Cisco Source Code and AWS Keys Stolen in Trivy Supply Chain Attack
Cisco confirms a major data breach involving stolen AI product source code and AWS keys following a malicious compromise of the Trivy vulnerability scanner.
Cisco confirmed a breach of its development environment on March 31, 2026, resulting in the theft of internal source code and AWS credentials. The incident stems from a massive supply chain attack targeting the Trivy vulnerability scanner, as detailed in the Cisco source code theft report. Attackers leveraged compromised GitHub Actions to harvest secrets directly from CI/CD runner memory. For engineering teams relying on automated security scanners, this exposure forces an immediate reevaluation of build environment permissions.
Scope of the Compromise
The attackers cloned more than 300 internal GitHub repositories from Cisco’s environment. These repositories contained proprietary source code for Cisco’s AI Assistants, AI Defense platforms, and unreleased products. The exfiltrated data also includes code belonging to corporate customers, affecting US government agencies, banks, and Business Process Outsourcing firms.
The breach extended beyond source code. Threat actors exfiltrated multiple AWS keys from the build environment. These keys were subsequently used to execute unauthorized activities across a small number of Cisco’s internal AWS accounts.
The Attack Chain
The breach originated on March 19, 2026, when a threat group tracked as TeamPCP (also known as DeadCatx3) compromised Aqua Security’s Trivy project. The group force-pushed malicious commits to 76 of the 77 version tags in the aquasecurity/trivy-action repository and all seven tags in aquasecurity/setup-trivy.
Build pipelines configured to use mutable version tags automatically pulled the compromised code. The payload executed an infostealer called TeamPCP Cloud Stealer directly within the runner environment. This malware extracted SSH keys, cloud tokens, and GitHub personal access tokens from memory before routing them to a typosquatted command and control domain.
The TeamPCP group recently utilized similar lateral movement tactics when a popular LiteLLM PyPI package was compromised to propagate malware.
| Component | Detail |
|---|---|
| Initial Compromise Date | March 19, 2026 |
| Compromised Repositories | aquasecurity/trivy-action, aquasecurity/setup-trivy |
| Malware Payload | TeamPCP Cloud Stealer |
| C2 Domain | scan.aquasecurtiy[.]org |
| Vulnerability Tracking | CVE-2026-33634 (GHSA-69fq-xp46-6x23) |
Mitigation and Structural Failures
The underlying vulnerability is tracked as CVE-2026-33634. CISA added this flaw to the Known Exploited Vulnerabilities catalog on March 27, 2026, mandating federal remediation by April 9. Cisco has isolated affected systems, initiated reimaging procedures, and is performing a large-scale rotation of credentials.
The attack succeeded because development pipelines trusted mutable tags like @v0 or @v1 instead of immutable commit hashes. Analysts from firms focused on cloud security noted that when scanners are compromised, they become highly privileged data exfiltration tools. Security tools operating in build environments have access to the exact credentials required to move laterally into production infrastructure.
Audit your CI/CD pipelines immediately to locate all instances of third-party GitHub Actions. Replace mutable version tags with specific commit SHAs to prevent upstream compromises from automatically executing in your build environment. If your systems ran Trivy actions between March 19 and your remediation date, rotate all AWS tokens, SSH keys, and personal access tokens exposed to those runners.
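The audit described above can be scripted. The following is an added example, not code from the article, Cisco, or Aqua Security: it flags every `uses:` reference in a GitHub Actions workflow that is not pinned to a full 40-character commit SHA. The sample workflow and its SHA are constructed placeholders, and the function names `find_unpinned` and `scan_repo` are illustrative.

```python
import re
from pathlib import Path

# Matches "uses: owner/repo[/path]@ref" on a step or a reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA."""
    findings = []
    for target in USES_RE.findall(workflow_text):
        # Local actions (./path) and docker:// images are outside this check.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref or "<no ref>"))
    return findings

def scan_repo(root="."):
    """Scan .github/workflows/*.yml and *.yaml under root; map file -> findings."""
    results = {}
    wf_dir = Path(root) / ".github" / "workflows"
    for path in sorted(wf_dir.glob("*.y*ml")):
        hits = find_unpinned(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - name: Trivy
        uses: aquasecurity/trivy-action@v0
      - uses: aquasecurity/setup-trivy@v1
      - uses: ./.github/actions/local-build
"""

if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE):
        print(f"UNPINNED {action}@{ref}")
    for path, hits in scan_repo(".").items():
        for action, ref in hits:
            print(f"{path}: UNPINNED {action}@{ref}")
```

Branch names, version tags, and abbreviated SHAs are all reported, since only a full commit SHA is immune to the tag force-push described in this incident.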