Cisco Internal Development Environment Was Breached Through the Trivy Compromise

Cisco was breached after threat actors used stolen credentials from the Trivy supply chain compromise to access the company’s internal development environment. During the incident, source code tied to Cisco and its customers was stolen.

More than 300 GitHub repositories were cloned. The stolen material included source code for AI-related products such as AI Assistants and AI Defense, along with unreleased products. A portion of the cloned repositories reportedly belonged to corporate customers, including banks, business process outsourcing firms, and U.S. government agencies.

How the Trivy Supply Chain Attack Reached Cisco

Trivy was compromised through malicious GitHub Actions changes

The chain of events began with the March 19 compromise of Aqua Security’s Trivy vulnerability scanner, a widely used open-source security tool in cloud-native environments. A threat group known as TeamPCP used credentials that had not been fully revoked after an earlier breach in late February.

Those credentials were used to force-push malicious commits across 76 of 77 version tags in Trivy’s GitHub Actions repository.

The poisoned actions harvested secrets from CI/CD systems

The tampered GitHub Actions contained a credential stealer designed to pull secrets from CI/CD runner memory. The harvested data included:

  • SSH keys
  • Cloud provider tokens
  • Kubernetes credentials
  • GitHub personal access tokens

Cisco’s build and development environment was among the affected environments.

Cisco’s initial response contained the early breach activity

An anonymous source told BleepingComputer that Cisco’s Unified Intelligence Center, CSIRT, and EOC teams contained the initial breach. The intrusion involved a malicious GitHub Action plugin connected to the Trivy compromise.

The impact reportedly extended to dozens of devices, including developer workstations and lab workstations.

What Was Stolen During the Cisco Breach

More than 300 GitHub repositories were cloned

The scale of repository theft stands out. More than 300 GitHub repositories were reportedly cloned during the incident. That included source code related to AI-powered offerings and unreleased products.

Customer-linked repositories were also affected

Some of the stolen repositories reportedly belonged to Cisco customers. Those customers included banks, business process outsourcing firms, and U.S. government agencies.

That detail matters because the breach was not limited to Cisco’s own codebase. It appears to have extended into customer-related development assets stored within the affected environment.

AWS Keys Were Also Stolen and Misused

Multiple AWS keys were stolen during the breach and then used for unauthorized activity across a small number of Cisco AWS accounts.

Reports also indicate that more than one threat actor took part in the CI/CD and AWS account breaches, with different levels of activity across the incident.

Cisco’s Containment and Remediation Measures

Affected systems were isolated and reimaged

Cisco has isolated affected systems and started reimaging them. The company is also carrying out wide-scale credential rotation.

These actions line up with the kind of response needed when stolen secrets, compromised CI/CD workflows, and unauthorized cloud activity are all in play at once.

Cisco expects continued fallout from follow-on attacks

Even with containment underway, Cisco reportedly expects continued fallout tied to follow-on attacks linked to TeamPCP. That suggests the breach is part of a wider campaign rather than a one-off intrusion.

The TeamPCP Campaign Expanded Beyond Cisco and Trivy

The activity spread across multiple ecosystems

The broader campaign did not stop with Trivy. TeamPCP has since compromised the Checkmarx KICS GitHub Actions and the LiteLLM Python package on PyPI.

The campaign has now stretched across five ecosystems:

  • GitHub Actions
  • Docker Hub
  • npm
  • Open VSX
  • PyPI

LiteLLM was backdoored using a stolen publishing token

LiteLLM, a package that handles LLM API keys by design and records more than 95 million monthly PyPI downloads, was backdoored after TeamPCP used a stolen publishing token. That token had been harvested during the original Trivy compromise and then used to push malicious versions directly to the package registry.

Broader Supply Chain Impact

According to Arctic Wolf, the wider TeamPCP campaign may have affected at least 1,000 enterprise SaaS environments.

That estimate pushes the Cisco breach into a much larger picture. This was not just a single company getting hit. It was part of a cascading supply chain campaign that moved from one trusted component to other platforms, packages, and environments.