How a Security Scanner Took Down the AI Supply Chain

A vulnerability scanner trusted to protect a CI pipeline was the entry point. An AI proxy handling your LLM API keys was the target. The credentials stolen from the first were used to compromise the second, and the cascade didn't stop there.

What happened

In late February 2026, the financially motivated threat group TeamPCP exploited a misconfigured GitHub Actions workflow in Aqua Security’s Trivy, one of the most widely deployed open-source vulnerability scanners, to inject credential-stealing code into official release binaries. These weren’t typosquatted packages or rogue mirrors: the poisoned binaries were distributed through Trivy’s legitimate channels. Developers pulling from the source they were supposed to trust received a trojanized binary that ran the real scanner and the stealer in parallel, so the tool appeared to work exactly as before.

The harvested credentials fueled a chain reaction across the software supply chain. Within days, TeamPCP used stolen tokens to: 

  • Force-push malicious commits to all 35 release tags of Checkmarx’s KICS GitHub Action, injecting credential stealers into any CI/CD pipeline referencing Checkmarx actions 
  • Backdoor LiteLLM, the open-source AI proxy gateway with ~95 million monthly PyPI downloads, by publishing two malicious versions directly to PyPI using harvested credentials
  • Propagate CanisterWorm, a self-replicating npm worm, across 66+ packages and 141+ artifacts using stolen npm tokens, with an ICP blockchain canister as its command-and-control channel 
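The KICS compromise worked because a release tag such as @v2 is a mutable pointer: once the attacker force-pushed the tags, every workflow that referenced the action by tag silently picked up the injected commit. A practical check is to audit workflow files for `uses:` references that are not pinned to a full 40-character commit SHA. The script below is an added example written for this page, not tooling from the report or from any of the affected projects; the workflow text, the organisation names other than `actions/`, and the commit SHA in it are constructed for illustration.

```python
"""Flag GitHub Actions 'uses:' references that resolve through a mutable ref.

Added example, not from the report. A tag (@v2, @v2.1.0) or branch can be
moved by anyone with push rights to the action's repository; a full commit
SHA cannot be rewritten without changing the reference itself.
"""
import re

# Matches "uses: owner/repo@ref" in a step, with or without a leading "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full-length git object id: 40 hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def classify_ref(uses):
    """Return 'sha', 'mutable', 'unpinned' or 'n/a' for one uses: value."""
    # Local actions and docker:// images carry no git ref to pin.
    if uses.startswith("./") or uses.startswith("docker://"):
        return "n/a"
    if "@" not in uses:
        return "unpinned"  # resolves to the default branch at run time
    ref = uses.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return [(line_no, uses_value, status)] for every non-SHA reference."""
    issues = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        status = classify_ref(uses)
        if status in ("mutable", "unpinned"):
            issues.append((n, uses, status))
    return issues


# Constructed sample workflow: the SHA and the "some-org" actions are made up.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: some-org/some-action
      - name: run scanner
        uses: some-org/scanner-action@v2.1.0
"""

if __name__ == "__main__":
    for line_no, uses, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {uses} -> {status}")
```

Run it over every file under `.github/workflows/`; anything reported as `mutable` or `unpinned` is a reference that a tag rewrite of the kind described above would redirect. The check is deliberately text-based so it works on a checkout without a YAML parser, at the cost of missing references split across lines.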

By March 24, Mandiant reported over 1,000 SaaS environments affected. 

Inside the report

The attached PDF covers the full technical details behind the campaign: 

  • Infrastructure analysis: how TeamPCP isolated C2 clusters between workstreams, pre-staged VPS infrastructure months to years before activation, and left residual cross-campaign artifacts that link the operations cryptographically 
  • Payload deep-dives: the LiteLLM .pth interpreter hook, the Checkmarx JavaScript credential stealer, trojanized Trivy binaries across 10 platforms, and the CanisterWorm self-propagation mechanism 
  • Attribution: the shared RSA-4096 key, persistence namespace, and encryption scheme that tie every payload to a single actor, plus TeamPCP’s collaboration with LAPSUS$ for extortion
  • Detection and hunting guidance: IOCs (domains, IPs, file hashes), host-based indicators, Kubernetes pod signatures, and infrastructure patterns to hunt for in your environment 

The AI supply chain no one is talking about

The LiteLLM compromise deserves particular attention, not just for its scale but for what it reveals about a structural risk in the AI ecosystem.

LiteLLM isn’t just another Python package. It’s the proxy layer that organizations use to route requests across LLM providers such as OpenAI, Anthropic, Google, Azure, and dozens more. By design, it handles every API key the organization feeds through it. A compromised LiteLLM installation doesn’t just leak infrastructure credentials; it leaks the keys to an organization’s entire AI stack.

The attack’s delivery mechanism made it worse. The malicious LiteLLM v1.82.8 release shipped a Python .pth file, which the interpreter processes at startup. As a result, any Python process on a system with the compromised package installed triggered the stealer silently, in a detached background process with no visible output or startup delay, even if the library was never imported. This is functionally equivalent to hooking the interpreter itself.
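The .pth hook works because Python’s `site` module reads every `*.pth` file in `site-packages` when the interpreter starts and executes any line that begins with `import `; ordinary lines are only appended to `sys.path`. That makes executable .pth lines a compact, defender-side hunting target. The script below is an added example for this page, not code from the report or from the LiteLLM project; the two sample .pth bodies are constructed (the "hostile" one contains only a placeholder string and is never executed, only scanned).

```python
"""Hunt for .pth files that execute code at interpreter startup.

Added example, not from the report. site.py runs any .pth line that starts
with "import " (or "import<TAB>"); everything else is treated as a path.
"""
import os
import re
import site
import tempfile

# Exactly the prefix test site.py applies before exec()-ing a .pth line.
EXEC_LINE = re.compile(r"^import[ \t]")

# Tokens that rarely belong in a legitimate startup hook.
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "compile(", "__import__", "base64", "subprocess",
    "os.system", "os.fork", "os.spawn", "urllib", "socket", "ctypes",
)


def scan_pth_text(text):
    """Return [(line_no, line, reasons)] for every executable line.

    An empty reasons list means the line executes but shows no obvious red
    flag (e.g. a virtualenv or editable-install shim); review it anyway.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or not EXEC_LINE.match(line):
            continue  # blank, comment, or a plain sys.path entry
        reasons = [tok for tok in SUSPICIOUS_TOKENS if tok in line]
        if ";" in line or len(line) > 200:
            reasons.append("compound or unusually long statement")
        findings.append((n, line, reasons))
    return findings


def scan_dirs(dirs):
    """Scan every .pth file in the given directories; map path -> findings."""
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_pth_text(fh.read())
            except OSError:
                continue
            if findings:
                results[path] = findings
    return results


def scan_site_packages():
    """Scan the running interpreter's global and per-user site-packages."""
    return scan_dirs(list(site.getsitepackages()) + [site.getusersitepackages()])


# Constructed samples: a normal path-only .pth and a hook-style .pth.
BENIGN_PTH = "/opt/tools/lib\n# comment\n../shared\n"
HOOK_PTH = (
    "import base64, os; "
    "exec(base64.b64decode('PLACEHOLDER_NOT_REAL_PAYLOAD'))\n"
)


def demo():
    """Write both samples to a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("clean.pth", BENIGN_PTH), ("hook.pth", HOOK_PTH)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): f for p, f in scan_dirs([tmp]).items()}


if __name__ == "__main__":
    for path, findings in scan_site_packages().items():
        for line_no, line, reasons in findings:
            print(f"{path}:{line_no}: {line[:80]}  [{', '.join(reasons) or 'no flags'}]")
```

Run `scan_site_packages()` under each interpreter that matters (system, user, and every virtualenv), because each has its own `site-packages` and therefore its own set of .pth hooks; a finding with flags such as `base64` and `exec(` on a package that has no reason to run startup code is the host-side signal for the mechanism described above.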

This incident is also a sharp reminder of the importance of sovereignty over your AI stack. For organizations, and especially nations, building critical capabilities on top of third-party AI components they don’t control, this campaign is the threat model made real.

A Geopolitically Targeted Wiper Hidden in the Payload Chain

One of the more striking findings from this campaign is its geopolitical angle, which is surprising for a financially motivated group. 

The attack surface itself carries a geopolitical dimension: the compromised upstream projects, Aqua Security’s Trivy and Checkmarx, are products of Israeli cybersecurity companies. Additionally, the destructive payload selectively targets Iranian infrastructure. The payload, kamikaze.sh, deploys a Kubernetes DaemonSet with geopolitical targeting logic. On Iranian systems, it executes a full destructive wipe. On all others, it installs a persistent backdoor. Whether this reflects TeamPCP’s own agenda, an operational relationship with a state-aligned actor, or opportunistic provocation, the implication is the same: supply chain compromises at this scale can carry nation-targeted destructive payloads embedded within what appears to be a financially motivated campaign.

Full IOCs, infrastructure diagrams, and detailed payload analysis are available in our technical report. 
