Severity: HIGH
CVSS: 7.5
Priority: 0.508
Executive Summary
A threat actor tracked as TeamPCP has conducted a coordinated supply chain attack against multiple developer and security tools used widely in enterprise DevSecOps pipelines, including Checkmarx KICS, Trivy, VS Code extensions, and the LiteLLM AI library. The attack targets upstream components such as GitHub Actions and open-source package repositories, injecting malicious code into tooling that runs with elevated trust during builds, scans, and code development. Organizations using any of these tools in automated pipelines face risk of backdoor installation, credential theft, and downstream compromise of production environments, with activity assessed as ongoing by multiple vendors.
Technical Analysis
TeamPCP is executing a multi-vector software supply chain campaign mapped to MITRE ATT&CK techniques T1195.001 (Compromise Software Dependencies and Development Tools), T1195.002 (Compromise Software Supply Chain), T1554 (Compromise Host Software Binary), T1072 (Software Deployment Tools), T1078.004 (Cloud Accounts), T1566.003 (Spearphishing via Service), and T1059 (Command and Scripting Interpreter).
The attack chain involves compromising upstream GitHub Actions and open-source packages to inject malicious code into: Checkmarx KICS GitHub Action (static analysis), Trivy (container and filesystem vulnerability scanner), unspecified VS Code IDE extensions, and the LiteLLM AI inference library.
Malicious code injected into these tools executes within CI/CD pipelines and developer workstations at a high-trust level, enabling persistence, lateral movement, and data exfiltration.
CWE mapping: CWE-494 (Download of Code Without Integrity Check), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-506 (Embedded Malicious Code). No CVE has been assigned. Specific compromised versions have not been consolidated into a single advisory; vendors Wiz, Endor Labs, Snyk, and ReversingLabs have each published technical findings. Activity is assessed as ongoing beyond the initial KICS disclosure per Endor Labs and ReversingLabs technical findings.
Action Checklist
Step 1, Immediate: Pin or freeze all GitHub Actions references to a known-good commit SHA rather than a mutable tag; a SHA pin only protects you if the pinned commit itself predates the compromise, so check the chosen commit against the vendor reports before freezing it. Audit any pipeline using the KICS GitHub Action, Trivy, or LiteLLM for recent unexpected changes to workflow files or dependency manifests.
Step 2, Immediate: Review VS Code extension inventory across developer endpoints; remove or disable extensions installed from unverified publishers or recently updated without a corresponding changelog entry.
Step 3, Detection: Search CI/CD pipeline logs for unexpected outbound network connections, process spawns, or file writes originating from KICS, Trivy, or LiteLLM execution steps; look for base64-encoded commands or curl/wget invocations within scanner output.
Step 4, Assessment: Inventory all pipelines and developer workstations that executed a potentially affected version of KICS GitHub Action, Trivy, or LiteLLM within the past 90 days; treat any secrets or credentials accessible during those runs as potentially compromised.
Step 5, Communication: Notify application security, DevOps, and platform engineering teams of the campaign scope; escalate to incident response if pipeline compromise is confirmed or if credential exposure cannot be ruled out.
Step 6, Long-term: Implement or enforce a software supply chain integrity policy requiring cryptographic verification (e.g., Sigstore/cosign for container images, artifact signing for GitHub Actions) and establish a recurring audit cycle for third-party CI/CD dependencies and IDE extensions.
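One way to carry out the Step 1 audit mechanically, as an added example that is not part of the original page or of any vendor tooling: the script below scans GitHub Actions workflow text for `uses:` references that point at a tag or branch instead of a full commit SHA. The sample workflow, its action names and the placeholder SHA are constructed for illustration.

```python
"""Flag GitHub Actions references that are not pinned to a commit SHA.

Added example for this page, not vendor code. A mutable tag such as @v2 or
@master resolves to whatever the upstream repository currently points at, so
a compromised upstream can change what a pipeline runs without any edit to
the workflow file. A 40-hex commit SHA cannot be re-pointed.
"""
import re
from typing import List, Tuple

# `uses:` may appear as a list item ("- uses:") or a bare key, quoted or not.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a full commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a remote repository's tag namespace. A reference with
    no @ref at all is reported with an empty ref. Reusable-workflow
    references (owner/repo/.github/workflows/x.yml@ref) are checked too.
    """
    findings = []
    for spec in USES_RE.findall(workflow_text):
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append((spec, ""))
            continue
        action, ref = spec.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


# Constructed sample workflow. The SHA is a placeholder, not a real commit,
# and the action names are illustrative.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run KICS
        uses: checkmarx/kics-github-action@v2
      - name: Run Trivy
        uses: "aquasecurity/trivy-action@master"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"UNPINNED {action}@{ref or '<no ref>'}")
```

Run it over every file under .github/workflows and fail the audit on any finding; the two mutable references in the sample are the kind of entry that lets a poisoned upstream tag into the build.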
Detection Guidance
Detection should focus on three layers.
Pipeline layer: inspect CI/CD logs for scanner steps (KICS, Trivy) spawning child processes outside their expected execution tree, making outbound connections to non-vendor infrastructure, or writing files outside designated output directories.
Query example (GitHub Actions log pattern): search runner logs for process names kics, trivy, or litellm followed by curl, wget, python -c, or base64 within the same job run.
Endpoint layer: on developer workstations, monitor VS Code extension host processes (extensionHost) for unexpected network connections or file system writes to credential stores (e.g., ~/.ssh, ~/.aws, OS keychain paths).
Dependency layer: compare hashes of current lockfiles and manifests (package-lock.json, requirements.txt, go.sum) against a baseline taken before the suspected compromise window; flag any LiteLLM or Trivy dependency that changed without a corresponding pull request.
Behavioral IOC: outbound DNS or HTTP requests from scanner or AI library process contexts to infrastructure not associated with the official Checkmarx, Aqua Security, or LiteLLM domains should be treated as high-confidence indicators of compromise pending investigation.
Specific IOC values (IPs, domains, hashes) have not been independently verified for this response and are not included; consult the Wiz, ReversingLabs, Endor Labs, and Snyk technical reports directly for confirmed IOC lists.
Indicators of Compromise (4)
| Type | Value | Context | Confidence |
| URL | https://www.wiz.io/blog/teampcp-attack-kics-github-action | Wiz technical report, primary source for KICS GitHub Action compromise details and potential IOC list | high |
| URL | https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads | ReversingLabs report covering LiteLLM compromise and ongoing TeamPCP activity | high |
| URL | https://www.endorlabs.com/learn/teampcp-isnt-done | Endor Labs report confirming actor operations continue beyond KICS initial disclosure and covering Trivy | high |
| URL | https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/ | Snyk technical analysis of LiteLLM backdoor via poisoned security scanner | high |
Compliance Framework Mappings
MITRE ATT&CK: T1072, T1195.001, T1078.004, T1566.003, T1195.002, T1554 (+1)
NIST SP 800-53: CM-7, SA-9, SR-3, SI-7, SI-3, SI-4 (+2)
MITRE ATT&CK Mapping
| Technique | Name | Tactic |
| T1072 | Software Deployment Tools | execution |
| T1195.001 | Compromise Software Dependencies and Development Tools | initial-access |
| T1566.003 | Spearphishing via Service | initial-access |
| T1195.002 | Compromise Software Supply Chain | initial-access |
| T1554 | Compromise Host Software Binary | persistence |
| T1059 | Command and Scripting Interpreter | execution |
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.