Part III — When the security scanner became the weapon: Trivy → LiteLLM → Axios

John W8MEJ Menerick

Project Butterfly of Damocles · Episode 4 of 10 · Part III — The March 2026 cascade
John Menerick · securesql.info · CISSP · CKS/CKA · 15+ yrs security architecture
~32 min read · Events covered: March 19–April 3, 2026

On the morning of March 19, 2026, thousands of CI/CD pipelines around the world ran routine security scans using Trivy — one of the most trusted open-source vulnerability scanners in cloud-native engineering. What those pipelines actually executed was a credential stealer. The tool designed to protect them had been turned against them.

Twelve days later, a North Korean intelligence operation completed a two-week social engineering campaign against a single open-source maintainer. During a three-hour window, it deployed a cross-platform remote access trojan to every developer machine, CI runner, and production server that installed a fresh copy of Axios, a package downloaded 100 million times per week.

These were not the same attack. They were not the same actor. They were not coordinated. They happened to coincide in the same two-week window because the conditions that made both attacks possible — trusted tooling with ambient credential access, volunteer maintainers with no security support — are the same structural conditions that have existed in the ecosystem since the DEF CON 22 dataset was compiled in 2014. The attackers simply got around to it.

  • 12 days: Between the Trivy compromise (Mar 19) and the Axios broadside (Mar 31) — two separate nation-state actors
  • 300 GB: Compressed credentials harvested across both campaigns combined — actively monetized via ransomware partnerships
  • 92 GB: Data stolen from the European Commission alone via the Trivy cascade
  • 174K: npm packages with a direct or transitive dependency on Axios — all exposed during the 3-hour window

Why March 2026 was inevitable: the four conditions that had to be true simultaneously

The March 2026 cascade did not emerge from a novel vulnerability class or a previously unknown attack technique. Every element had appeared in prior incidents. What was new was the convergence: four pre-existing structural conditions aligning in a way that enabled a single compromised tool to cascade through the global DevSecOps infrastructure.

01. Security tooling had CI/CD pipeline secrets by design

Trivy runs in CI/CD pipelines to scan container images and infrastructure code for vulnerabilities. To do this effectively, it requires elevated access: read access to the container registry, access to source code, and in many configurations, access to the cloud credentials used to deploy the scanned infrastructure. This access was legitimate and intentional. The attack did not require Trivy to be misconfigured. It required Trivy to be Trivy.

Attack leverage: any code executing as Trivy could read every secret configured for the pipeline

02. GitHub Actions tags were mutable by anyone with repository write access

Git tags are labels that point to commits. They are not immutable. A repository owner can force-push a tag to point to a completely different commit at any time, and consumers of that tag receive no notification. Every CI/CD workflow that references aquasecurity/[email protected] trusts that the tag will forever point to the same code. That trust is a convention, not a guarantee. It cannot be a guarantee by design.

Attack leverage: force-pushing 76 tags required no new access beyond what the prior breach had already established

03. Incomplete credential rotation left residual access from a prior breach

TeamPCP’s access to the Trivy repository infrastructure was not fresh. It derived from a prior security incident at Aqua Security in late February 2026 in which the initial containment was incomplete. The aqua-bot service account, the GPG signing keys, and credentials for Docker Hub, Twitter, and Slack had all been at risk. The team believed they had completed rotation. They had not rotated everything. TeamPCP retained residual access and waited.

Attack leverage: the gap between “we rotated credentials” and “we rotated every credential” was the entry point

04. Security-conscious organizations ran Trivy on every build, every PR, every deployment

This is the inversion that makes the March 2026 cascade philosophically significant beyond its technical details. Organizations with mature security postures ran Trivy most. They scanned every pull request, every container push, every infrastructure change. Each of those scans was an execution of the malicious binary. The more security-conscious you were, the more times you executed the credential stealer. Diligence was the amplifier.

Attack leverage: the blast radius was directly proportional to the quality of the victim’s security program

March 19–27: how a security scanner becomes a credential harvesting platform at global scale

TeamPCP (UNC6780 / DeadCatx3 / PCPcat / ShellForge) · March 19–27, 2026

Feb 2026 · Prior breach · Incomplete credential rotation at Aqua Security creates residual access

A separate breach of Aqua Security’s infrastructure exposed credentials including the aqua-bot service account, signing keys, and platform tokens. The containment was real but incomplete. TeamPCP identified and retained access to the Argon-DevOps-Mgt service account, which bridged multiple GitHub organizations.

Mar 19 · 17:43 UTC · Trivy v0.69.4 tag pushed — the execution phase begins

Using the retained aqua-bot credentials, TeamPCP force-pushed malicious commits to 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy. Simultaneously, a backdoored Trivy binary was published as v0.69.4 to GitHub Releases, GHCR, Docker Hub, ECR Public, deb/rpm repos, and get.trivy.dev. The commits spoofed legitimate maintainer identities. GitHub flagged them with “This commit does not belong to any branch in this repository” — a warning that very few automated systems or engineers would notice in normal operations.

The payload ran in entrypoint.sh before the legitimate Trivy scan. Pipelines received normal scan output. No anomalous exit codes. No scan failures. Every secret accessible to the runner was exfiltrated to a Cloudflare Tunnel C2 endpoint (plug-tab-protective-relay.trycloudflare.com) encrypted with AES-256+RSA-4096 in a compressed tpcp.tar.gz archive.

76/77 trivy-action tags force-pushed · 7/7 setup-trivy tags force-pushed · v0.69.4 published across all distribution channels simultaneously · Exposure window begins

Mar 19 · ~21:00 UTC · Trivy team detects and begins remediation — but the damage is done

The Trivy team identified the compromise approximately 3 hours after the attack began and removed the malicious artifacts from distribution channels. The trivy-action tags were remediated by 05:40 UTC on March 20. But three hours was enough. Every CI/CD pipeline that ran during that window — including late-night US deployments, Asian business-hour builds, and scheduled overnight scans — executed the credential stealer.

Mar 20 · Early · CanisterWorm deployed — first blockchain C2 on record

Using npm publish tokens harvested from the previous day’s CI/CD runners, TeamPCP deployed CanisterWorm. This is the first documented malware using the DFINITY Internet Computer Protocol (ICP) blockchain as decentralized command-and-control infrastructure. ICP canisters are smart contract execution environments on the Internet Computer blockchain. A canister’s address is a content hash; it cannot be taken down without the ICP network’s consensus. Domain takedowns, IP blocks, and certificate revocation — the standard cybersecurity takedown toolkit — do not apply to ICP canisters.

CanisterWorm authenticated against the npm registry using stolen publish tokens and infected packages maintained by the compromised accounts, including @emilgroup and @opengov enterprise namespaces. Over 47 packages were infected in under 60 seconds. Each infected package contained a copy of the worm that would activate when the package was installed, harvesting npm tokens from the installing environment and using them to propagate further.

Technical detail: why ICP-based C2 defeats conventional takedowns

Traditional malware C2 uses domain names or IP addresses as communication endpoints. Both are revocable by registrars, ISPs, and government agencies. Tor and I2P provide some resilience but are well-understood and partially blockable at network layer. ICP canisters are cryptographically addressed smart contracts running on a decentralized blockchain with 100+ independent node providers globally. There is no registrar to contact, no hosting provider to serve a takedown notice, and no single point of failure to disrupt. The security community had theorized this attack class; CanisterWorm was its first production deployment.

47+ npm packages infected in <60 seconds · First documented ICP blockchain C2 · Each infected package self-propagates on install

Mar 22 · Docker extension · Separately compromised Docker Hub credentials extend exposure by 10 hours

TeamPCP had also compromised Docker Hub credentials for the Aqua Security account through a separate credential path (not the tag-poisoning method). On March 22, they pushed additional malicious Trivy Docker images — v0.69.5, v0.69.6, and latest — using these credentials, bypassing all GitHub-based controls that had been put in place. This extended the active exposure window by approximately 10 hours. Mirror.gcr.io may still serve cached malicious images for some time after the removal.

Mar 22 · Checkmarx · Lateral pivot to Checkmarx KICS — the credentials bridge

Using the Argon-DevOps-Mgt service account, which bridged the Aqua Security and Checkmarx GitHub organizations, TeamPCP force-pushed malicious commits to all 35 version tags in Checkmarx’s kics-github-action and ast-github-action repositories. The payload was functionally similar to the Trivy stealer but with a different C2 domain (checkmarx.zone). A sysmon.service persistence backdoor was planted on affected Linux systems — polling checkmarx.zone every 50 minutes — representing an active access channel on any unremediated host. The team also defaced all 44 repositories in Aqua Security’s aquasec-com GitHub org, renaming them with tpcp-docs- prefixes and exposing proprietary source code.

35 KICS version tags poisoned · 44 Aqua repos defaced · sysmon.service persistence: polls every 50 min

Mar 24 · LiteLLM · LiteLLM AI key vault breached — the credential that unlocks every LLM provider

BerriAI (LiteLLM’s maintainer) used Trivy scanning in their CI/CD pipeline. The poisoned trivy-action that ran on March 19–20 harvested BerriAI’s PyPI publishing token. Five days later, TeamPCP used that token to publish litellm==1.82.7 and litellm==1.82.8 directly to PyPI, bypassing all normal release controls and GitHub Actions provenance checks.

The attack introduced two persistence mechanisms. First: a .pth file in Python’s site-packages directory. Python processes .pth files at interpreter startup, before any import. The file executed a credential-stealing import on every Python invocation: python, pip, pytest, jupyter. Removing LiteLLM does not remove the .pth file unless you know to look for it. Second: Kubernetes lateral movement via privileged pods deployed to every node through kube-system, giving full host filesystem access to any K8s cluster accessible from the compromised environment.

LiteLLM is an AI gateway routing requests to 100+ LLM providers — OpenAI, Anthropic, Azure OpenAI, Google Vertex AI, AWS Bedrock, and more. It stores the corresponding API keys. Wiz Research found it present in 36% of monitored cloud environments. A compromise of LiteLLM is not a compromise of one service. It is a simultaneous compromise of every LLM integration an organization has.

The .pth persistence mechanism: why removing the package isn’t enough

Python’s site-packages directory contains .pth files that configure the Python path. If a .pth file contains an import or exec statement, Python executes it at interpreter startup. The malicious LiteLLM package created litellm_init.pth in site-packages with an import that loaded credential-harvesting code. When you pip uninstall litellm, pip removes the LiteLLM module files. It does not remove the .pth file, which was placed there by a postinstall step separate from the module installation. Detection: grep -r "import" $(python -c "import site; print(site.getsitepackages()[0])")/*.pth. Any .pth file containing an import statement is suspicious.

95M monthly PyPI downloads · 36% of cloud environments (Wiz Research) · ALL LLM API keys simultaneously exposed · K8s lateral movement via kube-system · .pth persistence survives package removal · 3hr live window; quarantined by PyPI

Mar 26 · Telnyx SDK · WAV steganography delivery — a novel technique in production

The Telnyx Python SDK compromise introduced a technique that the security research community had discussed theoretically but had not previously observed in an active supply chain attack: steganographic payload delivery via WAV audio files. The malicious SDK version included a .wav file dependency that appeared to be an audio resource. The actual content was an AES-256+RSA-4096 encrypted second-stage payload encoded into the least-significant bits of the audio waveform.

The steganographic encoding was sophisticated enough that the file passed standard binary analysis and file-type checks. The audio was valid WAV format and would play as noise if opened in an audio player. The malware component extracted and decrypted the payload only when specific environmental conditions were met, making sandbox analysis less reliable.

By this point in the campaign, TeamPCP had announced operational partnerships with CipherForce and Vect ransomware groups. The estimated 300 GB of compressed credentials harvested across the full campaign was being actively monetized: developer credentials for sale or use in further intrusions, LLM API keys resold or used directly, cloud credentials used for cryptomining or ransomware staging.

WAV steganography: how it works in the Telnyx context

Standard audio steganography embeds data in the least-significant bits (LSBs) of audio samples. A 16-bit audio sample has a range of 65,536 values; changing the last bit shifts the audio value by 1/65,536 of its range, which is inaudible to human ears and below the noise floor of most recording environments. A 3-minute stereo WAV file at 44.1kHz contains approximately 15.9 million samples; storing 1 bit per sample yields ~1.99 MB of hidden capacity, more than sufficient for a compressed encrypted payload. The Telnyx variant used a proprietary scheme that spread the payload across multiple LSBs with AES-256 encryption and RSA-4096 key wrapping, making detection dependent on knowing the key or having a clean reference file to compare against.
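The clean-reference comparison mentioned above, as an added example (not from the original article, and not the Telnyx payload's scheme, which the article describes as proprietary): it diffs a suspect 16-bit PCM WAV against a known-clean copy and reports how many samples differ, where, and how many low-order bits the differences reach. Both WAV files are constructed in memory; the "suspect" is the clean tone with the least-significant bit flipped in its first 1,000 samples.

```python
import io
import math
import struct
import wave


def make_wav(samples, rate=8000, channels=1):
    """Serialize signed 16-bit samples into an in-memory WAV file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(channels)
        w.setsampwidth(2)  # 16-bit PCM
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def read_pcm16(wav_bytes):
    """Return ((channels, rate, frames), samples) for a 16-bit PCM WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled in this example")
        params = (w.getnchannels(), w.getframerate(), w.getnframes())
        raw = w.readframes(w.getnframes())
    return params, struct.unpack("<%dh" % (len(raw) // 2), raw)


def compare_to_reference(clean_wav, suspect_wav):
    """Diff a suspect WAV against a known-clean reference, sample by sample."""
    c_params, clean = read_pcm16(clean_wav)
    s_params, suspect = read_pcm16(suspect_wav)
    if c_params != s_params:
        # Different format or length: not the same audio, so no bit-level diff.
        return {"comparable": False, "reason": "format or length differs"}
    changed, mask, first, last = 0, 0, None, None
    for i, (a, b) in enumerate(zip(clean, suspect)):
        diff = (a ^ b) & 0xFFFF  # bits that differ within the 16-bit sample
        if diff:
            changed += 1
            mask |= diff
            first = i if first is None else first
            last = i
    return {
        "comparable": True,
        "samples": len(clean),
        "changed": changed,
        # Highest bit position that ever differs; 1 means only the LSB changed,
        # which is what audible edits or re-encoding would not produce.
        "low_bits_touched": mask.bit_length(),
        "first_changed": first,
        "last_changed": last,
    }


def demo():
    # Constructed input: a 1-second 440 Hz tone, and a copy whose first
    # 1,000 samples have the least-significant bit flipped.
    clean = [int(12000 * math.sin(2 * math.pi * 440 * i / 8000))
             for i in range(8000)]
    suspect = [s ^ 1 if i < 1000 else s for i, s in enumerate(clean)]
    return compare_to_reference(make_wav(clean), make_wav(suspect))


if __name__ == "__main__":
    print(demo())
```

A file whose differences from the vendor's published copy are numerous but never reach above the lowest one or two bits is the pattern worth escalating; a file that differs in format or length is simply a different asset.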

First production WAV steganography supply chain delivery · 300 GB credentials total across full campaign · CipherForce + Vect ransomware monetization partnerships

March 31: a completely independent actor, a two-week investment, a three-hour window

While TeamPCP was running its cascade across March 19–27, an entirely separate North Korean intelligence operation was running on a parallel track. UNC1069 — also tracked as Sapphire Sleet, STARDUST CHOLLIMA, BlueNoroff, and CryptoCore by different vendor intelligence teams — had been working a social engineering campaign against Axios lead maintainer Jason Saayman for approximately two weeks.

The two operations were not coordinated. They did not share infrastructure. They targeted different ecosystems via different methods for different ultimate objectives. They happened to converge in the same twelve-day window because both were exploiting the same structural vulnerability: open-source maintainers with significant deployment footprints, no institutional security support, and high susceptibility to social engineering from well-resourced adversaries.

UNC1069 / Sapphire Sleet / STARDUST CHOLLIMA (DPRK) · ~March 17–31, 2026

Phase 1 — Reconnaissance and target selection

Axios is the most downloaded HTTP client library for Node.js. At ~100 million weekly downloads, it is a foundational dependency of the JavaScript ecosystem. A compromised Axios release tagged latest reaches every developer machine and CI/CD pipeline running npm install without a pinned version. The ROI calculation: one maintainer’s credentials, accessible via social engineering, yields access to 174,000 downstream packages and every environment that installs any of them. UNC1069 had previously targeted cryptocurrency founders and venture capitalists using similar social engineering methods; OSS maintainers with comparable footprints were a natural extension of that target set.

Phase 2 — Identity construction (approximately 2 weeks before March 31)

The attacker did not approach Saayman as an unknown contact. They constructed a believable identity: the appearance of a founder of a real, legitimate, well-known technology company. The operation included:

  • Cloning the company founder’s LinkedIn presence and other public profile indicators
  • Creating a real Slack workspace (not a fake link — an actual functional Slack workspace) branded to the company’s CI system, with a plausible naming convention
  • Populating the Slack workspace with channels sharing the real company’s LinkedIn posts (which redirected to the legitimate account, providing authentic-looking content)
  • Populating the workspace with what appeared to be other team members (additional compromised or synthetic accounts)
  • Building rapport over multiple interactions before requesting anything that would require access

Saayman’s own postmortem described the Slack workspace as “thought out very well” with channels that made it look like a functional company environment. The social engineering was not a phishing email. It was a multi-week relationship.

Phase 3 — The Teams call and RAT deployment (March 30–31)

After establishing the relationship in Slack, the attacker scheduled a Microsoft Teams meeting with Saayman involving what appeared to be multiple participants from the fake company. During the call, the attacker reported an audio problem — “I can’t hear you, there seems to be a microphone issue” — and suggested Saayman install a specific application or run a script to “fix” the audio. The fix was the RAT delivery mechanism. Once executed, it established persistence and harvested npm account credentials.

The malware suite: CosmicDoor, SilentSiphon, WAVESHAPER.V2

UNC1069 deployed a cross-platform RAT framework with three parallel implementations sharing identical C2 protocol, command structure, and beacon behavior. CosmicDoor (Nim-based, macOS) and its Go counterpart (Windows) served as the primary backdoor and persistence mechanism. SilentSiphon was the credential harvester: capturing credentials from web browsers, password managers, and secrets associated with GitHub, GitLab, Bitbucket, npm, Yarn, pip, RubyGems, Rust Cargo, and .NET NuGet. WAVESHAPER.V2 served as a conduit for additional downloaders and information stealers including HYPERCALL, SUGARLOADER, HIDDENCALL, SILENCELIFT, DEEPBREATH, and CHROMEPUSH. This is not a simple RAT. It is an intelligence collection platform designed specifically to harvest developer credentials across every package manager and source control system the target uses.

Phase 4 — Registry exploitation and containment race (March 31, 00:21–03:15 UTC)

With npm credentials in hand, the attacker changed the registered email on Saayman’s npm account to an attacker-controlled ProtonMail address, establishing persistent registry access. A pre-staged decoy package ([email protected]) had been published approximately 18 hours earlier to establish registry history and reduce the chance of automated anomaly detection on the malicious version.

At 00:21 UTC, [email protected] was published with [email protected] as a dependency. At approximately 01:00 UTC, [email protected] was published with the same payload. Both were tagged latest and legacy respectively, ensuring coverage of all active semver ranges. [email protected]’s postinstall hook executed setup.js automatically, which identified the target OS and downloaded the appropriate platform-specific stage-2 payload from sfrclak[.]com:8000.

Community members who noticed the compromise and filed issues on the Axios repository had their issues deleted in real time by the compromised account. This active issue deletion extended the window by suppressing community detection signals. At 01:38 UTC, axios collaborator DigitalBrainJS — who had less permission than the compromised account but noticed the issue deletions — opened a deprecation PR and escalated directly to npm. npm removed the malicious versions at 03:15 UTC. Window: 2 hours, 54 minutes.

~100M weekly downloads · 174,000 downstream npm packages · Cross-platform RAT: macOS + Windows + Linux · Issue deletions used to suppress detection · 2h 54m live window · SLSA provenance absent — reliable detection signal

How 12 days of nation-state activity translates into organizational exposure

The blast radius comparison below is instructive, but raw download numbers understate the actual organizational impact. Axios downloads are not unique organizations; many are repeated builds in CI/CD pipelines. The more relevant metric is: how many distinct developer machines and CI runners were executing fresh npm installs during the three-hour window? The answer is unknown but estimated in the millions, across every time zone where Node.js development activity occurs at midnight UTC.

  • Axios (UNC1069): ~100M wk downloads · 174K downstream packages
  • LiteLLM (TeamPCP): 95M mo downloads · 36% of cloud envs (Wiz)
  • Trivy binary (TeamPCP): 1,000+ enterprise envs · European Commission 92 GB
  • Checkmarx KICS: 35 version tags · 1,000s of pipelines
  • CanisterWorm (npm): 47+ packages · self-propagating via stolen tokens
  • Telnyx SDK: Smaller radius · first WAV stego delivery in production

Who ran these operations, and what the attribution tells us about the threat landscape

TeamPCP (UNC6780) · Mar 19–27, 2026
  • Also tracked as: DeadCatx3, PCPcat, ShellForge, UNC6780 (Google Mandiant)
  • Classification: Financially motivated cybercriminal group with cloud-native specialization
  • Primary motive: Credential theft → ransomware monetization via partner groups
  • Prior activity: Cryptomining, data exfiltration, ransomware staging via misconfigured Docker APIs, K8s clusters, Redis servers
  • Entry vector: Residual access from incomplete credential rotation (Aqua Security, Feb 2026)
  • Novel technique 1: ICP blockchain canisters as censorship-resistant C2 (CanisterWorm)
  • Novel technique 2: WAV steganography for second-stage payload delivery (Telnyx SDK)
  • Ransomware partnerships: CipherForce, Vect; LAPSUS$ for data extortion
  • Data harvested: ~300 GB compressed credentials, AWS/GCP/Azure keys, K8s tokens, LLM API keys, npm/PyPI tokens, SSH keys
  • Notable victim: European Commission — 92 GB stolen, published by ShinyHunters

UNC1069 / Sapphire Sleet (DPRK) · Mar 17–31, 2026
  • Also tracked as: STARDUST CHOLLIMA (CrowdStrike), BlueNoroff, CryptoCore, Alluring Pisces, CageyChameleon
  • Classification: DPRK state-sponsored, Lazarus Group subcluster, financially motivated
  • Primary motive: Hard currency generation for DPRK regime via credential theft and direct crypto theft
  • Prior target set: Cryptocurrency exchanges, DeFi protocols, VC firms, crypto founders — pivoted to OSS maintainers as credential value became apparent
  • Entry vector: 2-week individualized social engineering campaign; fake company identity, Slack workspace, Teams call
  • Social engineering sophistication: Individually tailored to target; cloned real company founder’s identity; created functional fake workspace with authentic-looking activity
  • Malware suite: CosmicDoor (Nim/macOS, Go/Windows), SilentSiphon (credential harvester), WAVESHAPER.V2, HYPERCALL, SUGARLOADER, HIDDENCALL, DEEPBREATH, CHROMEPUSH
  • Credential targets: npm, GitHub, GitLab, Bitbucket, pip, RubyGems, Cargo, NuGet — all package managers simultaneously
  • Operational patience: Two weeks of preparation for a three-hour execution window — nation-state ROI calculation at 100M weekly downloads

The attribution convergence on these two campaigns — Google Threat Intelligence Group attributing UNC1069 (Axios), Mandiant attributing UNC6780 (Trivy/TeamPCP), Microsoft’s Sapphire Sleet attribution for Axios, CrowdStrike’s STARDUST CHOLLIMA attribution — is itself significant. Multiple major intelligence teams independently identified the same actor clusters within days of each incident. This level of attribution confidence is rare for supply chain attacks, and its availability here reflects both the sophistication of the detection community and the fact that these actors made mistakes that left attributable infrastructure artifacts.


What “1,000+ enterprise environments compromised” actually means in practice

The European Commission was among the organizations whose CI/CD infrastructure ran the compromised Trivy binary during the March 19–20 window. CERT-EU attributed the subsequent breach to TeamPCP. The result: approximately 92 GB of compressed data — emails, personal details, internal documents from staff across dozens of EU institutions — was exfiltrated from the Commission’s AWS infrastructure and subsequently published by ShinyHunters, the data extortion group that has operated Breach Forums since 2020.

The dual attribution — TeamPCP for the intrusion, ShinyHunters for the publication — reflects a professionalization of the cybercriminal ecosystem that mirrors legitimate business models. TeamPCP specializes in initial access and credential harvesting. ShinyHunters specializes in data brokerage and extortion. CipherForce and Vect specialize in ransomware deployment. The specialization makes each component more effective and the overall ecosystem more resilient to disruption of any single actor.

Why government and critical infrastructure organizations had disproportionate Trivy exposure

Many government security frameworks and FedRAMP-equivalent programs explicitly require continuous vulnerability scanning of container images and infrastructure code. Organizations operating under these frameworks had the strongest compliance incentives to run Trivy on every build. They also often ran Trivy in self-hosted runners with broader permission scopes, because government environments tend to use more restrictive network policies that require runners to have direct access to sensitive infrastructure. The compliance requirement that was supposed to improve security — continuous vulnerability scanning — became the mechanism for the largest credential theft in the history of European Union institutions.


The signals that were present, the signals that were missing, and what you can do about each

Signals that were present and actionable
SLSA provenance absent on Axios release
Legitimate Axios releases have always included OIDC provenance metadata and SLSA level 2 build attestations linking the npm package to a specific GitHub Actions run. The malicious versions had none — they were published directly via stolen credentials. Any organization running npm audit signatures (npm 9+) would have seen this immediately. Detection latency: seconds after publication.
GitHub commit “does not belong to any branch” warning on Trivy tags
GitHub annotates force-pushed tags with a warning indicating the tagged commit is not reachable from any branch in the repository. Any pipeline monitoring for this condition on GitHub Actions used by CI/CD would have caught the Trivy tag poisoning. Almost no organizations had this check.
Outbound connections to sfrclak.com (Axios) and scan.aquasecurtiy.org (Trivy) from CI runners
The malicious payloads communicated with attacker-controlled infrastructure. Organizations with egress filtering on CI/CD runners — allowing only known-good destinations — would have blocked the payload delivery. This is uncommon but deployable. The Axios C2 was sfrclak[.]com:8000; a runner with egress restricted to package registries would not have been able to reach it.
Anomalous npm package email change notification
npm sends notification emails when the registered email for an account is changed. The Saayman account email was changed to a ProtonMail address. If npm 2FA was configured and notification emails were monitored, this would have been detectable. npm 2FA was not configured on the Saayman account; this is not unusual for OSS maintainers who have not threat-modeled against nation-state targeting.
Signals that were absent or unreliable
Static analysis of the malicious Trivy binary
The credential stealer was added to the legitimate Trivy binary in a way that preserved normal scan output and exit codes. Without reference file comparison (hash mismatch detection), automated static analysis was not likely to catch the addition during the 3-hour initial window.
Social engineering detection for the Axios attack
There is no technical control that prevents the Axios attack vector. The attacker built a genuine relationship with a real human over two weeks. Security awareness training exists; it does not defeat a two-week, individually tailored, nation-state social engineering operation targeting a specific person. The only reliable mitigation is structural: mandatory 2FA for package publishing, trusted publishing with OIDC, SLSA attestation requirements.
Runtime behavior detection of .pth persistence
The LiteLLM .pth persistence mechanism executed on every Python invocation. Unless EDR coverage was specifically looking for unexpected imports from site-packages .pth files, this would appear identical to legitimate Python startup behavior. Most EDR products in 2026 do not specifically instrument Python .pth file execution.
ICP blockchain C2 takedown
CanisterWorm’s ICP-based C2 was not and cannot be taken down via conventional mechanisms. Blocking ICP protocol traffic at the network layer is possible but has significant false-positive potential (legitimate ICP traffic). DNS-based blocking does not apply to canister addresses. This represents a genuine gap in the defensive toolkit.

The minimum viable response for environments that ran affected tooling between March 19–April 3

If you ran Trivy between March 19–22, 2026 (binary or GitHub Action)
  • Rotate all secrets that were environment variables in any runner that executed Trivy during this window: AWS IAM keys, GCP service account keys, Azure credentials, Kubernetes service account tokens, SSH private keys, Docker registry credentials, GitHub PATs, npm and PyPI publish tokens, database credentials
  • Update Trivy binary to v0.69.3 or earlier; update trivy-action to v0.35.0 (commit 57a97c7) or later; update setup-trivy to v0.2.6 (commit 3fb12ec) or later
  • Pin all future GitHub Actions references to full commit SHAs, not version tags
  • Audit GitHub Actions workflow logs for connections to scan.aquasecurtiy.org or 45.148.10.212
  • Check for tpcp-docs- prefixed repositories in your GitHub organizations (indicates credential access was used for repository defacement)
  • Audit Kubernetes clusters for unauthorized workloads in kube-system namespace
  • If sysmon.service is present on Linux hosts: this is the Checkmarx KICS persistence backdoor — remove and rotate all credentials on affected hosts
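The SHA-pinning step above, and the mutable-tag condition described earlier in the article, as an added example that is not from the original article or from any project it names: a Python audit that lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The workflow text, the `example-org/example-action` name and its SHA are constructed sample values.

```python
import re

# "uses: owner/repo[/path]@ref" on a step line, optionally after the "- " marker.
# Commented-out lines do not match because "#" precedes "uses:".
USES_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: aquasecurity/trivy-action@master
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-lint
"""


def classify_ref(uses_value):
    """Return 'local', 'pinned', 'mutable' or 'missing-ref' for a uses: value."""
    if uses_value.startswith("./"):
        return "local"  # action stored in the same repository as the workflow
    if uses_value.startswith("docker://"):
        # An image digest is immutable; an image tag can be re-pushed.
        return "pinned" if "@sha256:" in uses_value else "mutable"
    if "@" not in uses_value:
        return "missing-ref"
    ref = uses_value.rsplit("@", 1)[1]
    # Tags, branches and abbreviated SHAs can all be repointed or are ambiguous.
    return "pinned" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def audit_workflow(text):
    """Return (line_number, uses_value, status) for every unpinned reference."""
    findings = []
    for m in USES_RE.finditer(text):
        status = classify_ref(m.group(1))
        if status in ("mutable", "missing-ref"):
            line_no = text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(1), status))
    return findings


if __name__ == "__main__":
    for line_no, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is {status}")
```

Run over every file under `.github/workflows/`, a non-empty result is a list of places where a force-pushed tag would change what the pipeline executes.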
If you ran LiteLLM 1.82.7 or 1.82.8
  • Rotate all LLM API keys (OpenAI, Anthropic, Azure OpenAI, Google Vertex, AWS Bedrock, and all others configured in LiteLLM) immediately
  • Check for litellm_init.pth in all Python site-packages directories: find $(python -c "import site; print(' '.join(site.getsitepackages()))") -name "*.pth" -exec grep -l "import" {} \;
  • Remove any .pth files with import statements; these are not created by standard Python packages and should not be present
  • Audit Kubernetes clusters for privileged pods in kube-system that were not deployed by your team — the lateral movement mechanism created privileged pods with full host filesystem access to every node
  • Treat any system that had LiteLLM installed and ran a Python interpreter after the installation as fully compromised, even if the malicious package has been removed
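The `.pth` check from this list and from the persistence explanation earlier, as an added example (not code from the original article or from LiteLLM): it applies the rule CPython's `site` module uses, where a `.pth` line is executed only when it begins with `import` followed by a space or tab, and reports each such line with its file so it can be triaged. The temporary directory and file contents in `demo()` are constructed; `litellm_init.pth` is the file name given in the article.

```python
import os
import site
import sysconfig
import tempfile


def candidate_dirs():
    """Directories whose .pth files this interpreter processes at startup."""
    dirs = set()
    getsp = getattr(site, "getsitepackages", None)  # missing in some old virtualenvs
    if getsp:
        dirs.update(getsp())
    if site.ENABLE_USER_SITE:
        dirs.add(site.getusersitepackages())
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(d for d in dirs if os.path.isdir(d))


def executable_lines(pth_path):
    """Return (line_no, text) for the lines site.py would exec() at startup."""
    hits = []
    with open(pth_path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            # Same test site.py applies: no leading whitespace, "import" then
            # a space or tab. Comment lines and plain path entries never run.
            if line.startswith(("import ", "import\t")):
                hits.append((no, line.rstrip("\r\n")))
    return hits


def scan(dirs):
    """Map each .pth file that contains executable lines to those lines."""
    findings = {}
    for d in dirs:
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                hits = executable_lines(path)
                if hits:
                    findings[path] = hits
    return findings


def demo():
    # Constructed files in a throwaway directory; nothing here is executed,
    # because the directory is not one Python treats as a site directory.
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "plain_paths.pth": "/opt/constructed/lib\n",
            "commented.pth": "# import os\n",
            "litellm_init.pth": "import constructed_loader_module\n",
        }
        for name, body in files.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): h for p, h in scan([tmp]).items()}


if __name__ == "__main__":
    for path, hits in scan(candidate_dirs()).items():
        for no, text in hits:
            print(f"{path}:{no}: {text}")
```

Run it once per interpreter and virtual environment on the host, since each has its own site-packages directory.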
If you installed Axios between March 31 00:21–03:15 UTC
  • Safe versions: [email protected] or earlier (1.x), [email protected] or earlier (0.30.x)
  • Check for plain-crypto-js in node_modules; if present, treat the environment as compromised
  • Search for outbound connections to sfrclak.com or 142.11.206.72 on port 8000 in network logs during the window
  • Rotate all developer credentials on machines that ran npm install during this window: browser-saved credentials, password manager entries, GitHub tokens, cloud provider credentials
  • Check for persistence mechanisms: scheduled tasks (Windows), launchd agents (macOS), systemd units (Linux) created by an npm postinstall script
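The `plain-crypto-js` check from this list, as an added example (not from the original article or from npm): instead of inspecting only the top level of `node_modules`, it walks a `package-lock.json` in both the flat `packages` layout (lockfileVersion 2 and 3) and the nested `dependencies` layout (lockfileVersion 1), reporting where the package is installed and which packages require it. The lockfile content and every version string in it are constructed.

```python
import json

SUSPECT = "plain-crypto-js"  # package name given in the article

# Constructed lockfile; the version strings are placeholders, not real releases.
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app", "dependencies": {"axios": "^0.0.0"}},
        "node_modules/axios": {
            "version": "0.0.0-constructed",
            "dependencies": {"plain-crypto-js": "^0.0.0"},
        },
        "node_modules/plain-crypto-js": {
            "version": "0.0.0-constructed",
            "hasInstallScript": True,
        },
        "node_modules/follow-redirects": {"version": "0.0.0-constructed"},
    },
})


def find_in_lockfile(lock_text, name=SUSPECT):
    """Return sorted (kind, location, version_or_range) hits for a package."""
    lock = json.loads(lock_text)
    hits = []

    # lockfileVersion 2/3: flat map keyed by install path, "" is the root project.
    for path, meta in lock.get("packages", {}).items():
        installed = path.rsplit("node_modules/", 1)[-1]
        if installed == name:
            hits.append(("installed", path, meta.get("version", "?")))
        for field in ("dependencies", "optionalDependencies", "peerDependencies"):
            if name in meta.get(field, {}):
                hits.append(("required-by", path or "<root>", meta[field][name]))

    # lockfileVersion 1: nested tree; packages can hide several levels down.
    def walk(deps, trail):
        for dep, meta in deps.items():
            here = trail + [dep]
            if dep == name:
                hits.append(("installed", "/".join(here), meta.get("version", "?")))
            if name in meta.get("requires", {}):
                hits.append(("required-by", "/".join(here), meta["requires"][name]))
            walk(meta.get("dependencies", {}), here)

    if "packages" not in lock:  # v2 files carry both layouts; avoid double counting
        walk(lock.get("dependencies", {}), [])
    return sorted(hits)


if __name__ == "__main__":
    for kind, where, version in find_in_lockfile(SAMPLE_LOCK):
        print(f"{kind}: {where} ({version})")
```

Lockfiles kept in version control also show whether the package was resolved in builds whose `node_modules` directory no longer exists.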

The meta-irony deserves explicit statement one more time, because it is the thematic core of this episode and of the series: Trivy is a vulnerability scanner. Its elevated CI/CD pipeline access was not a misconfiguration. It was a design requirement. The security tool that was supposed to make your pipeline safer ran the credential stealer because it was doing exactly what it was designed to do — running in your pipeline with access to everything your pipeline touches. The March 2026 cascade did not represent a failure of security engineering. It represented the weaponization of security engineering. The fairy dust that dissipated in this episode was the assumption that the tools designed to protect you are themselves protected.

Tags: Trivy · LiteLLM · Axios · TeamPCP · UNC1069 · Sapphire Sleet · DPRK · CanisterWorm · ICP blockchain C2 · WAV steganography · CVE-2026-33634 · CVSS 9.4 · GitHub Actions mutable tags · SLSA provenance · European Commission breach · ShinyHunters · Python .pth persistence · postinstall hook · CosmicDoor · SilentSiphon · WAVESHAPER.V2 · CI/CD security · credential harvesting · Project Glasswing · Project Butterfly of Damocles
