Someone Poisoned the Security Scanner. Yes, the Security Scanner.

The TeamPCP supply chain attack hit Trivy, Checkmarx, and LiteLLM — turning your security tools into weapons. Here's what happened and what to do Monday morning.


If you spent last week running Trivy scans and feeling good about your container security posture — I have bad news.

On March 19th, a threat actor called TeamPCP compromised Aqua Security's Trivy vulnerability scanner — one of the most popular open-source security tools in the DevOps ecosystem — and turned it into a credential-stealing weapon. Then they used the stolen credentials to cascade into Checkmarx's GitHub Actions, and eventually into LiteLLM's npm packages. Over 1,000 cloud environments were infected before anyone noticed.

This is the biggest supply chain attack of 2026 so far. And the irony is thick enough to choke on: the security tools designed to protect your pipeline became the attack vector.

What Actually Happened

Here's the timeline, because it moved fast:

March 19: TeamPCP pushed trojanized versions of Trivy (0.69.4, 0.69.5, and 0.69.6) to Docker Hub. These looked like normal releases. They were not. The malicious images contained an infostealer called "TeamPCP Cloud stealer" that silently harvested SSH keys, AWS/Azure/GCP credentials, Kubernetes configs, Docker tokens, database connection strings, VPN configs, .env files, crypto wallets, and Slack/Discord webhooks.

Same day: 75 out of 76 trivy-action GitHub Action tags were force-pushed to malicious versions. If your CI/CD pipeline automatically pulled the latest Trivy action — and thousands of pipelines do — you were owned.

March 19-22: Using credentials harvested from Trivy victims, TeamPCP pivoted to Checkmarx. They compromised two Checkmarx GitHub Actions (ast-github-action and kics-github-action) with an identical credential stealer. KICS is an infrastructure-as-code security scanner used by organizations to check Terraform, CloudFormation, and Kubernetes manifests for misconfigurations. The people scanning for security problems were now creating them.

March 22-24: The attack spread to LiteLLM, a popular AI/LLM proxy library, and over 60 npm packages were compromised. Microsoft published emergency guidance. Wiz, Palo Alto, Sysdig, and Arctic Wolf all published incident analyses. The last known clean Trivy version on Docker Hub is 0.69.3.

Why This One Hits Different

We've seen supply chain attacks before. SolarWinds. Log4Shell. The tj-actions compromise last year. But TeamPCP's campaign is notable for three reasons:

1. They attacked the defenders. Trivy isn't some random npm package with 12 downloads. It's a cornerstone of cloud-native security, used by thousands of organizations to scan containers, filesystems, and IaC configs for vulnerabilities. Checkmarx KICS is in the same category. These are tools that security teams trust by default. If you can't trust your scanner, what can you trust?

2. It was self-amplifying. Each compromised tool leaked credentials that were used to compromise the next tool. Trivy creds led to Checkmarx. Checkmarx creds led to LiteLLM. LiteLLM creds led to npm packages. It's a worm that moves through the software supply chain by weaponizing trust relationships between tools. Every pipeline that ran a Trivy scan became a launchpad for the next phase.

3. It exploited mutable tags. The core of the attack was embarrassingly simple: force-push malicious code to existing version tags on GitHub and Docker Hub. If your pipeline pins trivy-action@v4 instead of a specific SHA hash, you got the poisoned version automatically. No alerts. No approval required. Just a CI/CD job that ran exactly as scheduled — except now it was exfiltrating your secrets to a typosquatted domain.

What You Need to Do Right Now

If your organization uses Trivy, Checkmarx KICS, or LiteLLM in any capacity, here's your Monday morning checklist:

Check your Trivy version. If you pulled Trivy Docker images 0.69.4, 0.69.5, or 0.69.6 between March 19-24, assume compromise. The last clean version is 0.69.3. Check your container registries, CI/CD logs, and deployment manifests.

Rotate everything. If any of these tools ran in your pipeline during the attack window, rotate all secrets they had access to: cloud provider credentials (AWS, Azure, GCP), SSH keys, database passwords, API tokens, Docker registry credentials, Kubernetes service account tokens. All of it. Right now. Not Monday afternoon. Monday morning.

Audit your GitHub Actions. Search your repositories for references to aquasecurity/trivy-action, checkmarx/ast-github-action, and checkmarx/kics-github-action. Check what version you're pinned to and when it last ran.

Pin actions to SHA hashes, not tags. This is the single most important takeaway. Tags are mutable — anyone with write access can change what they point to. SHA hashes are immutable. Instead of uses: aquasecurity/trivy-action@v4, use uses: aquasecurity/trivy-action@a1b2c3d4... (the full commit SHA). Yes, it's uglier. Yes, it's harder to update. That's the point.

Check Microsoft's guidance. Microsoft published a detailed detection and response guide on March 24th covering indicators of compromise, KQL queries for Defender, and remediation steps. If you're a Microsoft shop, start there.
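As an added illustration (not code from this newsletter, from Aqua, Checkmarx, or Microsoft), here is a small Python audit script that does the mechanical parts of the checklist above over workflow and manifest text: it flags `uses:` references to the three actions named above, flags any action reference that is not a full 40-hex commit SHA, flags the Trivy image tags listed above as trojanized (and Trivy images not pinned by digest), and rewrites a tag reference into the SHA-pinned form with the original tag kept as a trailing comment so update tooling can still see it. The sample workflow and manifest are constructed, the 40-hex values in them are placeholders rather than real commits, and the Docker Hub image name `aquasec/trivy` is an assumption; any SHA you actually pin to must be taken from the action's own repository and verified against a release you trust.

```python
import re

# Actions and image tags named in the article; everything else here is constructed.
WATCHED_ACTIONS = {
    "aquasecurity/trivy-action",
    "checkmarx/ast-github-action",
    "checkmarx/kics-github-action",
}
TROJANIZED_TRIVY_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
TRIVY_IMAGE = "aquasec/trivy"  # assumed Docker Hub image name

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(line):
    """Return (owner/repo, ref) for a 'uses:' line, or None for any other line."""
    m = USES_RE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def audit_workflow(text):
    """Scan workflow YAML text; return [(line_no, severity, message)] in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if not parsed:
            continue
        repo, ref = parsed
        if repo in WATCHED_ACTIONS:
            findings.append((n, "review", f"{repo}@{ref}: action named in the TeamPCP incident; check when it last ran"))
        if not SHA_RE.match(ref):
            # A tag or branch name can be force-pushed; only a full commit SHA is immutable.
            findings.append((n, "mutable", f"{repo}@{ref}: mutable ref, pin to the full commit SHA"))
    return findings


def split_image(image):
    """Split 'registry/name[:tag]' into (name, tag); a port in the registry host stays in name."""
    parts = image.rsplit("/", 1)
    if ":" in parts[-1]:
        last, tag = parts[-1].split(":", 1)
        return "/".join(parts[:-1] + [last]), tag
    return image, "latest"


def audit_manifest(text):
    """Scan container manifests (Kubernetes, compose, CI config) for risky Trivy image refs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if not m:
            continue
        image = m.group(1)
        if "@sha256:" in image:
            continue  # digest-pinned: the content cannot be swapped under the same reference
        name, tag = split_image(image)
        if not name.endswith(TRIVY_IMAGE):
            continue
        if tag in TROJANIZED_TRIVY_TAGS:
            findings.append((n, "compromised", f"{image}: trojanized Trivy tag, assume every secret the job could read is exposed"))
        else:
            findings.append((n, "mutable", f"{image}: tag reference, pin by digest"))
    return findings


def pin_uses(line, sha):
    """Rewrite 'uses: repo@tag' to 'uses: repo@<sha> # tag'; indentation is preserved."""
    parsed = parse_uses(line)
    if not parsed or not SHA_RE.match(sha):
        raise ValueError("need a 'uses:' line and a full 40-hex commit SHA")
    _, ref = parsed
    base = line.split("#", 1)[0].rstrip()
    return base[: base.rindex("@")] + f"@{sha} # {ref}"


# Constructed sample inputs; the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
# constructed .github/workflows/scan.yml
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v4
        with:
          scan-type: fs
      - uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@1234567890abcdef1234567890abcdef12345678
"""
SAMPLE_MANIFEST = """\
# constructed Kubernetes CronJob fragment
containers:
  - name: scanner
    image: aquasec/trivy:0.69.5
  - name: sidecar
    image: aquasec/trivy:0.69.3
"""

if __name__ == "__main__":
    for n, sev, msg in audit_workflow(SAMPLE_WORKFLOW) + audit_manifest(SAMPLE_MANIFEST):
        print(f"line {n:3d} [{sev}] {msg}")
    print(pin_uses("      - uses: aquasecurity/trivy-action@v4", "0123456789abcdef0123456789abcdef01234567"))
```

To run this over a real repository, feed each file under `.github/workflows/` to `audit_workflow` and each deployment manifest to `audit_manifest`; a "review" finding is the cue to pull the run history for that job during the attack window, and a "mutable" finding is the cue to pin. The line-oriented regexes deliberately avoid a YAML parser so the script also works on templated or partially invalid files, which is where unpinned references tend to hide.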

The Bigger Picture

Here's what keeps me up at night about this: the average organization now uses 152 SaaS apps. Their CI/CD pipelines pull from dozens of open-source tools, registries, and GitHub Actions. Every one of those is a trust boundary, and most teams treat them like plumbing — invisible, assumed safe, never inspected.

The CI/CD pipeline has become the most valuable target in your entire infrastructure. It has access to your source code, your secrets, your cloud credentials, and your deployment keys. It's the skeleton key. And most organizations protect it with... mutable version tags and the assumption that open-source maintainers won't get compromised.

By mid-2026, the average cost of a CI/CD pipeline breach has hit $5.1 million. Eighty-five percent of high-security organizations have already moved to ephemeral runners — containers spun up for a single job and destroyed immediately after. If you're not doing this yet, TeamPCP just gave you the business case.

Your build pipeline is not plumbing. It's the front door. Start treating it that way.

Stay safe out there. And for the love of everything, pin your damn actions to SHA hashes.

— Stetson