TeamPCP: Supply Chain Attack Targets Trivy, KICS GitHub Action, and LiteLLM
Executive Summary
Security vendors have linked recent incidents involving trusted software components to a supply chain attack campaign by TeamPCP, a cloud-focused threat actor group. The reported activity involved three widely used types of development components, which include:
- Aqua Security's Trivy: a security scanning component commonly used to identify vulnerabilities and misconfigurations in containers, images, repositories, and cloud-native environments.
- Checkmarx's KICS GitHub Action: a CI/CD workflow component used to scan infrastructure-as-code (IaC) for security and compliance issues as part of automated development pipelines.
- LiteLLM: a Python dependency used to simplify and centralize access to multiple large language model (LLM) services in application and AI workflows.
Technical Overview
Timeline of activity
- On March 19, 2026, Aqua Security disclosed that a threat actor compromised credentials to publish malicious releases of Trivy version 0.69.4, along with trivy-action and setup-trivy in GitHub Actions. Aqua reported that they removed all malicious artifacts from affected distribution channels.
- On March 22 and March 23, 2026, JFrog, Orca Security, and StepSecurity linked the broader TeamPCP activity to follow-on npm ecosystem compromises, including the self-propagating CanisterWorm campaign. Their reporting suggests this phase expanded beyond the initial trusted CI/CD and package components, showing how stolen access could be reused to spread malicious packages across additional software distribution paths.
- On March 23, 2026, Wiz reported that Checkmarx's KICS GitHub Action had been compromised after threat actors force-pushed multiple tags to malicious commits, causing workflows pinned to those tags to execute a rogue setup.sh payload. Wiz said the malware was designed to steal secrets, exfiltrate stolen data, and in some environments attempt Kubernetes-based persistence through deployment of a highly privileged pod. Checkmarx later confirmed that the affected window was between 12:58 and 16:50 UTC, that the incident was resolved by 19:24 UTC, and that users should move to kics-github-action v2.1.20 or newer.
- Also on March 23, 2026, Checkmarx disclosed that two malicious OpenVSX plugin artifacts were published: ast-results-2.53.0.vsix and cx-dev-assist-1.7.0.vsix. According to Checkmarx, organizations were only potentially affected if they downloaded and executed those artifacts from OpenVSX during the impacted window, while the VS Code Marketplace versions were not affected.
- On March 24, 2026, Endor Labs reported that LiteLLM versions 1.82.7 and 1.82.8 on PyPI contained malicious code not present in the upstream repository, while 1.82.6 was identified as the last known clean version. Their analysis found a credential-harvesting payload, Kubernetes-oriented lateral movement logic, and in version 1.82.8, a .pth mechanism that could trigger the payload on Python startup even without importing the package directly.
Inside the threat actor’s playbook: Why these components mattered
These attacks appear to have focused on trusted components embedded in CI/CD, developer, and cloud-native workflows rather than on brands or vendors themselves. GitHub Actions, security scanners, plugins, and Python packages are attractive because they often run automatically and may have access to tokens, secrets, source code, registries, and Kubernetes-connected environments. Compromising one of these components can give broad downstream reach to a threat actor across many organizations without having to breach each one directly.
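The KICS incident in the timeline above worked because workflows referenced the action by a mutable tag that could be force-pushed. The following audit script is an added example (not Cato's, Checkmarx's or Aqua's code) that walks a workflow file, classifies every `uses:` reference as pinned to an immutable commit SHA, pinned to a mutable tag or branch, or unpinned, and surfaces the components named in this post first. The watchlist owner prefixes are assumed from the projects' public GitHub repository names, and the sample workflow and its SHA are constructed for the demonstration.

```python
import re

# Actions named in the timeline above. The owner prefixes (aquasecurity/,
# checkmarx/) are assumed from the projects' public GitHub names.
WATCHLIST = {
    "aquasecurity/trivy-action",
    "aquasecurity/setup-trivy",
    "checkmarx/kics-github-action",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable


def audit_workflow(text):
    """Return (action, ref, status) for each remote `uses:` reference.

    status is 'sha' for a full-SHA pin, 'mutable' for a tag or branch that
    can be force-pushed to a different commit, or 'unpinned' when no ref is
    given. Local (./path) and docker:// references are skipped.
    """
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        action_key = "/".join(action.split("/")[:2]).lower()  # drop sub-path
        if not ref:
            status = "unpinned"
        elif SHA_RE.match(ref):
            status = "sha"
        else:
            status = "mutable"
        findings.append((action_key, ref, status))
    return findings


def prioritize(findings):
    """Non-SHA references only, with watchlisted components listed first."""
    mutable = [f for f in findings if f[2] != "sha"]
    return sorted(mutable, key=lambda f: (f[0] not in WATCHLIST, f[0]))


# Constructed sample workflow; the checkout SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - uses: checkmarx/kics-github-action@v2
      - uses: aquasecurity/trivy-action@master
      - name: local helper
        uses: ./.github/actions/notify
"""

if __name__ == "__main__":
    for action, ref, status in prioritize(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"{status:8} {action}@{ref}")
```

Run it over every file under `.github/workflows/`; anything reported as `mutable` or `unpinned` should be re-pinned to a reviewed commit SHA, with the watchlisted entries handled first.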
Enterprise risk and impact
This attack pattern matters because it abuses trust in software delivery paths. When a package, action, or plugin is executed inside a trusted build or runtime environment, the malicious code can inherit access to high-value credentials and infrastructure. Even short-lived exposure windows can have significant impact if the affected component is widely used in automated pipelines. The practical risk is not limited to the initial compromise: it can extend to secret theft, lateral movement, persistence, and follow-on access to cloud and Kubernetes environments.
Conclusion
Relevant indicators and observed attack patterns associated with this campaign have been added to Cato IPS as part of virtual patching coverage. Cato is actively monitoring for related activity, and Cato MDR is available to assist customers with validation, investigation, and response as needed.