{"id":199147,"date":"2026-03-25T12:29:00","date_gmt":"2026-03-25T16:29:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/25\/trojanization-of-trivy-checkmarx-and-litellm-solutions\/"},"modified":"2026-03-25T13:40:17","modified_gmt":"2026-03-25T17:40:17","slug":"trojanization-of-trivy-checkmarx-and-litellm-solutions","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/25\/trojanization-of-trivy-checkmarx-and-litellm-solutions\/","title":{"rendered":"Trojanization of Trivy, Checkmarx, and LiteLLM solutions"},"content":{"rendered":"<p><a href=\"https:\/\/www.kaspersky.com\/blog\/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp\/55510\/\">Trojanization of Trivy, Checkmarx, and LiteLLM solutions<\/a><\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp\/55510\/\">https:\/\/www.kaspersky.com\/blog\/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp\/55510\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-25 12:29:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.kaspersky.com\">www.kaspersky.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>Millions of automated software development pipelines rely on security tools, such as Trivy and Checkmarx AST, integrated into the build process. It is precisely these trusted solutions that recently became the entry point for one of the largest and most dangerous supply chain attacks in modern history. In this post we discuss how to audit automated workflows and secure corporate cloud infrastructure.<br \/>\nTimeline of the attack and known consequences<br \/>\nOn March 19, a successful targeted supply chain attack was carried out via Trivy, an open-source vulnerability scanning tool widely used in CI\/CD pipelines. 
The attackers, a group known as TeamPCP, managed to inject malware into official GitHub Actions workflows and Docker images associated with Trivy. As a result, every automated pipeline scan triggered malware that stole SSH keys, cloud access tokens, cryptocurrency wallets, and other valuable data from compromised systems. Given the critical nature of the incident, it was assigned the identifier CVE-2026-33634 with a near-maximum CVSS4B score of 9.4.<br \/>\nLater that same day, the Trivy team detected the attack and removed malicious artifacts from the distribution channels, halting this phase of the attack. However, the attackers had already gained access to the environments of many Trivy users.<br \/>\nOn March 23, a similar incident was discovered in another application security tool: a GitHub Action for Checkmarx KICS, as well as Checkmarx AST. Three hours later, the malicious code was removed from there as well. TeamPCP also managed to compromise OpenVSX extensions supported by Checkmarx: cx-dev-assist 1.7.0 and ast-results. Reports on when this part of the incident was resolved vary.<br \/>\nOn March 24, a popular project using Trivy\u2019s code scanning \u2014 the LiteLLM AI gateway, a universal library for access to various LLM providers \u2014 was attacked. Versions 1.82.7 and 1.82.8, uploaded to the PyPI repository, were compromised. These versions were publicly available for about 5 hours.<br \/>\nBut the fact that the attack lasted only a few hours is no reason to dismiss it. 
Given the popularity of the affected projects, the malicious code could have been executed thousands of times, including within the infrastructures of very large companies.<br \/>\nThis allowed attackers to deploy persistent backdoors in Kubernetes clusters, as well as launch the self-replicating CanisterWorm worm across the JavaScript npm ecosystem.<br \/>\nThe attackers\u2019 code has destructive capabilities that wipe out a Kubernetes cluster and all its nodes if it detects Farsi as the primary language or the Tehran time zone on the compromised system. In other regions, the malware simply steals data using CanisterWorm.<br \/>\nAccording to experts, more than 20,000 repositories are considered potentially vulnerable. The attackers claim to have stolen hundreds of gigabytes of data and more than 500,000 accounts.<br \/>\nHow Trivy Was Attacked<br \/>\nTo compromise Trivy, the attackers used credentials stolen in a previous incident. The previous Trivy compromise, which occurred in late February, was likely not fully contained, and the attackers \u2014 the TeamPCP group \u2014 returned with a new attack. \u00a0Trivy\u2019s developers, Aqua Security, speculate that because credentials were being phased out gradually following the previous incident, the attackers were able to generate new access tokens for themselves before compromised old ones had been revoked.<br \/>\nAs a result, TeamPCP was able to compromise GitHub Actions used in CI\/CD pipelines. Using credentials with tag-writing privileges, the attackers forcibly overrode 76 out of 77 version tags in aquasecurity\/trivy-action and all 7 tags in aquasecurity\/setup-trivy, redirecting existing trusted versions to malicious commits. This resembles tactics observed in the Shai-Hulud 2.0 campaign. 
As a result, workflows throughout the pipeline began executing the attackers\u2019 code, while the release metadata showed no visible changes.<br \/>\nAt the same time, the attackers published an infected Trivy binary (v0.69.4) to official distribution channels, including GitHub Releases and container registries.<br \/>\nLiteLLM Compromise<br \/>\nThe compromise of the popular language model access tool LiteLLM could itself trigger a major wave of attacks across the chain of projects that use it. The attack took place on March 24, 2026, when TeamPCP directly published malicious versions of the library (1.82.7 and 1.82.8) on PyPI. Between 10:39 UTC and 16:00 UTC, these compromised packages contained malware that stole credentials. It was embedded in the proxy_server.py file, and version 1.82.8 also contained a malicious litellm_init file. The stolen data was exfiltrated to the server models.litellm[.]cloud.<br \/>\nCustomers using LiteLLM Cloud or the official LiteLLM Proxy Docker image were not affected due to strict version locking, whereas developers and downstream projects that installed unpinned versions via pip during the specified time window were compromised.<br \/>\nWithin 3 hours, the malicious packages were removed from the PyPI repository, and the LiteLLM team suspended new releases, rotated credentials, and engaged an external incident response process. Teams that use LiteLLM in their projects are advised to immediately check for the litellm_init.pth compromise indicator and routinely rotate all potentially compromised secrets.<br \/>\nFeatures of the TeamPCP Cloud Stealer malware<br \/>\nAttackers added new logic to GitHub Actions and the Trivy executable while preserving the original functionality. Vulnerability scan results via Trivy appeared normal, but at the same time, valuable data was being searched for and extracted. 
The malicious code was:<\/p>\n<p>performing reconnaissance (collecting network data and environment variables);<br \/>\nsearching for tokens and credentials to access AWS and GCP cloud environments;<br \/>\nscanning memory (\/proc\/*\/mem) to extract secrets stored in the memory of Runner.Worker and Runner.Listener processes;<br \/>\nextracting Kubernetes secrets (\/run\/secrets\/kubernetes.io\/serviceaccount);<br \/>\ncollecting data for connecting to database servers (MySQL, PostgreSQL, MongoDB, Redis, Vault);<br \/>\ncollecting any other API keys and secrets from environment files and CI\/CD configuration files (.env, .json, .yml);<br \/>\nsearching for webhooks for Slack and Discord channels;<br \/>\nsearching for data related to crypto wallets (variables related to the Solana blockchain, as well as rpcuser and rpcpassword data).<\/p>\n<p>The collected data was encrypted and uploaded to a server with a name similar to the name of Trivy\u2019s developers (scan.aquasecurtiy[.]org). As a backup mechanism, the attackers provided a way to upload data to a repository named docs-tpcp.<br \/>\nThe attack on Checkmarx and LiteLLM used a similar tactic with other typosquatting domains: models.litellm[.]cloud and checkmarx[.]zone.<br \/>\nResponse and Defense Strategies for CVE-2026-33634<br \/>\nExisting signature-based checks and dependency scanning in public registries are no longer sufficient, as the malicious code was injected directly into trusted, signed actions and evaded detection until behavioral monitoring was applied. CI\/CD pipelines have become the \u201cnew perimeter\u201d of security.<br \/>\nImmediate Actions. Ensure that all workflows use secure versions (Trivy binary 0.69.3, trivy-action 0.35.0, setup-trivy 0.2.6).<br \/>\nCI\/CD pipeline administrators and security teams should immediately review their dependencies on Checkmarx (kics-github-action, ast-github-action) and Trivy (setup-trivy and trivy-action) solutions. 
If workflows referenced a version tag rather than a specific SHA hash, carefully review your workflow execution logs for the duration of the active supply chain attack.<br \/>\nYou should also check your network logs for traffic to the domains scan.aquasecurtiy[.]org, checkmarx[.]zone, and models.litellm[.]cloud. The presence of such traffic indicates that sensitive data has been successfully exfiltrated.<br \/>\nIf a repository named docs-tpcp has appeared in your organization\u2019s GitHub, this may also indicate a successful data breach.<br \/>\nIn any case, proactive threat hunting should be conducted, assuming that the systems have been successfully compromised and that the attackers have rapidly advanced within the affected systems.<br \/>\nIt is recommended to restore the affected environments from verified backups.<br \/>\nDependency pinning and secret management. Ensure that exact dependency versions are pinned using cryptographic hashes in all pipelines and Dockerfiles. We advise transitioning from long-lived tokens to short-lived credentials by using a secrets manager tool and implementing OIDC integrations where they are supported. Minimize the injection of secrets into the runtime environment \u2014 do so only when it is absolutely necessary. Ensure that secrets are not stored on disk or in temporary files, and are not reused across different processes.<br \/>\nOther security measures. Allow only GitHub Actions from a list approved by the organization; block new and unverified processes. Configure GITHUB_TOKEN and other access keys in accordance with the principle of least privilege. 
Do not grant write permissions unless absolutely necessary.<br \/>\nTo enhance the security of GitHub Actions, there are several open-source tools available:<\/p>\n<p>zizmor \u2014 a tool for static analysis and detection of configuration errors in GitHub Actions;<br \/>\ngato and Gato-X \u2014 two versions of a tool that helps identify structurally vulnerable pipelines;<br \/>\nallstar \u2014 a GitHub application developed by OpenSSF to configure and enforce security policies in GitHub organizations and repositories.<\/p>\n<p>\u00a0<br \/>\nIf you want to learn more about supply chain attacks, we invite you to look at our analytical report\u00a0Supply chain reaction: securing the global digital ecosystem in an age of interdependence. It\u2019s based on insights from technical experts and reveals how often organizations face supply chain and trusted relationship risks, where protection gaps remain, and what strategies to employ to\u00a0improve resilience against this kind of threat.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trojanization of Trivy, Checkmarx, and LiteLLM solutions https:\/\/www.kaspersky.com\/blog\/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp\/55510\/ Publish Date: 2026-03-25 12:29:00 Source Domain: 
www.kaspersky.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":199148,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/03\/25122750\/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp-Featured.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,17,32,27],"class_list":["post-199147","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-llm","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199147"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=199147"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199147\/revisions"}],"predecessor-version":[{"id":199149,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/199147\/revisions\/199149"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/199148"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=199147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=199147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=199147"}],"c
uries":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}