A threat actor tracked as TeamPCP by SANS ISC and UNC6780 by Google GTIG has exploited the Trivy open-source security scanner to compromise CI/CD pipelines, resulting in confirmed Cisco source code theft. The campaign, which is actively tracked in SANS ISC reporting, inverts a core DevSecOps assumption: that security tooling itself is trustworthy. Defenders should immediately prioritize an audit of scanner credentials and pipeline permissions.