If your team used Trivy, KICS, LiteLLM, or Telnyx between late February and late March 2026, the credentials in your CI/CD pipeline may already be in someone else’s hands. Not a hypothetical. By April 2026, Halcyon estimated over 1,000 SaaS environments compromised in a single coordinated campaign. The first named victim appeared on the VECT leak site on April 15.
The threat actor is TeamPCP. Rather than going after your organisation directly, they went after the security and developer tools your pipeline already trusts. One stolen token. Four major tools poisoned. Thousands of organisations’ credentials swept without the attacker ever needing to touch your systems.
This is part of the broader ransomware mutation underway in 2026. By the end of this article you will know whether you were exposed, what VECT did with the credentials TeamPCP collected, and which engineering practices close the supply chain gap — not just for Trivy, but for the entire attack category.
How Did TeamPCP Compromise Four Developer Tools in a Single Month?
On February 27, 2026, TeamPCP exploited a misconfigured pull_request_target GitHub Actions workflow at Aqua Security to steal a Personal Access Token (PAT) belonging to the aqua-bot service account. That one token gave them write access to Trivy’s entire distribution infrastructure: GitHub releases, Docker Hub, GHCR, ECR Public, and the GitHub Actions workflows for trivy-action and setup-trivy.
Aqua detected the intrusion and tried to rotate the credentials. The rotation left residual access. TeamPCP came back on March 19.
What followed was a four-week multi-ecosystem attack:
- March 19 — Trivy (CVE-2026-33634): v0.69.4 weaponised; 76 of 77 trivy-action tags and all 7 setup-trivy tags force-pushed with malicious code
- March 21 — KICS (Checkmarx): All 35 version tags force-pushed; data exfiltrated to checkmarx[.]zone
- March 24 — LiteLLM (BerriAI): PyPI versions 1.82.7 and 1.82.8 poisoned; v1.82.8 added a .pth file executing malware on every Python process startup
- March 27 — Telnyx SDK: Official PyPI package replaced with a three-stage RAT; credentials exfiltrated to 83[.]142[.]209[.]203
The technique is called tag poisoning. Force-pushing malicious commits to an existing, trusted version tag overwrites the content without changing the tag name. Downstream consumers who do not pin to a commit SHA silently receive the malicious version. The tag looks unchanged. Only a SHA comparison reveals the substitution.
Why Did a Security Tool Running in CI/CD Give TeamPCP Such Broad Access?
Think of a CI/CD security scanner like a cleaner with a master key. Trusted, present everywhere, running with elevated permissions on every build, and rarely audited. That is exactly why security tools are the highest-value supply chain targets.
The TeamPCP Cloud Stealer was purpose-built for this. Once a poisoned Trivy version ran in a GitHub Actions workflow, it dumped process memory from the runner, sweeping SSH keys, cloud provider credentials, Kubernetes secrets, and API tokens. One poisoned version running across 1,000 pipelines equals 1,000 credential sweeps.
The fallback channels were designed for resilience. If the primary C2 at scan.aquasecurtiy[.]org was blocked, the Cloud Stealer created a tpcp-docs repository inside the victim’s GitHub organisation and staged stolen secrets there as a release asset — traffic that looks like normal GitHub API activity. A second fallback used a blockchain-hosted C2 that resists standard domain seizure.
On developer machines (not GitHub Actions runners), the binary also wrote a persistence dropper at ~/.config/systemd/user/sysmon.py — a systemd service polling the C2 for further instructions.
This is how supply chain compromise precedes credential harvesting — the credentials swept here were the raw material for what followed.
Were You Exposed? How to Check Your TeamPCP Blast Radius
The exposure window is February 27 – March 27, 2026. Run a three-layer check.
Layer 1 — Affected Tools and Versions
Did your pipelines or developer environments run any of these during the window?
- Trivy Docker image: versions 0.69.4, 0.69.5, 0.69.6
- aquasecurity/trivy-action: 76 of 77 tags poisoned
- aquasecurity/setup-trivy: all 7 tags (versions 0.2.0 through 0.2.6)
- Checkmarx/kics-github-action: all 35 version tags force-pushed March 21
- LiteLLM (PyPI): versions 1.82.7 and 1.82.8
- Telnyx SDK (PyPI): versions 4.87.1 and 4.87.2
Layer 2 — Pipeline Execution Check
- Review GitHub Actions run logs for the window
- Search for outbound connections to scan[.]aquasecurtiy[.]org (note the typo — not the real Aqua Security domain)
- Check for a tpcp-docs repository in your GitHub organisation — this is a definitive IOC; preserve it before doing anything else
- Check for outbound traffic to models.litellm[.]cloud, 83.142.209[.]203, and checkmarx[.]zone
Not finding a tpcp-docs repo is necessary but not sufficient. Primary C2 exfiltration leaves no trace.
Layer 3 — Developer Machine Check
- Trivy or KICS ran locally: check for ~/.config/systemd/user/sysmon.py and sysmon.service
- LiteLLM: check site-packages for litellm_init.pth
- Kubernetes: review audit logs for pod names matching node-setup-*
If you were running any of these tools during the window, treat all secrets your CI/CD pipeline loaded as compromised. Rotate cloud provider credentials, SSH keys, GitHub tokens, and Kubernetes secrets. As Datadog Security Labs put it: “Do not treat reverting the compromised packages as a complete remediation.”
If you use a managed scanning platform that runs Trivy internally, contact the vendor. You may have been exposed without knowing it.
What Did VECT Do with the Access TeamPCP Provided?
TeamPCP’s role was credential acquisition at scale. VECT’s role was monetisation: double-extortion — data exfiltration plus encryption, with ransom demanded under threat of publication. Working backups do not protect you from the exfiltration half.
Before anyone considers paying: VECT’s encryption has a nonce-handling bug that permanently discards decryption data for files larger than 128 KB. HivePro, JUMPSEC, and Check Point Research all confirm this independently. If you pay, you still cannot recover your data.
Then VECT posted open affiliate keys on BreachForums tied to the Trivy victim pool — any forum member could activate a VECT Affiliation Key immediately, no vetting required. If your credentials were swept, you are not negotiating with one group. You are a target accessible to every affiliate who picked up that key.
On April 15, 2026, VECT listed its first named victim — a property-management technology company — claiming four million emails and 700 GB of data.
For the full VECT profile, see VECT: the ransomware TeamPCP delivered.
Why Is a Supply Chain Attack Harder to Detect Than a Direct Intrusion?
In a direct intrusion, the attacker touches your systems — unusual logins, unfamiliar processes, lateral movement. Traditional monitoring is built around those signals. In a supply chain attack, the malicious code arrives as a trusted tool update. The attacker is inside the perimeter by definition, wearing the credentials of a tool you chose to trust.
Tag poisoning is particularly hard to catch. If you are not pinning to a commit SHA, you have no way of knowing that a version tag you have used for months now points to different code. The tag name is unchanged. Only a SHA comparison reveals the substitution.
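The SHA comparison described above can be automated by recording each tag's commit when you review it and diffing that record against what the remote serves later. The sketch below is an added example, not code from the article or from any of the affected projects; the tag names and SHAs are constructed, and the input is assumed to be the text printed by `git ls-remote --tags`.

```python
import re

# Constructed sample: a baseline recorded when the tags were reviewed, and a
# later `git ls-remote --tags` listing. Tag names and SHAs are made up.
# For annotated tags the baseline stores the peeled commit SHA.
BASELINE = {
    "v1.0.0": "1111111111111111111111111111111111111111",
    "v1.1.0": "2222222222222222222222222222222222222222",
    "v1.2.0": "3333333333333333333333333333333333333333",
}
LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v1.0.0
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v1.1.0
9999999999999999999999999999999999999999\trefs/tags/v1.1.0^{}
4444444444444444444444444444444444444444\trefs/tags/v1.3.0
"""

LINE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/(.+?)(\^\{\})?$")

def parse_ls_remote(text):
    """Map tag name -> commit SHA. For annotated tags git prints the tag
    object first and the peeled commit as '<tag>^{}'; the peeled line wins."""
    tags, peeled = {}, set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sha, name, is_peeled = m.group(1), m.group(2), bool(m.group(3))
        if is_peeled or name not in peeled:
            tags[name] = sha
        if is_peeled:
            peeled.add(name)
    return tags

def tag_drift(baseline, current):
    """Compare recorded tag->SHA pairs with what the remote serves now."""
    report = {"moved": [], "deleted": [], "new": []}
    for name, sha in sorted(baseline.items()):
        if name not in current:
            report["deleted"].append(name)
        elif current[name] != sha:
            report["moved"].append((name, sha, current[name]))
    report["new"] = sorted(set(current) - set(baseline))
    return report

if __name__ == "__main__":
    for kind, items in tag_drift(BASELINE, parse_ls_remote(LS_REMOTE)).items():
        print(kind, items)
```

Any entry under `moved` means a tag name you already trusted now resolves to different content, which is the condition tag poisoning creates.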
By the time Halcyon’s alert published on April 17, most organisations had already had their credentials swept. Detection came after exfiltration, not before. Connecting the LiteLLM compromise to the Trivy compromise required cross-ecosystem threat intelligence that most SMBs simply do not have.
Coveware’s Q1 2026 analysis adds a structural point: AI-assisted development accumulates unaudited dependencies faster than security review can keep pace. That gap is exactly where TeamPCP operates. Prevention — not detection — is the right design target.
How Do You Redesign CI/CD Pipeline Trust to Prevent This Attack Category?
The goal here is not Trivy-specific remediation. It is preventing the supply chain attack category. Three practices would have materially limited TeamPCP’s damage.
SHA Commit Pinning
Mutable version tags — @v2, @latest — are the vulnerability. A force-push silently replaces what you trusted. As StepSecurity documented after KICS: any workflow referencing checkmarx/kics-github-action by tag was executing attacker-controlled code. The same workflow pinned to a verified commit SHA was not. Pin GitHub Actions to their full immutable commit SHA. Use confirmed safe SHAs from Aqua Security’s post-incident account. Do not assume latest is clean.
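To find where a pipeline still depends on mutable references, the following added example (not from the article or the affected projects) scans workflow text for `uses:` entries that are not pinned to a full 40-character commit SHA. The workflow content, tag names and the SHA shown are constructed placeholders; flagging `docker://` images without a digest goes slightly beyond the case the article describes.

```python
import re

# Constructed workflow; the 40-hex value is a placeholder, not a vetted SHA.
WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-python@v5
      - uses: aquasecurity/trivy-action@v1
      - uses: Checkmarx/kics-github-action@v2
      - name: setup
        uses: aquasecurity/setup-trivy@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Actions the article lists as force-pushed (compared case-insensitively).
NAMED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy",
         "checkmarx/kics-github-action"}

def unpinned_actions(workflow_text):
    """Return (line_no, reference, severity) for every `uses:` that a
    force-push could re-point: anything not pinned to a 40-hex commit SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):          # action from the same checkout
            continue
        if ref.startswith("docker://"):   # images pin by digest, not commit SHA
            if "@sha256:" not in ref:
                findings.append((no, ref, "unpinned-image"))
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA.match(version):
            continue
        repo = "/".join(action.lower().split("/")[:2])  # drop any sub-path
        sev = "named-in-campaign" if repo in NAMED else "mutable-ref"
        findings.append((no, ref, sev))
    return findings

if __name__ == "__main__":
    for finding in unpinned_actions(WORKFLOW):
        print(finding)
```

A clean result only shows that references are immutable; whether each pinned SHA is a trustworthy one still has to be checked against the vendor's published safe SHAs.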
PAT Scope Reduction
The aqua-bot PAT had write access it did not need. That over-permission let TeamPCP poison Trivy’s entire distribution infrastructure from one stolen credential. Give every service account PAT the minimum necessary permission: scoped to the specific repository, scoped to the specific operations, no long-lived tokens. A leaked PAT with narrow scope cannot poison unrelated repositories regardless of how long it stays valid.
Dependency Locking with Hash Verification
For PyPI packages: pip install --require-hashes prevents silent substitution even if the version number matches. A poisoned package with a different hash fails immediately. Also audit site-packages for unexpected .pth files periodically — any Python package in a build environment carries this vector, not just LiteLLM.
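The .pth audit can be scripted, because Python's `site` module only executes .pth lines that begin with `import` followed by a space or tab; every other line is treated as a path entry. This is an added example, not code from the article or from LiteLLM; the sample files are constructed, and the only detail taken from the article is the file name `litellm_init.pth`.

```python
import os
import tempfile

def audit_pth(directory):
    """Return {filename: [(line_no, line)]} for .pth lines that `site` would
    exec at interpreter startup (lines beginning 'import ' or 'import\\t').
    Other non-comment lines are only appended to sys.path."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, raw in enumerate(fh, 1):
                line = raw.rstrip("\r\n")
                if line.startswith(("import ", "import\t")):
                    findings.setdefault(name, []).append((no, line))
    return findings

def build_sample(directory):
    """Constructed files: a path-only .pth, a .pth with a harmless executable
    line under the file name the article gives, and a non-.pth decoy."""
    samples = {
        "paths_only.pth": "# comment\n../shared-libs\n",
        "litellm_init.pth": "import sys  # constructed stand-in, harmless\n",
        "notes.txt": "import os\n",
    }
    for name, body in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Run the audit over the constructed sample directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit_pth(tmp)

if __name__ == "__main__":
    import site
    print("sample:", demo())
    # Real environments: every site-packages directory of this interpreter.
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(d):
            print(d, audit_pth(d))
```

Legitimate packages also ship executable .pth lines, so treat the output as a review list to compare against a known-good baseline rather than as a verdict.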
Set up alerts for unexpected repository creation in your GitHub organisation — the tpcp-docs pattern is detectable in advance. Subscribe to GitHub Security Advisories for every tool in your CI/CD pipeline.
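One way to build the repository-creation alert is to filter the organisation audit log for `repo.create` events. This is an added example, not code from the article; it assumes events shaped like GitHub's audit-log JSON export (`action`, `actor`, `repo`, `@timestamp`), and the organisation, actors, log lines and the `AUTOMATION_ACTORS` list are constructed.

```python
import json

# Constructed events, one JSON object per line; names are made up.
AUDIT_LOG = """\
{"@timestamp": 1773900000000, "action": "repo.create", "actor": "alice", "repo": "example-org/billing-api"}
{"@timestamp": 1773900100000, "action": "repo.destroy", "actor": "alice", "repo": "example-org/old-tool"}
{"@timestamp": 1773900200000, "action": "repo.create", "actor": "ci-bot", "repo": "example-org/tpcp-docs"}
{"@timestamp": 1773900300000, "action": "repo.create", "actor": "ci-bot", "repo": "example-org/scratch"}
not-json
"""

IOC_REPO_NAMES = {"tpcp-docs"}    # fallback staging repo named in the article
AUTOMATION_ACTORS = {"ci-bot"}    # assumption: identities that never create repos

def repo_creation_alerts(jsonl):
    """Return (rule, actor, repo) for repository creations worth paging on:
    a known IOC name, or any repo created by an automation identity."""
    alerts = []
    for line in jsonl.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                       # skip truncated or malformed lines
        if not isinstance(ev, dict) or ev.get("action") != "repo.create":
            continue
        name = str(ev.get("repo", "")).rsplit("/", 1)[-1].lower()
        if name in IOC_REPO_NAMES:
            alerts.append(("ioc", ev.get("actor"), ev.get("repo")))
        elif ev.get("actor") in AUTOMATION_ACTORS:
            alerts.append(("unexpected-creator", ev.get("actor"), ev.get("repo")))
    return alerts

if __name__ == "__main__":
    for alert in repo_creation_alerts(AUDIT_LOG):
        print(alert)
```

The second rule matters more than the first: a CI identity creating any repository is abnormal regardless of the name chosen.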
These three practices close the tag poisoning, credential scope, and PyPI substitution vectors. They make your pipeline a harder target than the next one — and that is part of ransomware’s quantum-AI mutation and the structural shift in how ransomware operations acquire access.
Frequently Asked Questions
What is CVE-2026-33634?
CVE-2026-33634 is the identifier for the Trivy supply chain compromise executed by TeamPCP from February 27, 2026. KICS, LiteLLM, and Telnyx do not share a single CVE — each compromise involved a separate ecosystem. Use CVE-2026-33634 to check vendor advisories and vulnerability databases for official remediation guidance.
Which Trivy versions were affected?
Weaponised Docker image releases: v0.69.4, v0.69.5, v0.69.6. The trivy-action Action had 76 of 77 tags force-pushed; setup-trivy had all 7 tags compromised. If your pipeline referenced trivy-action or setup-trivy by tag during the window (February 27 – late March 2026), treat it as exposed. Check Aqua Security’s post-incident account for confirmed safe SHAs.
What is the tpcp-docs repository and what does finding it mean?
tpcp-docs is a repository TeamPCP’s Cloud Stealer creates inside the victim’s GitHub organisation when its primary C2 is unreachable — a fallback staging area for exfiltrated secrets. Finding it is a definitive indicator of compromise. Do not delete it. Preserve it for forensic review, rotate all secrets accessible during the exposure window, and notify your incident response team.
Is it safe to use Trivy again?
Yes, provided you upgrade to a verified clean version and pin to a commit SHA rather than a mutable tag. Aqua Security published confirmed safe versions and replacement SHAs in their post-incident account. The attack exploited the distribution mechanism, not a vulnerability in Trivy’s scanning logic.
What does “tag poisoning” mean and why doesn’t version pinning stop it?
Tag poisoning is force-pushing malicious commits to an existing, trusted Git version tag without changing the tag name. Pinning to a version tag (e.g., @v2.0.1) does not protect against this because version tags are mutable. Only pinning to an immutable commit SHA prevents substitution — the SHA is cryptographically tied to specific content and cannot be reassigned.
What is the difference between the LiteLLM and Trivy compromises?
Trivy used tag poisoning on GitHub Actions targeting ephemeral CI runners. LiteLLM was a PyPI attack: versions 1.82.7 and 1.82.8 poisoned on March 24, 2026. Version 1.82.8 added a .pth file that executes malware on every Python process startup — ongoing risk on any developer machine where the file has not been removed.
What should I do if my organisation appears on the VECT leak site?
Confirm at teampcp.cyberdigest.international — Tor Browser is not required. Engage legal counsel and an incident response firm before any payment decision. VECT’s encryption has a flaw making files over 128 KB unrecoverable even with the key. VECT posted open affiliate keys on BreachForums — payment to one operator does not guarantee non-publication by others. Rotate all credentials and notify affected parties per your jurisdiction’s breach notification obligations.
What is “vibe coding” and why does Coveware connect it to supply chain attacks?
Vibe coding is AI-assisted development where developers integrate third-party libraries with minimal security review, prioritising speed over verification. Coveware’s Q1 2026 analysis notes AI-assisted builds “can introduce obscure open-source components and transitive (‘shadow’) dependencies that security teams don’t realise are in production.” The same productivity gains that make it attractive accelerate the accumulation of unaudited supply chain exposure.
Did the TeamPCP attack affect organisations that don’t run Trivy directly?
Yes. Any organisation using a managed scanning platform that internally runs Trivy may have been exposed without knowing it — contact your vendor. KICS, LiteLLM, and Telnyx operated independently of Trivy; exposure via those tools exists regardless of whether you ran Trivy. The relevant question: “What tools do we trust in our pipeline, and do we know what those tools themselves depend on?”
What is Ransomware-as-a-Service (RaaS) and why does it matter for the VECT threat?
RaaS is a model where ransomware developers licence their malware to affiliates who execute attacks independently for a share of proceeds. VECT matters here because they posted open affiliate keys on BreachForums tied to the Trivy victim pool. Any affiliate who acquired those keys may independently pursue extortion against organisations in the victim set — the number of potential extortion actors is not bounded.