Severity: HIGH
CVSS: 7.5
Priority: 0.508
Executive Summary
A threat actor tracked as TeamPCP has conducted a coordinated supply chain attack against multiple developer and security tools used widely in enterprise DevSecOps pipelines, including Checkmarx KICS, Trivy, VS Code extensions, and the LiteLLM AI library. The attack targets upstream components such as GitHub Actions and open-source package repositories, injecting malicious code into tooling that runs with elevated trust during builds, scans, and code development. Organizations using any of these tools in automated pipelines face risk of backdoor installation, credential theft, and downstream compromise of production environments, with activity assessed as ongoing by multiple vendors.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH - High severity, prioritize for investigation
TTP Sophistication: HIGH - 7 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH - Multiple evasion techniques observed
Target Scope: INFO - Checkmarx KICS (GitHub Action), Trivy, VS Code plugins (unspecified), LiteLLM AI library
Are You Exposed?
⚠ You use products/services from Checkmarx KICS (GitHub Action) → Assess exposure
⚠ 7 attack techniques identified: review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Technical Analysis
TeamPCP is executing a multi-vector software supply chain campaign mapped to MITRE ATT&CK techniques T1195.001 (Compromise Software Dependencies and Development Tools), T1195.002 (Compromise Software Supply Chain), T1554 (Compromise Client Software Binary), T1072 (Software Deployment Tools), T1078.004 (Cloud Accounts), T1566.003 (Spearphishing via Service), and T1059 (Command and Scripting Interpreter).
The attack chain involves compromising upstream GitHub Actions and open-source packages to inject malicious code into: Checkmarx KICS GitHub Action (static analysis), Trivy (container and filesystem vulnerability scanner), unspecified VS Code IDE extensions, and the LiteLLM AI inference library.
Malicious code injected into these tools executes within CI/CD pipelines and developer workstations at a high-trust level, enabling persistence, lateral movement, and data exfiltration.
CWE mapping: CWE-494 (Download of Code Without Integrity Check), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-506 (Embedded Malicious Code). No CVE has been assigned. Specific compromised versions have not been consolidated into a single advisory; vendors Wiz, Endor Labs, Snyk, and ReversingLabs have each published technical findings. Activity is assessed as ongoing beyond the initial KICS disclosure per Endor Labs and ReversingLabs technical findings.
Action Checklist
Step 1, Immediate: Pin or freeze all GitHub Actions references to a known-good commit SHA rather than a mutable tag; audit any pipeline using the KICS GitHub Action, Trivy, or LiteLLM for recent unexpected changes to workflow files or dependency manifests.
Step 2, Immediate: Review VS Code extension inventory across developer endpoints; remove or disable extensions installed from unverified publishers or recently updated without a corresponding changelog entry.
Step 3, Detection: Search CI/CD pipeline logs for unexpected outbound network connections, process spawns, or file writes originating from KICS, Trivy, or LiteLLM execution steps; look for base64-encoded commands or curl/wget invocations within scanner output.
Step 4, Assessment: Inventory all pipelines and developer workstations that executed a potentially affected version of KICS GitHub Action, Trivy, or LiteLLM within the past 90 days; treat any secrets or credentials accessible during those runs as potentially compromised.
Step 5, Communication: Notify application security, DevOps, and platform engineering teams of the campaign scope; escalate to incident response if pipeline compromise is confirmed or if credential exposure cannot be ruled out.
Step 6, Long-term: Implement or enforce a software supply chain integrity policy requiring cryptographic verification (e.g., Sigstore/cosign for container images, artifact signing for GitHub Actions) and establish a recurring audit cycle for third-party CI/CD dependencies and IDE extensions.
Detection Guidance
Detection should focus on three layers.
Pipeline layer: inspect CI/CD logs for scanner steps (KICS, Trivy) spawning child processes outside their expected execution tree, making outbound connections to non-vendor infrastructure, or writing files outside designated output directories.
Query example (GitHub Actions log pattern): search runner logs for process names kics, trivy, or litellm followed by curl, wget, python -c, or base64 within the same job run.
Endpoint layer: on developer workstations, monitor VS Code extension host processes (extensionHost) for unexpected network connections or file system writes to credential stores (e.g., ~/.ssh, ~/.aws, OS keychain paths).
Dependency layer: compare current lockfile hashes (package-lock.json, requirements.txt, go.sum) against a baseline from before the suspected compromise window; flag any LiteLLM or Trivy dependency that changed without a corresponding pull request.
Behavioral IOC: outbound DNS or HTTP requests to infrastructure not associated with Checkmarx, Aqua Security, or LiteLLM official domains originating from scanner or AI library process contexts should be treated as high-confidence indicators of compromise pending investigation.
Specific IOC values (IPs, domains, hashes) have not been independently verified for this response and are not included; consult the Wiz, ReversingLabs, Endor Labs, and Snyk technical reports directly for confirmed IOC lists.
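The pipeline-layer log pattern described above, as an added example that is not part of the original advisory: a Python hunt that reports curl, wget, python -c or base64 appearing after a scanner name within the same job. The `<timestamp> job=<id> <message>` line layout, the job names and the sample lines are assumptions constructed for illustration; adapt the line regex to the runner's actual log format.

```python
import re
from collections import defaultdict

SCANNER_RE = re.compile(r"\b(kics|trivy|litellm)\b", re.IGNORECASE)
SUSPICIOUS_RE = re.compile(r"\b(?:curl|wget|base64)\b|\bpython[\d.]*\s+-c\b", re.IGNORECASE)
# Assumed line layout for this example: "<timestamp> job=<id> <message>"
LINE_RE = re.compile(r"^(\S+)\s+job=(\S+)\s+(.*)$")

def hunt(lines):
    """Return {job: [(timestamp, scanner, token, message)]} for suspicious commands
    logged after a scanner name first appeared in the same job."""
    scanner_seen = {}
    hits = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, job, msg = m.groups()
        sus = SUSPICIOUS_RE.search(msg)
        # Test before registering the scanner, so the line that first names it
        # (for example its own download step) is not reported.
        if sus and job in scanner_seen:
            hits[job].append((ts, scanner_seen[job], sus.group(0).lower(), msg))
        scan = SCANNER_RE.search(msg)
        if scan and job not in scanner_seen:
            scanner_seen[job] = scan.group(1).lower()
    return dict(hits)

# Constructed log lines, not taken from any real pipeline or vendor report.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z job=build-1 ##[group]Run actions/checkout
2025-01-01T10:00:05Z job=build-1 curl -sfL https://downloads.example.invalid/trivy.tar.gz -o trivy.tar.gz
2025-01-01T10:00:09Z job=build-1 trivy fs .
2025-01-01T10:00:20Z job=build-1 Total: 0 (HIGH: 0, CRITICAL: 0)
2025-01-01T10:01:00Z job=iac-7 ##[group]Run kics scan
2025-01-01T10:01:04Z job=iac-7 Files scanned: 12
2025-01-01T10:01:06Z job=iac-7 echo <constructed-blob> | base64 -d
2025-01-01T10:01:07Z job=iac-7 wget -q https://host.example.invalid/x -O /tmp/x
2025-01-01T10:02:00Z job=docs-3 wget -q https://docs.example.invalid/theme.zip
""".splitlines()

if __name__ == "__main__":
    for job, found in hunt(SAMPLE_LOG).items():
        for ts, scanner, token, msg in found:
            print(f"{job} {ts} after {scanner}: [{token}] {msg}")
```

Only job iac-7 is reported: build-1 downloads the scanner before running it, and docs-3 never runs a scanner at all.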
Indicators of Compromise (4)
Type | Value | Enrichment | Context | Conf.
URL | https://www.wiz.io/blog/teampcp-attack-kics-github-action | VT, US | Wiz technical report: primary source for KICS GitHub Action compromise details and potential IOC list | HIGH
URL | https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads | VT, US | ReversingLabs report covering LiteLLM compromise and ongoing TeamPCP activity | HIGH
URL | https://www.endorlabs.com/learn/teampcp-isnt-done | VT, US | Endor Labs report confirming actor operations continue beyond KICS initial disclosure and covering Trivy | HIGH
URL | https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/ | VT, US | Snyk technical analysis of LiteLLM backdoor via poisoned security scanner | HIGH
Platform Playbooks
Platforms: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
4 URL indicator(s).
// Threat: TeamPCP Supply Chain Campaign Compromises Developer Security Toolchain: KICS, Tr
// The four URLs below are the vendor reports listed under Indicators of Compromise,
// not attacker infrastructure. A match shows that a device requested a report page;
// it is not evidence of compromise.
let reference_urls = dynamic(["https://www.wiz.io/blog/teampcp-attack-kics-github-action", "https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads", "https://www.endorlabs.com/learn/teampcp-isnt-done", "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (reference_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
ATT&CK techniques: T1072, T1195.001, T1078.004, T1566.003, T1195.002, T1554, +1
Controls: CM-7, SA-9, SR-3, SI-7, SI-3, SI-4, +2
MITRE ATT&CK Mapping
T1072 | Software Deployment Tools | execution
T1195.001 | Compromise Software Dependencies and Development Tools | initial-access
T1566.003 | Spearphishing via Service | initial-access
T1195.002 | Compromise Software Supply Chain | initial-access
T1554 | Compromise Host Software Binary | persistence
T1059 | Command and Scripting Interpreter | execution
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.