TeamPCP is the likely cyber threat actor behind attacks on Trivy, Checkmarx's KICS and VS Code plug-ins, and the LiteLLM AI library — and all signs point to more attacks to come.
Following a broad supply chain attack that compromised Aqua Security's Trivy open source security scanner, Checkmarx on Tuesday disclosed that attackers had infiltrated a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project it develops and maintains.
The cybercriminals targeted KICS GitHub Action, which organizations use to run KICS scans within CI/CD pipelines, poisoning multiple versions of the software. Any organization with automated CI/CD pipelines configured to run KICS GitHub Action during a four-hour window on the morning of March 23 could be affected, Checkmarx warned.
On the same day, threat actors published malicious versions of two Checkmarx VS Code plug-ins to the OpenVSX registry, where they remained available for approximately three hours on March 23.
Related:Axios NPM Package Compromised in Precision Attack
The attacks emerged just days after Aqua Security reported that a threat actor used stolen privileged access credentials to poison 76 of 77 previously released versions of Trivy's GitHub Action with an infostealer. The same actor also exploited a compromised automated service account to publish two tainted Docker images.
At least one security vendor has attributed the malware used in the Trivy and Checkmarx attacks to TeamPCP, a threat actor gaining notoriety for automated attacks on cloud infrastructure, many involving credential theft. Additional supply chain targets have also surfaced.
GitGuardian reported Tuesday that the campaign had spread to the PyPI software registry, where TeamPCP infected Litellm package versions 1.82.7 and 1.82.8 with the same infostealer malware used in the Trivy campaign.
The infostealer in the poisoned Litellm versions, now removed by PyPI maintainers, enables comprehensive credential theft, including SSH keys, cloud credentials, API tokens, Docker configurations, crypto wallet information, and more, GitGuardian said.
Many organizations use Litellm to build AI-powered applications, so the potential impact could be substantial.
"Litellm is downloaded millions of times a day and it is highly likely that the blast radius is significant, despite PyPI's quick response in removing the malicious package," Guillaume Valadon, cybersecurity researcher at GitGuardian, tells Dark Reading.
Related:AI-Driven Code Surge Is Forcing a Rethink of AppSec
For organizations, the message is clear, Valadon says: "Attackers are after your secrets. When it comes to incident response, the key now is to have a real-time inventory of compromised secrets so you can revoke them in an instant, thereby neutralizing the threat posed by these supply chain attacks using infostealers."
Checkmarx has not yet disclosed full details of the compromise involving the two malicious VS Code plug-ins or the KICS GitHub Action, beyond confirming they're linked. The company has not provided specifics on the malicious payload, though its recommendation that automated build pipelines potentially exposed to the infected plug-ins immediately rotate all credentials, access keys, and login credentials suggests the payload is an infostealer.
In response to a Dark Reading inquiry, a Checkmarx spokesman said via email that the company has communicated incident details to customers in addition to its public disclosure. "Checkmarx is in the process of adding an update that the malicious artifacts have been removed from Open VSX. We continue our active investigation and will share more as we have it," the statement read.
Related:F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation
According to GitGuardian's Valadon, the attacks involving Aqua's Trivy, Checkpoint's VS Code plug-ins, KICS GitHub Action, and Litellm are clearly related. "They share similar indicators of compromise (IoCs), such as the public key used for exfiltration, the targeted services and files, as well as the persistence technique," he says.
Meanwhile, a message left by the attackers — a link to the Queen video "The Show Must Go On" — "suggests that this is only the beginning."
Wiz Research, which is independently tracking the campaign, has also attributed the activity to TeamPCP, saying its telemetry points to a common threat actor behind the Trivy, Checkmarx, and LiteLLM compromises. The company believes TeamPCP has begun collaborating with the notorious LAPSUS$ extortion group to "perpetuate the chaos."
"This isn't just credential stealing; it's an ecosystem-wide 'cascade' targeting the modern cloud-native and AI stack," Ben Read, a lead researcher at Wiz, said in a statement. Wiz's research has shown liteLLM is present in 36% of all cloud environments, he said.
"By targeting security scanners and AI tools, this campaign gains a foothold in the most sensitive parts of the development life cycle," he explained. "Public Telegram messages from the actors warn of a 'snowball effect' and future targets across favorite open-source projects."
In separate comments to Dark Reading, Read says the attack involving OpenVSX plug-ins was also part of the same campaign because it involves the same code and public key: "The actors have said they are partnering with different organizations, likely to carry out extortions, but we have not confirmed that this has happened yet."
