Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines
Summary
Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines, now expanding to encompass additional open-source ecosystems and attributed to multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) confirming collaboration and horizontal movement across cloud environments. Cisco’s internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories, including proprietary AI product code and data belonging to corporate customers such as banks, BPOs, and US government agencies. Attackers also abused stolen AWS keys across a subset of Cisco’s cloud accounts, with multiple threat actors observed participating in the breach. New developments include the compromise of the Axios NPM package, a top-10 JavaScript library with over 400 million monthly downloads, via malicious versions 0.27.5 and 0.28.0. The attack delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with operational sophistication including pre-staging, platform-specific payloads, and anti-forensic cleanup. Initial attribution suggested TeamPCP involvement, but Google attributed the incident to UNC1069, a suspected North Korean actor linked to Lazarus Group, indicating potential actor diversification or false-flag operations. The Axios compromise highlights escalating tradecraft in open-source supply chain attacks, distinct from opportunistic infections and suggesting a focus on access brokering or targeted espionage rather than indiscriminate data theft.
Timeline
31.03.2026 23:55 · 1 article
UNC1069 attributed to Axios NPM package supply chain compromise via precision attack
The Axios JavaScript NPM package, with over 400 million monthly downloads, was compromised via malicious versions 0.27.5 and 0.28.0 published by threat actors impersonating the crypto-js library. The compromised packages included a malicious dependency named 'plain-crypto-js' that executed a multi-platform remote access Trojan (RAT) capable of operating on Windows, Linux, and Mac. The RAT contacted live command-and-control servers to deliver platform-specific second-stage payloads before deleting itself and replacing package.json with a clean version to evade forensic detection. The attack originated from the compromise of the lead maintainer’s account 'jasonsaayman', bypassing Axios’ OIDC-based publishing pipeline. Initial attribution suggested links to TeamPCP, but Google’s Threat Intelligence Group attributed the incident to suspected North Korean threat actor UNC1069, indicating a potential shift in actor involvement. Security experts describe the attack as 'operational sophistication' with pre-staged dependencies, platform-specific payloads, and anti-forensic measures, marking a new standard in open-source supply chain attack tradecraft distinct from opportunistic infections. The malicious versions were active for approximately three hours before NPM removal, with the malicious dependency exposed for over 21 hours prior to a security hold.
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
31.03.2026 20:53 · 2 articles
Cisco dev environments breached using Trivy-linked malicious GitHub Actions
Cisco disclosed a breach of its internal development environment directly linked to the Trivy supply chain attack, where attackers leveraged a malicious GitHub Action to steal credentials and data from dozens of devices, including developer and lab workstations. Attackers stole multiple AWS keys, used them to conduct unauthorized activities in a subset of Cisco’s AWS accounts, and cloned over 300 GitHub repositories—including source code for AI-powered products and code belonging to corporate customers such as banks, BPOs, and US government agencies. Cisco isolated systems, reimaged devices, and initiated wide-scale credential rotation. Multiple threat actors were observed participating in the breach. This timeline is further supported by new reporting on the operational sophistication of the Trivy-linked attacks, including the use of malicious GitHub Actions and the breadth of exfiltrated data across cloud-native environments.
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
23.03.2026 15:14 · 5 articles
CanisterWorm propagates via compromised Trivy scanner in CI/CD pipelines
TeamPCP begins monetizing stolen supply chain secrets through partnerships with extortion groups like Lapsus$ and the Vect ransomware operation. Security researchers at Wiz (now part of Google Cloud) observed TeamPCP validating, encrypting, and exfiltrating stolen credentials (cloud credentials, SSH keys, Kubernetes configuration files, and coding process secrets) to attacker-controlled domains. Wiz explicitly confirmed collaboration between TeamPCP and the Lapsus$ extortion group to perpetuate chaos and amplify follow-on attacks. Wiz researcher Ben Read described TeamPCP’s horizontal movement across cloud ecosystems as creating a 'snowball effect,' requiring urgent security action. Concurrently, Socket reported posts attributed to the Vect ransomware group on BreachForums announcing a partnership with TeamPCP to deploy ransomware across affected organizations, with Vect operating as a Russian-speaking RaaS group offering affiliates 80–88% profit shares.
Sources:
- ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More — thehackernews.com — 23.03.2026 15:14
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Information Snippets
Trivy vulnerability scanner, developed by Aqua Security, was backdoored with credential-stealing malware in its official releases and GitHub Actions.
First reported: 23.03.2026 15:14 (3 sources, 3 articles)
Sources:
- ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More — thehackernews.com — 23.03.2026 15:14
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The breach impacted a project with over 32,000 GitHub stars and more than 100 million Docker Hub downloads.
First reported: 23.03.2026 15:14 (3 sources, 3 articles)
Sources:
- ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More — thehackernews.com — 23.03.2026 15:14
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The compromise enabled a self-propagating worm, CanisterWorm, to spread across impacted CI/CD pipelines and at least 100 organizations.
First reported: 23.03.2026 15:14 (3 sources, 3 articles)
Sources:
- ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More — thehackernews.com — 23.03.2026 15:14
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Threat actors leveraged the breach to steal secrets and distribute the worm, with many affected organizations failing to rotate credentials post-compromise.
First reported: 23.03.2026 15:14 (3 sources, 3 articles)
Sources:
- ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More — thehackernews.com — 23.03.2026 15:14
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
GitHub altered the default behavior of pull_request_target workflows in December 2025 to mitigate risks associated with GitHub Actions exploitation.
First reported: 23.03.2026 15:14 (2 sources, 2 articles)
Sources:
- ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More — thehackernews.com — 23.03.2026 15:14
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Threat actors compromised Trivy vulnerability scanner version 0.69.4 on March 19, 2026, injecting credential-stealing malware into official releases and GitHub Actions.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Additional malicious Docker images with tags 0.69.5 and 0.69.6 were uploaded to Docker Hub on March 22 without corresponding GitHub releases.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Compromised Trivy versions 0.69.5 and 0.69.6 contained indicators of compromise (IOC) linked to the TeamPCP infostealer.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Aqua Security identified unauthorized changes and repository tampering on March 22, 2026, during their ongoing investigation.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
An internal Aqua Security GitHub organization was briefly exposed with dozens of repositories renamed and made public during the attack.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The attacker used a compromised service account token with access to multiple GitHub organizations to rename repositories in a scripted burst lasting roughly two minutes.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The TeamPCP threat group has expanded operations to include worm propagation, ransomware deployment, cryptocurrency mining, and destructive attacks targeting Kubernetes environments.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Organizations using Trivy in CI/CD pipelines should review recent activity and treat recent scans as potentially compromised.
First reported: 23.03.2026 17:05 (2 sources, 2 articles)
Sources:
- Trivy Supply Chain Attack Expands With New Compromised Docker Images — www.infosecurity-magazine.com — 23.03.2026 17:05
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
TeamPCP repurposed the Trivy supply chain infrastructure to deploy a wiper attack targeting systems in Iran or with Farsi locale settings, leveraging the same technical infrastructure used in the March 19, 2026 Trivy compromise.
First reported: 23.03.2026 17:43 (1 source, 1 article)
Sources:
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The wiper payload executes only if the victim’s timezone or default language indicates Iran, otherwise it performs a local machine wipe; if Kubernetes access is detected, it destroys data on every node in the cluster.
First reported: 23.03.2026 17:43 (1 source, 1 article)
Sources:
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The wiper campaign materialized over the weekend of March 21–22, 2026, and was orchestrated through Internet Computer Protocol (ICP) canisters that combine code and data to evade takedown attempts.
First reported: 23.03.2026 17:43 (1 source, 1 article)
Sources:
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
TeamPCP operators claim in a Telegram group to have stolen vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm, and to have compromised Aqua Security a second time to spam GitHub accounts with junk messages.
First reported: 23.03.2026 17:43 (1 source, 1 article)
Sources:
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
The malicious ICP canisters hosted the worm’s payload and alternated between serving malware downloads and redirecting visitors to a Rick Roll video, suggesting rapid iteration of malicious features.
First reported: 23.03.2026 17:43 (1 source, 1 article)
Sources:
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
Security researchers describe TeamPCP as industrializing known attack techniques into a cloud-native exploitation platform that targets exposed Docker APIs, Kubernetes clusters, and Redis servers, with Azure accounting for 61% and AWS for 36% of compromised servers.
First reported: 23.03.2026 17:43 (1 source, 1 article)
Sources:
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran — krebsonsecurity.com — 23.03.2026 17:43
TeamPCP compromised the LiteLLM Python package on PyPI, publishing malicious versions 1.82.7 and 1.82.8 that deploy an infostealer harvesting sensitive data.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
LiteLLM is a popular open-source Python library acting as a gateway to multiple LLM providers, with over 3.4 million daily downloads and 95 million downloads in the past month.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
The malicious LiteLLM payload executes when the package is imported, with version 1.82.8 introducing a '.pth' file named 'litellm_init.pth' that executes at Python interpreter startup for persistence.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
The TeamPCP Cloud Stealer payload harvests SSH keys, cloud tokens, Kubernetes secrets, cryptocurrency wallets, .env files, and other sensitive credentials, and attempts lateral movement by deploying privileged pods to every Kubernetes node.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
Exfiltrated data is encrypted into tpcp.tar.gz and sent to attacker-controlled infrastructure at models.litellm.cloud.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
Both malicious LiteLLM versions have been removed from PyPI, with version 1.82.6 now the latest clean release.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
TeamPCP operators claim to have stolen data from approximately 500,000 devices during the LiteLLM attack, though this number remains unconfirmed by independent sources.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
The LiteLLM attack follows the TeamPCP compromise of Aqua Security's Trivy scanner and is part of a broader campaign affecting Aqua Security Docker images, Checkmarx KICS project, and now LiteLLM.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
TeamPCP's malicious payload contains credential-stealing logic identical to that used in the Trivy supply chain attack, indicating reuse of the same tooling and infrastructure.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
TeamPCP's cloud stealer installs a disguised systemd user service named 'System Telemetry Service' that periodically contacts checkmarx.zone to download and execute additional payloads.
First reported: 25.03.2026 00:29 (1 source, 1 article)
Sources:
- Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack — www.bleepingcomputer.com — 25.03.2026 00:29
Security researchers at Wiz (now part of Google Cloud) observed TeamPCP validating, encrypting, and exfiltrating stolen credentials (cloud credentials, SSH keys, Kubernetes configuration files, and coding process secrets) to attacker-controlled domains.
First reported: 31.03.2026 15:15 (1 source, 1 article)
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Wiz researchers noted a 'dangerous convergence' between supply chain attackers like TeamPCP and extortion gangs such as Lapsus$, suggesting potential collaboration or sharing of exfiltrated secrets.
First reported: 31.03.2026 15:15 (1 source, 1 article)
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Wiz explicitly confirmed TeamPCP collaboration with the Lapsus$ extortion group to perpetuate chaos through follow-on attacks.
First reported: 31.03.2026 15:15 (1 source, 1 article)
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Wiz researcher Ben Read stated that TeamPCP is creating a 'snowball effect' by horizontally moving across cloud ecosystems (e.g., LiteLLM in over a third of cloud environments), requiring urgent security action.
First reported: 31.03.2026 15:15 (1 source, 1 article)
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Socket reported posts attributed to the Vect ransomware group on BreachForums announcing a partnership with TeamPCP to deploy ransomware across affected companies compromised in the Trivy/LiteLLM attacks.
First reported: 31.03.2026 15:15 (1 source, 1 article)
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Vect is a Russian-speaking ransomware-as-a-service (RaaS) group operating under an affiliate model, providing up to 80–88% profit shares to affiliates.
First reported: 31.03.2026 15:15 (1 source, 1 article)
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15
Cisco’s internal development environment was breached using stolen credentials from the Trivy supply chain attack via a malicious GitHub Action plugin.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
Attackers used the malicious GitHub Action to exfiltrate data and credentials from Cisco’s build and development environments, impacting dozens of devices including developer and lab workstations.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
Multiple AWS keys were stolen during the Cisco breach and used to perform unauthorized activities across a small number of Cisco AWS accounts.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
Cisco isolated affected systems, reimaged devices, and initiated wide-scale credential rotation as part of incident response.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
More than 300 GitHub repositories were cloned during the Cisco breach, including source code for AI-powered products such as AI Assistants, AI Defense, and unreleased offerings.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
A portion of the stolen Cisco repositories allegedly belongs to corporate customers, including banks, BPOs, and US government agencies.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
Multiple threat actors were involved in the Cisco CI/CD and AWS account breaches, with varying levels of activity.
First reported: 31.03.2026 20:53 (1 source, 1 article)
Sources:
- Cisco source code stolen in Trivy-linked dev environment breach — www.bleepingcomputer.com — 31.03.2026 20:53
The Axios JavaScript NPM package, with over 400 million monthly downloads, was compromised via malicious versions 0.27.5 and 0.28.0 published to NPM by threat actors impersonating the crypto-js library.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
Compromised Axios versions included a malicious dependency named 'plain-crypto-js' that executed a multi-platform remote access Trojan (RAT) capable of operating on Windows, Linux, and Mac systems.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
The RAT contacted live command-and-control servers to deliver platform-specific second-stage payloads before deleting itself and replacing the package.json with a clean version to evade forensic detection.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
The attack originated from the compromise of the lead maintainer's account 'jasonsaayman', bypassing Axios' OIDC-based publishing pipeline.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
Initial attribution suggested links to TeamPCP, but Google's Threat Intelligence Group attributed the incident to suspected North Korean threat actor UNC1069, indicating a potential shift in actor involvement.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
The malicious versions were active for approximately three hours before NPM removed them, with the malicious dependency exposed for over 21 hours prior to a security hold.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
The RAT performs device profiling (hostname, username, OS, processes, directory walk) before any further actions, suggesting a focus on access brokering or targeted espionage rather than indiscriminate data theft.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
Security experts describe the attack as 'operational sophistication' with pre-staged dependencies, platform-specific payloads, and anti-forensic measures, marking a new standard in open-source supply chain attack tradecraft.
First reported: 31.03.2026 23:55 (1 source, 1 article)
Sources:
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55
Similar Happenings
Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign
A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.
TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks
TeamPCP has escalated its multi-vector CanisterWorm campaign into a broader geopolitically targeted operation, now compromising trusted PyPI packages to deliver credential-stealing malware with automated execution mechanisms. The group has targeted the LiteLLM and Telnyx Python packages (versions 1.82.7, 1.82.8, 4.87.1, and 4.87.2), embedding malware that harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files before exfiltrating data to attacker-controlled infrastructure and establishing persistent backdoors. The campaign began as a supply-chain attack involving 47 compromised npm packages and the @teale.io/eslint-config variant, leveraging ICP canisters for decentralized C2 and persistence via masqueraded systemd services. It escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and deployment of an infostealer, then pivoted to targeting CI/CD pipelines directly via GitHub Actions workflows (e.g., Checkmarx, Trivy) using stolen credentials. TeamPCP now compromises GitHub Actions workflows and Open VSX extensions to deploy the TeamPCP Cloud stealer, while refining destructive payloads targeting Iranian systems in Kubernetes environments with time-zone/locale-based wipers. Recent compromises of LiteLLM and Telnyx demonstrate rapid iteration and maturation of supply chain attack methodology, with evidence suggesting collaboration with the Vect ransomware group for follow-on ransomware operations.
Tag poisoning in Trivy GitHub Actions repositories delivers cloud-native infostealer payload
Attackers compromised two official Trivy-related GitHub Actions repositories—aquasecurity/trivy-action and aquasecurity/setup-trivy—and backdoored Trivy v0.69.4 releases, distributing a Python-based infostealer that harvests wide-ranging CI/CD and developer secrets. The payload executes in GitHub Actions runners and Trivy binaries, remaining active for up to 12 hours in Actions tags and three hours in the malicious release. The actors leveraged compromised credentials from a prior March incident and added persistence via systemd services, while also linking to a follow-up npm campaign using the CanisterWorm self-propagating worm. The incident traces to a credential compromise initially disclosed in early March 2026, which was not fully contained and enabled subsequent tag and release manipulations. Safe releases are now available and mitigation includes pinning Actions to full SHA hashes, blocking exfiltration endpoints, and rotating all affected secrets.
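The SHA-pinning mitigation named above can be checked mechanically. The following is an added example, not code from the original page or from Aqua Security: a line-based audit that flags `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA. The sample workflow, the placeholder SHA and the `example-org` / `example/scanner` names are constructed; the two watchlisted names are the repositories named in the paragraph above.

```python
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Matches "uses: x" and "- uses: x"; commented-out lines start with '#' and never match.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")

# Repositories this page names as having had their tags poisoned.
WATCHLIST = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line number in the workflow file
    action: str        # owner/repo[/path] or docker image name
    ref: str           # tag, branch, short SHA, or "" when absent
    reason: str
    watchlisted: bool  # True when the action is on WATCHLIST


def audit_workflow(text: str) -> list[Finding]:
    """Return every `uses:` reference that a tag or branch move could change."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = USES.match(raw)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            continue  # local action: versioned with the repository itself
        if target.startswith("docker://"):
            image = target[len("docker://"):]
            if "@sha256:" in image:
                continue  # digest-pinned image
            name, _, tag = image.partition(":")
            findings.append(Finding(lineno, name, tag, "docker tag, not digest", False))
            continue
        action, _, ref = target.partition("@")
        if FULL_SHA.match(ref):
            continue  # immutable reference
        if not ref:
            reason = "no ref"
        elif SHORT_SHA.match(ref):
            reason = "abbreviated SHA"
        else:
            reason = "mutable tag or branch"
        owner_repo = "/".join(action.split("/")[:2]).lower()
        findings.append(Finding(lineno, action, ref, reason, owner_repo in WATCHLIST))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: aquasecurity/setup-trivy@v0
      - name: Scan
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://example/scanner:1.2.3
      - uses: example-org/tool@0123abc
      # - uses: example-org/disabled@v1
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        flag = " [named in this incident]" if f.watchlisted else ""
        print(f"line {f.line}: {f.action}@{f.ref or '?'}: {f.reason}{flag}")
```

A full-SHA pin only prevents a later tag or branch move from changing what runs; the pinned commit itself still has to be one that was reviewed and is known to be clean.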
Malicious npm Package Targets macOS Users with RAT and Credential Theft
A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.
TeamPCP Worm Exploits Cloud Infrastructure for Criminal Operations
TeamPCP, a threat cluster active since November 2025, has conducted a worm-driven campaign targeting cloud-native environments to build malicious infrastructure. The campaign, observed around December 25, 2025, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182) to compromise servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The group operates as a cloud-native cybercrime platform, using misconfigured cloud services and known vulnerabilities to create a self-propagating criminal ecosystem. TeamPCP's activities include deploying various payloads such as proxy.sh, scanner.py, kube.py, react.py, and pcpcat.py to exploit and expand their reach within cloud environments. The group's operations are opportunistic, targeting AWS, Microsoft Azure, Google, and Oracle cloud environments, and have resulted in data leaks and extortion activities. The group has compromised at least 60,000 servers worldwide and has exfiltrated more than two million records from JobsGO, a recruitment platform in Vietnam.