The TeamPCP campaign exploited the aquasecurity/trivy-action GitHub Action as its primary delivery vector, with LiteLLM (PyPI) and Checkmarx KICS confirmed as additional compromised components in the same campaign. These are cross-vendor infrastructure components affecting any organization that invoked them in GitHub Actions CI/CD pipelines, not a single vendor’s product. Any pipeline that referenced the compromised Trivy action, LiteLLM, or KICS during the exposure window should be treated as having exposed all pipeline secrets; organizations should enforce SHA pinning for all third-party GitHub Actions, audit pipeline secret access logs, and implement supply chain inventory controls aligned with NIST SP 800-218 (SSDF) and NIST SP 800-161r1.
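One way to check the SHA-pinning recommendation above across workflow files, as an added example that is not part of the original text. The sample workflow and its commit SHAs are constructed, the `example-org/*` actions are hypothetical, and every non-local `uses:` reference is assumed to count as third-party.

```python
import re

# "uses: owner/repo[/path]@ref", optionally prefixed by "- " and quoted.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # full commit SHA, not a tag or branch

# Constructed sample workflow; example-org/* actions and SHAs are hypothetical.
SAMPLE = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
      - uses: ./.github/actions/local-build
      - name: abbreviated SHA does not count as a pin
        uses: example-org/other-action@0123456
"""

def audit_workflow(text, watchlist=("aquasecurity/trivy-action",)):
    """List every external action reference with pinned / watchlisted flags."""
    watch = [w.lower() for w in watchlist]
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are out of scope for this check.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        name = action.lower()
        refs.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned": bool(FULL_SHA_RE.match(ref)),
            # Watchlisted references need review even when pinned.
            "watchlisted": any(name == w or name.startswith(w + "/") for w in watch),
        })
    return refs

if __name__ == "__main__":
    for r in audit_workflow(SAMPLE):
        status = "pinned" if r["pinned"] else "UNPINNED"
        print(f'line {r["line"]}: {r["action"]}@{r["ref"]} {status}'
              + (" [watchlist]" if r["watchlisted"] else ""))
```

Watchlisted references are reported regardless of pin state, because a pin only fixes which commit runs and does not establish whether that commit was used during the exposure window.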