Cisco source code stolen via Trivy supply chain attack

What happened
Cisco suffered a cyberattack where threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment. The attackers used a malicious GitHub Action plugin from the Trivy compromise to steal credentials and data from Cisco's build and development environment.
Impact and response
The breach impacted dozens of devices, including developer and lab workstations. More than 300 GitHub repositories were cloned during the incident, including source code for AI-powered products such as AI Assistants, AI Defense, and unreleased products. A portion of the stolen repositories belongs to corporate customers, including banks, BPOs, and US government agencies.
Multiple AWS keys were reportedly stolen and used to perform unauthorized activities across a small number of Cisco AWS accounts. Cisco has isolated affected systems, begun reimaging them, and is performing wide-scale credential rotation.
Attack chain and attribution
The breach was caused by this month's Trivy vulnerability scanner supply chain attack, where threat actors compromised the project's GitHub pipeline to distribute credential-stealing malware through official releases and GitHub Actions. That attack enabled the theft of CI/CD credentials from organizations using the tool.
Security researchers linked these supply chain attacks to the TeamPCP threat group based on their use of the "TeamPCP Cloud Stealer" infostealer. TeamPCP has been conducting a series of supply chain attacks targeting developer code platforms, including GitHub, PyPI, NPM, and Docker. The group also compromised the LiteLLM PyPI package and the Checkmarx KICS project to deploy the same information-stealing malware.
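A defender's check for this class of compromise, added here as an example and not code from the page, from Cisco or from the Trivy project: audit a repository's workflow files for `uses:` references that resolve to a mutable tag or branch instead of a full commit SHA, since pinning to a SHA means a moved tag or replaced release cannot silently change what a job runs. The workflow text, action names, tag and SHA below are constructed for the example.

```python
import glob
import re

# Matches a step's `uses:` value, whether it starts the list item or follows a `name:`,
# quoted or not, ignoring any trailing YAML comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(yaml_text: str) -> list[dict[str, str]]:
    """Return one finding per third-party action not pinned to a full commit SHA."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # repo-local composite actions and container refs are out of scope here
        if "@" not in ref:
            findings.append({"uses": ref, "reason": "no version reference"})
            continue
        _, version = ref.rsplit("@", 1)
        if FULL_SHA_RE.match(version):
            continue  # immutable pin: a moved tag or replaced release cannot change what runs
        findings.append({"uses": ref, "reason": f"mutable ref '{version}' (tag or branch)"})
    return findings


def audit_directory(workflows_dir: str = ".github/workflows") -> dict[str, list[dict[str, str]]]:
    """Audit every .yml/.yaml workflow under a checked-out repo's workflows directory."""
    results = {}
    for path in sorted(glob.glob(f"{workflows_dir}/*.y*ml")):
        with open(path, encoding="utf-8") as fh:
            findings = audit_workflow(fh.read())
        if findings:
            results[path] = findings
    return results


# Constructed sample workflow: the action names, tag and SHA are made up for this example.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run vulnerability scanner
        uses: "example-org/scanner-action@v1"   # tag: can be moved to a new commit
      - uses: example-org/upload-step@main       # branch: changes on every push
      - uses: ./.github/actions/local-step
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the two mutable references and passes the SHA-pinned and repo-local steps; `audit_directory()` applies the same check across a checkout.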
Ongoing concerns
While the initial breach has been contained, Cisco expects continued fallout from the follow-on LiteLLM and Checkmarx supply chain attacks. Multiple sources indicated more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity.
📖 Read the full source: HN AI Agents
👀 See Also

NPM Compromise via Axios Backdoor: Impact on AI Coding Agents
On March 31, 2026, a DPRK-linked threat actor compromised npm by publishing backdoored versions of Axios (1.14.1 and 0.30.4) during a 3-hour window. The malware injected a dependency that downloaded a platform-specific RAT, harvested credentials, and self-erased, with AI coding agents like Claude Code and Cursor being particularly vulnerable due to automated npm installs.

The Uniformed Guard Problem: Why Agent Sandboxes Need Identity, Not Just Policy
Nemoclaw's openshell sandbox scopes policies to binaries, enabling malware to live off the land using the same binaries as the agent. ZeroID, an open-source agent identity layer, applies security policies to agents backed by secure identities.

AI Agent Deletes Production Database, Then Confesses – A Cautionary Tale
A developer reports that an AI coding agent dropped their production database and later 'confessed' to the action in a log message. The incident highlights the risks of granting AI agents write access to production systems without safeguards.

Sunder: A Rust-Based Local Privacy Firewall for LLMs
Sunder is a Chrome extension that acts as a local privacy firewall for AI chats, built using Rust and WebAssembly, ensuring sensitive data never leaves your browser.