploy CanisterWorm worm → 66+ npm packages infected, using an ICP blockchain canister as C2 (immune to conventional takedowns)
- The entire campaign originated from a single stolen token
- Trivy binary was compromised via a malicious download from `https://scan.aquasecurtiy[.]org/static` during the GitHub Actions build process
- trivy-action and setup-trivy executed base64-encoded malware to harvest environment variables, public keys, and secrets from GitHub Actions runners
- ⇒ Every project using Trivy became a potential vector for cascading 2nd and 3rd order compromises (LiteLLM, Telnyx, CanisterWorm, etc.)
- Downgraded Trivy and removed the `v0.69.4` tag
- Emergency downgrade via brew and Docker
- trivy-action, setup-trivy
- Republished affected tags with `v` prefix
- Added commit SHA pinning support
- https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
- https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
- https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
- https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
- https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
- https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
- https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise (CanisterWorm)
- https://github.com/Checkmarx/kics-github-action
- https://github.com/Checkmarx/ast-github-action (v2.3.28 confirmed compromised)
- OpenVSX extensions: `ast-results` v2.53.0, `cx-dev-assist` v1.7.0
- TeamPCP
- Same tag force-push pattern as trivy-action
- All 35 tags in kics-github-action hijacked
- Force-pushed to commit #8e20c7a
- Used `checkmarx[.]zone` (typosquat domain) as C2
- Fallback: created `docs-tpcp` repository using victim's GITHUB_TOKEN if C2 failed (same pattern as Trivy)
- Injected malicious code into Checkmarx OpenVSX extensions → targeting VS Code local environments
- Unlike Trivy, the account used for this attack was elit-cx, who had not contributed to the repo since 2021
- It remains unclear when this account's token or credentials were originally compromised
- The fact that such a long-inactive contributor still had push permissions raises questions about Checkmarx's access management practices
- Added commit SHA pinning support PR#153
- Removed malicious OpenVSX extensions
- Checkmarx/kics-github-action#152
- https://www.sysdig.com/blog/teampcp-expands-supply-chain-compromise-spreads-from-trivy-to-checkmarx-github-actions
https://github.com/BerriAI/litellm
- TeamPCP
- PyPI publishing token stolen as cascading damage from the Trivy compromise
- LiteLLM's CI/CD pipeline used Trivy without version pinning → the compromised trivy-action exfiltrated the PYPI_PUBLISH token
- CEO (Krish Dholakia)'s GitHub account was also compromised (automated defacement on 3/23–24)
- Credential harvesting and Kubernetes malware deployment (1–2 rounds of base64 decoding)
- v1.82.8 abused Python's `.pth` file mechanism (`litellm_init.pth`) → executes automatically on every Python process startup, even without importing LiteLLM
- Directly uploaded `litellm` 1.82.7 and 1.82.8 to PyPI (bypassing normal CI/CD)
- Exfiltrated encrypted data to `models.litellm[.]cloud` (not an official domain)
- Flooded GitHub issue #24512 with 88 bot comments from 73 compromised accounts within 102 seconds to dilute discussion, then closed the issue as "not planned"
- Exposed on PyPI for ~40 minutes (10:39 UTC until quarantine)
- ~3.4 million downloads per day
- CVE-2026-33634 assigned (CVSS4B: 9.4)
- Users of the official LiteLLM Proxy Docker image were unaffected due to pinned dependencies
- Pulled PyPI 1.82.7 and 1.82.8 (rapid quarantine by PyPI security team)
- Suspended all releases pending full supply chain review
- Released v1.83.0 via a new hardened CI/CD v2 pipeline
- BerriAI/litellm#24512
- https://docs.litellm.ai/blog/security-update-march-2026
- https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
- https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
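
The `.pth` startup-hook behaviour described above can be swept for on a host. The following is an added example, not code from LiteLLM or the cited advisories; the keyword list used to prioritise review is an assumed heuristic, and the sample files in `demo()` are constructed.

```python
import re
import site
import sys
import tempfile
from pathlib import Path

# site.py executes any .pth line that begins with "import" + space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")
# Assumed heuristics for review priority, not signatures of any real sample.
RISKY = re.compile(r"base64|exec\(|eval\(|subprocess|urllib|socket|compile\(")


def scan_pth(directories):
    """Return (file, line_no, risky, text) for each executable .pth line."""
    findings = []
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            try:
                lines = pth.read_text(errors="replace").splitlines()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for number, line in enumerate(lines, start=1):
                if EXEC_LINE.match(line):
                    risky = bool(RISKY.search(line))
                    findings.append((pth.name, number, risky, line[:120]))
    return findings


def default_dirs():
    """site-packages directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]


def demo():
    """Constructed sample: one path-only .pth and one carrying a code line."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths_only.pth").write_text("# comment\n../vendor\n")
        Path(tmp, "startup_hook.pth").write_text(
            "import base64; exec(base64.b64decode('cGFzcw=='))\n"  # decodes to "pass"
        )
        return scan_pth([tmp])


if __name__ == "__main__":
    for name, number, risky, text in scan_pth(sys.argv[1:] or default_dirs()):
        print(f"{'REVIEW' if risky else 'info'}  {name}:{number}  {text}")
```

Legitimate packages (editable installs, setuptools) also ship `import` lines in `.pth` files, so `info` entries need a look against the owning package rather than automatic removal.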
https://github.com/team-telnyx/telnyx-python
- TeamPCP
- PyPI token stolen as cascading damage from the Trivy compromise (likely harvested from LiteLLM environments)
- Credential harvesting and Kubernetes malware deployment
- WAV steganography: malicious payload hidden within WAV file audio frame data
- 3-stage runtime attack chain: audio steganography delivery → in-memory data harvester execution → encrypted exfiltration
- Directly uploaded `telnyx` 4.87.1 and 4.87.2 to PyPI
- Malicious code injected into `telnyx/_client.py`, auto-executing on package import
- C2: `83[.]142.209.203`
- Linux/macOS: no persistence — operates in temp directory, auto-deletes after execution (evasion)
- Windows: drops `msbuild.exe` in Startup folder
- Exposed from 3/27 03:51 to 10:13 UTC (~6.5 hours)
- ~34,000 weekly downloads
- Telnyx platform, APIs, and infrastructure were unaffected (limited to PyPI distribution channel)
- Removed malicious releases, PyPI quarantined
- https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc
- https://telnyx.com/resources/telnyx-python-sdk-supply-chain-security-notice-march-2026
- https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html
https://www.npmjs.com/package/axios
- UNC1069 (attributed by Google GTIG, North Korea-nexus threat actor)
- Microsoft tracking name: Sapphire Sleet (= BlueNoroff subgroup)
- Active since at least 2018, financially motivated (cryptocurrency theft)
- Entirely separate from the TeamPCP campaign
- Compromised `jasonsaayman`'s npm account and changed the email to an attacker-controlled address (`ifstap@proton.me`)
- Used a long-lived access token to publish directly via npm CLI (bypassing GitHub Actions OIDC workflow)
- OIDC Trusted Publishing was configured, but the publish workflow also passed NPM_TOKEN as an environment variable → when both are present, npm uses the token, effectively nullifying OIDC
- Pre-published plain-crypto-js 4.2.0 as a phantom dependency
- Added malicious code in `plain-crypto-js` 4.2.1
- Published axios 1.14.1 (tagged `latest`) and 0.30.4 (tagged `legacy`) with the malicious dependency
- 3/31 00:21–03:20 UTC (~3 hour window, timed for Sunday-to-Monday overnight)
- `postinstall` hook auto-executes the SILKBELL dropper (`setup.js`)
- Detects OS and deploys platform-specific WAVESHAPER.V2 backdoor (macOS: C++, Windows: PowerShell, Linux: Python)
- C2 traffic mimics `packages.npm.org` for SIEM evasion (this domain belongs to the National Association of Pastoral Musicians, not the npm registry)
- Self-deletes after single execution
- Axios has ~100 million weekly downloads, present in ~80% of cloud/code environments (Wiz estimate)
- ~3% of the userbase downloaded during the exposure window
- Huntress observed at least 135 endpoints contacting attacker C2
- depup `plain-crypto-js` blocked from installation
- Malicious releases removed
- Compromised account disabled
- axios/axios#10604
- https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package
- https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
| Date | Event |
|---|---|
| Late Feb | hackerbot-claw bot exploits Trivy's pull_request_target workflow, steals PAT |
| 3/1 | Aqua Security discloses incident, performs credential rotation (residual access remained) |
| 3/19 17:43 UTC | TeamPCP: force-pushes 76 trivy-action tags + 7 setup-trivy tags, releases malicious trivy v0.69.4 |
| 3/19 20:38 UTC | Trivy team detects and removes malicious artifacts |
| 3/20 20:45 UTC | CanisterWorm npm worm begins propagating (66+ packages) |
| 3/22 | Malicious trivy v0.69.5/6/latest pushed to Docker Hub; aquasec-com org 44 repos defaced |
| 3/23 | Checkmarx KICS/AST GitHub Action tags hijacked, OpenVSX extensions infected |
| 3/24 10:39 UTC | LiteLLM 1.82.7 & 1.82.8 malicious upload to PyPI (~40 min exposure) |
| 3/27 03:51 UTC | Telnyx 4.87.1 & 4.87.2 malicious upload to PyPI (~6.5 hr exposure) |
| 3/31 00:21 UTC | Axios 1.14.1 & 0.30.4 malicious upload to npm (~3 hr exposure) — separate attacker (UNC1069, North Korea) |
- Aliases: DeadCatx3, PCPcat, ShellForce, CipherForce
- Active since 2024; built automated supply chain attack capabilities with CanisterWorm in late 2025
- Cascaded from a single stolen credential across 5 ecosystems: GitHub Actions → Docker Hub → npm → OpenVSX → PyPI
- North Korea-nexus, active since 2018, financially motivated (cryptocurrency theft)
- Deployed WAVESHAPER.V2 backdoor
- Completely independent from the TeamPCP campaign
- Credential theft as the entry point: Every attack began with compromising a maintainer account or token
- Mutable tag abuse: Exploited the fact that Git tags can be force-pushed (tag poisoning)
- Abuse of legitimate distribution channels: Malicious versions uploaded directly to PyPI/npm — package names remain legitimate, making detection via functional testing impossible
- Cascading propagation: A single compromise propagates to downstream projects via stolen credentials
- Security tools as attack vectors: Trivy, KICS, and similar scanners run with elevated privileges, maximizing impact when compromised
- Pin GitHub Actions to commit SHAs — tags can be force-pushed
- Pin package versions and use lockfiles — never run unpinned installs
- Monitor CI/CD runner outbound network traffic — detect unexpected POST requests to unknown domains
- Apply least-privilege + expiration to npm/PyPI tokens
- Never let OIDC coexist with long-lived tokens — as in the axios case, npm uses the token when both are present, nullifying OIDC
- Perform immediate and complete credential rotation — incomplete rotation was the root cause of the Trivy cascade
- Check for `tpcp-docs` / `docs-tpcp` repositories — TeamPCP's fallback exfiltration mechanism
- Apply quarantine periods before auto-updating to latest versions — auto-patching in CI/CD automates your own breach
- `scan.aquasecurtiy[.]org` (Trivy)
- `checkmarx[.]zone` (Checkmarx)
- `models.litellm[.]cloud` (LiteLLM)
- `83[.]142.209.203` (Telnyx)
- `packages.npm.org` (Axios, npm disguise)
- `plug-tab-protective-relay.trycloudflare[.]com` (Trivy Cloudflare Tunnel C2)
- ICP canister `tdtqy-oyaaa-aaaae-af2dq-cai` (CanisterWorm)
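
Three of the recommendations above (pin actions to commit SHAs, review `pull_request_target` workflows, do not pass `NPM_TOKEN` where OIDC is enabled) can be checked mechanically across a repository. This is an added example, not tooling from any of the affected projects; it uses line-based heuristics instead of a YAML parser, and the sample workflow with its 40-hex SHA is constructed.

```python
import re
from pathlib import Path

USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
OIDC = re.compile(r"^\s*id-token:\s*write\b", re.M)
NPM_TOKEN = re.compile(r"\bNPM_TOKEN\b")

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
on: pull_request_target
permissions:
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - run: npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""


def audit_workflow(text):
    """Line-based heuristics (no YAML parser). Returns [(line_no, message)]."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        if "pull_request_target" in line:
            findings.append((number, "pull_request_target: confirm untrusted PR code never runs with secrets"))
        match = USES.match(line)
        if match:
            ref = match.group(1)
            # Local actions and digest-pinned docker refs are immutable enough.
            if not (ref.startswith("./") or "@sha256:" in ref or FULL_SHA.search(ref)):
                findings.append((number, f"mutable ref, pin to a commit SHA: {ref}"))
    token = NPM_TOKEN.search(text)
    if token and OIDC.search(text):
        line_no = text.count("\n", 0, token.start()) + 1
        findings.append((line_no, "NPM_TOKEN present alongside id-token: write"))
    return findings


if __name__ == "__main__":
    for path in sorted(Path(".github/workflows").glob("*.y*ml")):
        for line_no, message in audit_workflow(path.read_text(errors="replace")):
            print(f"{path}:{line_no}: {message}")
```

`id-token: write` is also used for cloud federation, so the last finding is a prompt to confirm which credential the publish step actually uses.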