Cisco source code stolen via Trivy supply chain attack

What happened
Cisco suffered a cyberattack in which threat actors used credentials stolen during the recent Trivy supply chain attack to breach its internal development environment. The attackers used a malicious GitHub Action plugin distributed in the Trivy compromise to steal credentials and data from Cisco's build and development environment.
Impact and response
The breach impacted dozens of devices, including developer and lab workstations. More than 300 GitHub repositories were cloned during the incident, including source code for AI-powered products such as AI Assistants, AI Defense, and unreleased products. A portion of the stolen repositories belongs to corporate customers, including banks, BPOs, and US government agencies.
Multiple AWS keys were reportedly stolen and used to perform unauthorized activities across a small number of Cisco AWS accounts. Cisco has isolated affected systems, begun reimaging them, and is performing wide-scale credential rotation.
Attack chain and attribution
The breach was caused by this month's Trivy vulnerability scanner supply chain attack, where threat actors compromised the project's GitHub pipeline to distribute credential-stealing malware through official releases and GitHub Actions. That attack enabled the theft of CI/CD credentials from organizations using the tool.
Security researchers linked these supply chain attacks to the TeamPCP threat group based on its use of the "TeamPCP Cloud Stealer" infostealer. TeamPCP has been conducting a series of supply chain attacks targeting developer code platforms, including GitHub, PyPI, npm, and Docker. The group also compromised the LiteLLM PyPI package and the Checkmarx KICS project to deploy the same information-stealing malware.
Ongoing concerns
While the initial breach has been contained, Cisco expects continued fallout from the follow-on LiteLLM and Checkmarx supply chain attacks. Multiple sources indicated more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity.
📖 Read the full source: HN AI Agents