Major Supply Chain Attack Targets Aqua Trivy, Checkmarx KICS, and LiteLLM Across Multiple Ecosystems
Key Takeaways
- A coordinated supply chain attack exploited incomplete credential rotation in Aqua Trivy to distribute malicious builds across GitHub Releases, Docker Hub, ECR, and GHCR
- Sophisticated imposter commit techniques impersonating legitimate maintainers (Guillermo Rauch, DmitriyLewen) were used to establish malicious build chains via typosquatted C2 infrastructure
- The compromise cascaded to secondary targets including Checkmarx KICS and BerriAI LiteLLM, demonstrating the critical risk of shared CI/CD token exposure across the open-source ecosystem
Summary
A sophisticated multi-week supply chain attack dubbed "TeamPCP" has compromised critical open-source security tools across GitHub Actions, npm, PyPI, Docker Hub, and OpenVSX. The campaign began with an attack on Aqua's Trivy vulnerability scanner, where incomplete credential rotation following a prior breach allowed attackers to publish malicious builds across multiple distribution channels including GitHub Releases, container registries (ECR, Docker Hub, GHCR), and package managers. The attack subsequently spread to Checkmarx KICS (via hijacked OpenVSX extension and GitHub Action) and BerriAI's LiteLLM (through PyPI token harvesting), demonstrating how a single compromised project can cascade into broader ecosystem compromise.
The attack chain exploited sophisticated techniques including imposter commits impersonating legitimate developers (Guillermo Rauch and DmitriyLewen), typosquatted command-and-control domains, and malicious Go file injection. Attackers weaponized a vulnerable pull_request_target GitHub Actions workflow to exfiltrate credentials, then used those tokens to create seemingly legitimate commits and trigger automated release workflows. The malicious v0.69.4 release of Trivy was distributed across multiple channels before detection, affecting developers relying on container images and binary downloads, though package manager installations and Homebrew builds remained unaffected.
- Vulnerable pull_request_target workflows continue to pose significant supply chain risks: they enable exfiltration of personal access tokens (PATs) that remain valid when credential rotation is incomplete
Editorial Opinion
This TeamPCP campaign represents a sophisticated evolution in supply chain attacks, moving beyond simple account compromise to orchestrate multi-stage, multi-ecosystem poisoning. The ability to impersonate trusted maintainers and trigger automated releases highlights critical gaps in GitHub Actions security and the urgency for atomic credential rotation with immediate revocation. Organizations must urgently audit their pull_request_target workflows and implement stricter CI/CD token management; relying on signature verification and binary attestation will become essential for ecosystem resilience.
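As an added example (not code from this article or from any of the projects it names), the following Python check illustrates the audit recommended above: it flags the pull_request_target pattern described in the summary, a privileged job that checks out the pull request head and then runs it or exposes secrets. The two workflow texts are constructed samples, and the line-oriented regex heuristics are an assumption about how such workflows are commonly written, not a full YAML parser.

```python
import re

# Constructed sample: the risky pattern. pull_request_target runs with the base
# repository's secrets, yet the job checks out the untrusted PR head and executes it.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          TOKEN: ${{ secrets.RELEASE_PAT }}
"""

# Constructed sample: same trigger, but checkout stays on the base branch and
# no secret is referenced, so PR-controlled code never runs with credentials.
SAFE_WORKFLOW = """\
name: label
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label.sh
"""

HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRETS_RE = re.compile(r"secrets\.[A-Za-z0-9_]+")

def audit_workflow(text: str) -> list[str]:
    """Return findings for workflows mixing pull_request_target with untrusted PR code."""
    findings: list[str] = []
    if not re.search(r"\bpull_request_target\b", text):  # block or flow-style trigger
        return findings
    checks_out_head = bool(HEAD_REF_RE.search(text))
    runs_code = bool(re.search(r"^\s*-?\s*run\s*:", text, re.M))
    secrets = sorted(set(SECRETS_RE.findall(text)))
    if checks_out_head and runs_code:
        findings.append("pull_request_target job checks out the PR head and runs it")
    if checks_out_head and secrets:
        findings.append("secrets exposed alongside untrusted PR code: " + ", ".join(secrets))
    return findings
```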