Security tools themselves hacked
Attackers are now compromising the very security solutions organizations rely on—researchers flagged a supply‑chain campaign that exploited security tools to disrupt ports and vehicle systems this week. The breach pattern shows attackers moving upstream to undermine detection and response at scale, raising systemic risk across logistics networks. (s-rminform.com)
On March 19, researchers traced a supply‑chain compromise that manipulated Trivy's CI/CD distribution by force‑pushing 76 of 77 version tags in aquasecurity/trivy-action and all seven tags in aquasecurity/setup-trivy, redirecting trusted references to malicious commits. (microsoft.com) Malicious LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI on March 24 after attackers used CI/CD credentials stolen in the Trivy compromise. (snyk.io) Those LiteLLM builds contained a three‑stage payload that harvested credentials, deployed a Kubernetes lateral‑movement toolkit, and used a Python .pth startup hook for stealthy persistence. (endorlabs.com) Security teams say the adversary, tracked as TeamPCP, chained compromises across Trivy, Checkmarx KICS GitHub Actions, npm, Docker Hub, OpenVSX and PyPI in a four‑wave campaign between March 19 and March 24. (labs.cloudsecurityalliance.org) Mandiant Consulting CTO Charles Carmakal told a public briefing that more than 1,000 SaaS environments were actively dealing with fallout from the campaign as of March 24. (theregister.com) Analysts reported mass exfiltration of cloud credentials, SSH keys and Kubernetes secrets from affected CI/CD environments during the operation. (snyk.io) Independent reporting estimates that investigators recovered evidence pointing to more than 300GB of stolen data tied to the broader campaign. (securityweek.com) PyPI and package maintainers moved quickly: the malicious LiteLLM uploads were quarantined and deleted within hours of publication, and affected maintainers rotated GitHub and PyPI keys to invalidate attacker access. (snyk.io)

Separately this month, Spain's Port of Vigo detected a ransomware incident on March 24 that forced port operators to isolate servers and revert cargo‑management operations to manual processes while the IT team rebuilt affected systems. (aboutdfir.com)

A separate cyber incident beginning March 14 hit ignition‑interlock vendor Intoxalock, leaving customers across 46 states temporarily unable to start vehicles; the company says it serves roughly 150,000 drivers per year and later reported service restoration while waiving some fees tied to the outage. (upguard.com)
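The tag redirection described above works because a Git tag is a mutable pointer: a workflow that references an action by tag or branch follows wherever that pointer is force‑pushed, whereas a full commit SHA cannot be silently retargeted. As an added example (not code from any of the cited reports or from the Trivy project), the checker below flags every `uses:` reference in a GitHub Actions workflow that is not pinned to a 40‑character commit SHA; the workflow text is constructed sample input, and the checkout SHA in it is only a sample value.

```python
import re
from dataclasses import dataclass

# A full 40-hex commit SHA is immutable; tags and branches are mutable refs.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches "uses: owner/repo[/subpath]@ref"; local (./path) and docker:// uses
# have no owner/repo@ref form and are skipped on purpose.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str


def is_pinned(ref: str) -> bool:
    """True only when the ref is a full commit SHA (tag/branch names fail)."""
    return bool(FULL_SHA_RE.match(ref))


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per action reference not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not is_pinned(ref):
            findings.append(Finding(line_no, action, ref))
    return findings


# Constructed sample workflow: one SHA-pinned step, two mutable refs, one local action.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: aquasecurity/setup-trivy@v1
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref} is not pinned to a commit SHA")
```

Pinning to a SHA does not by itself verify what that commit contains; it only guarantees that a later force‑push of the tag cannot change what the workflow runs.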