Summary
The threat actor TeamPCP has recently launched a coordinated campaign targeting security tools and open-source developer infrastructure by pivoting with stolen CI/CD secrets and signing credentials (such as GitHub Actions tokens and release signing keys). At the time of writing, repositories for Trivy, Checkmarx, and LiteLLM have been impacted, and reports indicate that at least 1,000 enterprise software-as-a-service (SaaS) environments may be affected by this threat campaign.
Initial Compromise: Trivy
On March 20, 2026, Aqua Security announced that the open-source Trivy project, a vulnerability scanner used across containers and CI/CD, had been recently compromised through a misconfigured GitHub Actions workflow. The threat actor TeamPCP reportedly stole CI/CD secrets, deleted trusted tags, and force-pushed malicious binaries beginning with Trivy v0.69.4, along with poisoned GitHub Actions such as aquasecurity/trivy-action and setup-trivy. These artifacts contained an infostealer capable of harvesting environment variables, cloud tokens, and SSH keys from build environments. In response, Aqua Security and GitHub revoked compromised credentials, removed malicious releases, and rebuilt affected pipelines. The incident was assigned CVE-2026-33634.
- In subsequent reporting, additional malicious Trivy Docker images were identified on Docker Hub, and researchers observed worm-like propagation techniques leveraging exposed SSH keys, insecure Docker and Kubernetes APIs, and compromised npm packages to spread across connected systems. Evidence also showed persistence mechanisms in CI workflows, creating the risk that malicious code could be reintroduced even after initial remediation.
Follow-On Compromise: Checkmarx GitHub Actions and Developer Tooling
On March 23, TeamPCP reportedly leveraged previously stolen CI/CD secrets to compromise Checkmarx’s GitHub Actions in two repositories, ast-github-action and kics-github-action, which are infrastructure-as-code security scanning workflows. The threat actor modified these workflows to execute malicious code during CI runs, enabling the collection of sensitive data such as repository secrets, environment variables, and tokens exposed during pipeline execution. Because these actions are commonly integrated into automated security scanning and build processes, any repository invoking the compromised workflows during the impact window may have unknowingly executed the malicious code.
Follow-On Compromise #2: LiteLLM
On March 24, the campaign expanded to LiteLLM through poisoned PyPI packages (versions 1.82.7 and 1.82.8). LiteLLM is an LLM API proxy and gateway which recently received ~97 million downloads per month, making it a widely deployed component across development environments. It is often included as a transitive dependency in other projects, meaning environments may be impacted even if LiteLLM was not explicitly installed. These packages contained credential-stealing and backdoor code designed to harvest SSH keys, cloud credentials, Kubernetes secrets, database credentials, environment variables, and other sensitive data, while establishing persistent access to attacker-controlled infrastructure. The malicious packages were available on PyPI for a brief period before being removed and quarantined.
- The malware leveraged a .pth file, which executes automatically during Python interpreter startup. This means the payload runs in most Python processes without needing the package to be explicitly imported, so simply installing LiteLLM is enough to trigger execution, significantly increasing the attack surface.
- LiteLLM’s role as a centralized interface for large language model providers further amplified the impact. Environments running LiteLLM typically store multiple API keys (for providers such as OpenAI, Anthropic, and others) in one place, making it a high-value target for credential harvesting.
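The .pth startup behaviour described above can be audited directly. The following is an added example, not code from Arctic Wolf or the affected projects: it lists every line in a site-packages .pth file that Python's site module would execute at interpreter startup (a line beginning with `import` followed by a space or tab). The function names are illustrative.

```python
import os
import re
import site
import sysconfig

# site.py exec()s any .pth line that starts with "import" plus a space or tab;
# every other non-comment line is treated as a path to add to sys.path.
EXEC_LINE = re.compile(r"^import[ \t]")


def executable_pth_lines(pth_path):
    """Return (line_number, text) for each line site.py would execute."""
    hits = []
    with open(pth_path, "r", encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            if EXEC_LINE.match(line):
                hits.append((number, line.rstrip("\r\n")))
    return hits


def default_site_dirs():
    """Directories this interpreter scans for .pth files (global, user, venv)."""
    dirs = set(getattr(site, "getsitepackages", lambda: [])())
    dirs.add(site.getusersitepackages())
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(d for d in dirs if os.path.isdir(d))


def scan(dirs):
    """Map each .pth file containing executable lines to those lines."""
    findings = {}
    for directory in dirs:
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            hits = executable_pth_lines(path)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan(default_site_dirs()).items():
        for number, text in hits:
            print(f"{path}:{number}: {text[:120]}")
```

Legitimate packages (setuptools and editable installs, for example) also ship executable .pth lines, so the output is a review list to compare against a known-clean environment rather than a verdict.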
Assessment
These compromises create significant risk for downstream projects that depend on the affected software. A single exposed package or workflow can spread malware, steal credentials, and enable persistent access across connected systems. While malicious versions of Trivy, Checkmarx (KICS) GitHub Action tags, and LiteLLM PyPI packages have been removed or quarantined from their distribution channels, TeamPCP may continue to pivot to additional projects as long as compromised credentials and trust relationships remain available.
Arctic Wolf has Managed Detection and Response detection coverage in place that matches several publicly known malicious indicators associated with this campaign.
Recommendations
Revert to Known-Safe Versions
Immediately revert Trivy, Checkmarx (KICS), and LiteLLM to versions released prior to the compromise window reported in the TeamPCP campaign if your environment has pulled or used impacted versions. Ensure that all binaries, containers, and dependencies are pulled from official sources and verify integrity using checksums or signatures provided by the maintainers. Avoid using cached artifacts from CI/CD pipelines or third-party mirrors, and reinstall dependencies in a clean environment to prevent lingering compromise.
For more details on affected versions, see the following:
Rotate CI/CD Secrets and Signing Credentials
All credentials potentially exposed during the compromise should be considered compromised if they were used with or accessed by the impacted versions of Trivy, Checkmarx (KICS), or LiteLLM. Rotate repository secrets, GitHub Actions tokens, API keys, and release signing keys associated with these projects. Audit access logs for unusual activity, revoke any potentially exposed tokens, and reissue signing credentials.
Contact Arctic Wolf if a Compromise is Suspected
If you are an Arctic Wolf customer and suspect that you have been affected by this campaign, please email security@arcticwolf.com and call one of the following numbers:
- For US support, please call +1 (888) 272-8429
- For CA support, please call +1 (800) 300-0263
- For DE support, please call +49 30 16637144
- For UK support, please call +44 800 260 6438
- For AUS support, please call +61 2 5119 8562
Monitor for Downstream Supply Chain Impact
Continuously monitor your software supply chain for signs of downstream impact. Review dependency trees, build logs, and software bills of materials (SBOMs) for unexpected changes. Track unauthorized workflow executions, modified release artifacts, or abnormal pipeline behavior. Stay updated with advisories from the affected projects and the wider security community, as further compromise or related incidents may appear over time.
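As a starting point for that review, the following added example (not Arctic Wolf tooling) walks a repository checkout and reports workflow `uses:` references to the action repositories named in this advisory, along with exact `==` pins of the listed LiteLLM versions in requirements-style files. It assumes workflows live under .github/workflows, matches actions by repository name without checking the owner, and does not parse lock-file formats such as poetry.lock.

```python
import os
import re

# Action repository names and LiteLLM versions taken from the advisory text.
AFFECTED_ACTIONS = {"trivy-action", "setup-trivy", "ast-github-action", "kics-github-action"}
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+)/([\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
PIN = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([0-9][\w.]*)", re.IGNORECASE)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, owner/repo, ref, ref_kind) per affected action reference."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m and m.group(2).lower() in AFFECTED_ACTIONS:
            # Tags and branches can be moved after the fact; a full SHA cannot.
            kind = "commit-sha" if FULL_SHA.match(m.group(3)) else "mutable-ref"
            out.append((n, f"{m.group(1)}/{m.group(2)}", m.group(3), kind))
    return out


def audit_requirements(text):
    """Return (line_no, version) for exact pins of an affected LiteLLM version."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and m.group(1) in AFFECTED_LITELLM:
            out.append((n, m.group(1)))
    return out


def audit_tree(root):
    """Walk a checkout and return (path, *hit) for every finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_workflows = dirpath.replace(os.sep, "/").endswith(".github/workflows")
        for name in files:
            if in_workflows and name.endswith((".yml", ".yaml")):
                check = audit_workflow
            elif name.endswith(".txt") and "requirements" in name.lower():
                check = audit_requirements
            else:
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                findings += [(os.path.join(dirpath, name), *hit) for hit in check(fh.read())]
    return findings


if __name__ == "__main__":
    for finding in audit_tree("."):
        print(*finding)
```

A hit shows that a repository references an affected component, not that it ran a malicious build; for a `mutable-ref` hit, the workflow run logs from the impact window show which commit was actually fetched.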
Install Arctic Wolf Agent & Sysmon
Arctic Wolf Agent and Sysmon provide Arctic Wolf with visibility into events needed to identify tools, techniques, and tactics that are utilized by threat actors.
- For instructions on how to install Arctic Wolf Agent, see the below install guides:
- If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.


