Introduction
In a stark reminder of the vulnerabilities inherent in the modern software development ecosystem, recent supply chain attacks have targeted widely used open-source security and AI tools. The threat actor, identified as TeamPCP, has infiltrated projects ranging from Checkmarx’s KICS static code analysis tool to Trivy, VS Code plug-ins, and the LiteLLM AI library. These attacks exploit the trust developers place in third-party software dependencies, emphasizing that even automated CI/CD pipelines are now high-value targets for cybercriminals.
Supply Chain Attacks on KICS and VS Code Plug-ins
Checkmarx disclosed that attackers compromised the KICS GitHub Action, which is used by organizations to run KICS scans within CI/CD pipelines. Multiple versions of the tool were poisoned, potentially affecting any system that ran the action during a four-hour window on March 23. Simultaneously, malicious versions of Checkmarx VS Code plug-ins were briefly published to the OpenVSX registry, exposing users to potential credential theft.
Connection to Trivy Attack
These attacks closely follow a similar breach of the Trivy open-source security scanner, where 76 out of 77 released versions of Trivy’s GitHub Action were poisoned with infostealer malware. The same threat actor also compromised Docker images via automated service accounts. Security researchers have linked both the Trivy and Checkmarx attacks to TeamPCP, a group known for automated cloud infrastructure attacks often targeting developer credentials.
Expanding Threat Across Registries
GitGuardian reported that the campaign extended to the PyPI registry, with LiteLLM packages (versions 1.82.7 and 1.82.8) infected by the same infostealer malware. This malware can exfiltrate SSH keys, cloud credentials, API tokens, Docker configurations, and crypto-related data. Considering LiteLLM’s widespread use in AI application development, the potential impact is extensive.
Developer Secrets as Primary Targets
Checkmarx has advised users to rotate all credentials and access keys in automated build pipelines that may have interacted with the compromised plug-ins. While details of the malicious payload remain limited, the guidance strongly suggests the presence of an infostealer. Researchers note that the attacks share indicators of compromise, including public keys for data exfiltration, targeted files, and persistence techniques.
Evidence of TeamPCP’s Growing Influence
Wiz Research and other security analysts are tracking the campaign and link TeamPCP to the Trivy, Checkmarx, and LiteLLM attacks. The group is believed to be collaborating with the LAPSUS$ extortion network to amplify the attacks. By targeting security scanners and AI tools, TeamPCP gains access to sensitive stages of the software development lifecycle, and researchers warn of a “snowball effect” on future open-source targets.
Implications for Organizations
The attacks underscore a critical reality for modern development environments: automated pipelines, open-source libraries, and AI tools are now primary targets for credential-stealing malware. Organizations must maintain real-time visibility of compromised credentials and adopt proactive revocation practices. The widespread adoption of LiteLLM in cloud environments further amplifies the risk, potentially affecting 36% of cloud deployments.
What Undercode Says: An Analytical Perspective
These incidents highlight a growing paradigm in cyberattacks: supply chain compromise as a vector for high-impact, automated credential theft. TeamPCP’s operations reveal several strategic tactics: first, targeting software with high adoption among developers, ensuring maximum reach; second, leveraging automation in CI/CD pipelines and code repositories to deploy malware quickly; third, focusing on credentials and sensitive development artifacts rather than merely causing system outages.
The implications for cloud-native and AI-centric environments are profound. By compromising KICS, Trivy, and LiteLLM, attackers exploit trust in the very tools meant to secure code and automate infrastructure. This creates a cascading risk: a single compromised dependency can propagate malware across numerous organizations simultaneously.
Moreover, the potential collaboration with LAPSUS$ indicates that these attacks may transition from opportunistic theft to organized extortion campaigns. The use of infostealers capable of harvesting SSH keys, API tokens, and cloud credentials suggests that attackers are preparing for long-term persistence, lateral movement, and monetization through ransomware or data sales.
From a risk management perspective, the attacks reveal the urgent need for a multi-layered security approach. Organizations should integrate supply chain risk monitoring, real-time alerting on dependency changes, automated secret revocation, and continuous audits of CI/CD pipeline configurations. Traditional security perimeters are insufficient; defense now requires assuming that every third-party package and automated script could be compromised.
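One concrete form of the CI/CD configuration audit this paragraph calls for, added here as an example and not taken from the article or from the Checkmarx, Aqua or LiteLLM projects: it flags GitHub Actions steps that reference a remote action by a mutable tag instead of a full commit SHA (the mechanism by which a poisoned release of the KICS or Trivy action reaches every pipeline using it), and flags requirements pins on the two LiteLLM versions the article names. The workflow and requirements text are constructed sample input; the action paths are the public KICS and Trivy actions, and the all-zero SHA is a placeholder.

```python
import re

# Constructed sample inputs (not from any real repository). The action paths are
# the public KICS and Trivy actions; the tag and the 40-zero SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
"""
SAMPLE_REQUIREMENTS = "litellm==1.82.7\nrequests>=2.31\n"

# LiteLLM releases the article reports as carrying the infostealer.
COMPROMISED_PYPI = {"litellm": {"1.82.7", "1.82.8"}}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s#]+)")


def audit_workflow(text):
    """Return (ref, reason) for each remote 'uses:' step not pinned to a full commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):  # not a step, or a local action
            continue
        ref = m.group(1)
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((ref, "no ref at all"))
        elif not SHA_RE.match(version):
            # A tag like @v2 resolves to whatever the tag points at today.
            findings.append((ref, "pinned to mutable tag"))
    return findings


def audit_requirements(text):
    """Return (package, version) pins matching a version the article lists as compromised."""
    hits = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(2) in COMPROMISED_PYPI.get(m.group(1).lower(), set()):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Run the two functions over every workflow under `.github/workflows/` and every requirements file in the repository; anything returned is a pin to replace with a reviewed commit SHA or a version outside the compromised set.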
Additionally, the psychological signaling in TeamPCP’s messages—such as linking to “The Show Must Go On” by Queen—reflects a deliberate strategy to intimidate and destabilize developer communities. This suggests that beyond technical damage, attackers aim to erode trust in the open-source ecosystem, which could slow adoption of critical development tools and create operational hesitancy in organizations reliant on rapid deployment.
The pattern of attacks also underscores the need for improved vendor accountability. Open-source maintainers must implement rigorous code-signing practices and automated anomaly detection in CI/CD pipelines. Security scanning alone is no longer sufficient if the tools themselves can be compromised; trust frameworks for open-source dependencies must evolve to incorporate provenance verification and zero-trust deployment of software artifacts.
Finally, these incidents emphasize the convergence of software development and cybercrime economics. By attacking tools used in software creation, TeamPCP maximizes the leverage and efficiency of its campaigns. It’s a sobering reminder that modern cyber threats are not only technical challenges but also strategic maneuvers exploiting systemic weaknesses in the software supply chain.
Fact Checker Results
✅ TeamPCP linked to Trivy, Checkmarx, and LiteLLM attacks.
✅ Malicious packages included infostealers targeting developer credentials.
❌ No confirmed financial extortion yet; collaboration with LAPSUS$ remains unverified.
Prediction
📊 Given TeamPCP’s targeting strategy and increasing sophistication, supply chain attacks on widely used open-source tools and AI libraries are likely to escalate. Organizations may face broader credential theft, automated malware propagation, and potential collaboration with extortion networks, emphasizing the urgent need for zero-trust policies and enhanced CI/CD monitoring.
References:
Reported By: www.darkreading.com