Cisco Source Code and AWS Keys Stolen in Trivy Supply Chain Attack
Cisco confirms a major data breach involving stolen AI product source code and AWS keys following a malicious compromise of the Trivy vulnerability scanner.
Cisco confirmed a breach of its development environment on March 31, 2026, resulting in the theft of internal source code and AWS credentials. The incident stems from a massive supply chain attack targeting the Trivy vulnerability scanner, as detailed in the Cisco source code theft report. Attackers leveraged compromised GitHub Actions to harvest secrets directly from CI/CD runner memory. For engineering teams relying on automated security scanners, this exposure forces an immediate reevaluation of build environment permissions.
Scope of the Compromise
The attackers cloned more than 300 internal GitHub repositories from Cisco’s environment. These repositories contained proprietary source code for Cisco’s AI Assistants, AI Defense platforms, and unreleased products. The exfiltrated data also includes code belonging to corporate customers, affecting US government agencies, banks, and Business Process Outsourcing firms.
The breach extended beyond source code. Threat actors exfiltrated multiple AWS keys from the build environment. These keys were subsequently used to execute unauthorized activities across a small number of Cisco’s internal AWS accounts.
The Attack Chain
The breach originated on March 19, 2026, when a threat group tracked as TeamPCP (also known as DeadCatx3) compromised Aqua Security’s Trivy project. The group force-pushed malicious commits to 76 of the 77 version tags in the aquasecurity/trivy-action repository and all seven tags in aquasecurity/setup-trivy.
Build pipelines configured to use mutable version tags automatically pulled the compromised code. The payload executed an infostealer called TeamPCP Cloud Stealer directly within the runner environment. This malware extracted SSH keys, cloud tokens, and GitHub personal access tokens from memory before routing them to a typosquatted command and control domain.
The TeamPCP group recently utilized similar lateral movement tactics when a popular LiteLLM PyPI package was compromised to propagate malware.
| Component | Detail |
|---|---|
| Initial Compromise Date | March 19, 2026 |
| Compromised Repositories | aquasecurity/trivy-action, aquasecurity/setup-trivy |
| Malware Payload | TeamPCP Cloud Stealer |
| C2 Domain | scan.aquasecurtiy[.]org |
| Vulnerability Tracking | CVE-2026-33634 (GHSA-69fq-xp46-6x23) |
Mitigation and Structural Failures
The underlying vulnerability is tracked as CVE-2026-33634. CISA added this flaw to the Known Exploited Vulnerabilities catalog on March 27, 2026, mandating federal remediation by April 9. Cisco has isolated affected systems, initiated reimaging procedures, and is performing a large-scale rotation of credentials.
The attack succeeded because development pipelines trusted mutable tags like @v0 or @v1 instead of immutable commit hashes. Analysts from firms focused on cloud security noted that when scanners are compromised, they become highly privileged data exfiltration tools. Security tools operating in build environments have access to the exact credentials required to move laterally into production infrastructure.
Audit your CI/CD pipelines immediately to locate all instances of third-party GitHub Actions. Replace mutable version tags with specific commit SHAs to prevent upstream compromises from automatically executing in your build environment. If your systems ran Trivy actions between March 19 and your remediation date, rotate all AWS tokens, SSH keys, and personal access tokens exposed to those runners.
Get Insanely Good at AI
The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.
Keep Reading
How to Route GPU GitHub Actions to Hugging Face Jobs
Offload your training and GPU-heavy CI workloads to Hugging Face Jobs using their new ephemeral GitHub runners and action integrations.
OpenAI Secures ChatGPT macOS App After Axios Library Attack
OpenAI rotated its macOS code-signing certificates and hardened GitHub workflows following a dependency confusion attack on the ChatGPT desktop client.
AI Prompt Injection Masks Malware in 19 PyPI Science Packages
The Hades supply chain campaign compromised 19 bioinformatics and Graph ML libraries on PyPI with memory scrapers and AI scanner misdirection.
LiteLLM Drops Delve After Supply Chain Attack Exposes Fraudulent SOC 2 Audits
LiteLLM terminates its relationship with compliance startup Delve following a major PyPI supply chain attack and allegations of fraudulent SOC 2 certifications.
Mastra AI npm Packages Backdoored via easy-day-js Typosquat
A North Korean state-sponsored group hijacked a dormant npm account to inject a malicious typosquat dependency into 144 Mastra AI agent framework packages.