Cisco’s internal development environment was compromised through stolen credentials from the March 2026 Trivy vulnerability scanner supply chain attack, resulting in source code theft affecting both company and customer repositories, according to sources who spoke with BleepingComputer on March 31. The breach impacted dozens of devices including developer and lab workstations, with attackers cloning over 300 GitHub repositories containing AI product source code and unreleased project materials.
Sources told BleepingComputer that Cisco’s Unified Intelligence Center, CSIRT, and EOC teams contained the initial breach involving a malicious GitHub Action plugin from the Trivy compromise. Multiple AWS keys were reportedly stolen and used to perform unauthorized activities across a small number of Cisco AWS accounts before the company isolated affected systems and began large-scale credential rotation and device reimaging.
Trivy Supply Chain Attack Vector
The compromise originated from the TeamPCP threat group’s March 19-24 supply chain attack targeting Trivy, a widely used vulnerability scanner. Attackers compromised Trivy’s GitHub pipeline to distribute credential-stealing malware through official releases and GitHub Actions, enabling theft of CI/CD credentials from thousands of organizations using the tool in their development workflows.
The malicious GitHub Action deployed TeamPCP’s “TeamPCP Cloud Stealer” infostealer, which harvested credentials from build environments during normal development operations. Organizations running Trivy in automated pipelines unknowingly executed the compromised code, granting attackers access to AWS credentials, GitHub tokens, and other secrets used in continuous integration and deployment processes.
Stolen Data Scope and Customer Impact
The 300+ cloned repositories reportedly include source code for Cisco’s AI-powered products including AI Assistants, AI Defense, and unreleased products under development. A portion of the stolen repositories allegedly belongs to corporate customers, with sources indicating exposure of code belonging to banks, business process outsourcers, and US government agencies that use Cisco development platforms or services.
The breach demonstrates the cascading impact of supply chain compromises where a single vulnerability scanner attack propagates to downstream enterprise victims. Cisco customers who shared repositories or utilized Cisco’s development infrastructure now face potential intellectual property exposure and competitive intelligence risks from stolen proprietary code.
Multi-Actor Involvement and Ongoing Threats
Multiple sources told BleepingComputer that more than one threat actor participated in the Cisco CI/CD and AWS account breaches, with varying degrees of activity suggesting opportunistic exploitation by different groups who obtained credentials from the Trivy compromise. This pattern aligns with credential marketplaces where initial access brokers sell stolen CI/CD credentials to multiple buyers.
Sources indicated Cisco expects continued fallout from related TeamPCP supply chain attacks targeting LiteLLM and Checkmarx, which deployed identical credential-stealing malware. The LiteLLM PyPI package compromise impacted tens of thousands of devices, while the Checkmarx KICS project breach affected additional development environments, creating an ongoing credential exposure problem requiring comprehensive rotation across the development ecosystem.
TeamPCP Campaign Pattern
Security researchers attribute the coordinated March 2026 supply chain attacks to TeamPCP based on consistent use of their branded “TeamPCP Cloud Stealer” infostealer across multiple compromises. The group has conducted systematic attacks targeting developer platforms including GitHub, PyPI, NPM, and Docker, demonstrating a focus on compromising software development supply chains rather than end-user systems.
TeamPCP previously backdoored the Telnyx PyPI package to push malware hidden in WAV audio files, deployed Iran-targeted wipers in Kubernetes attacks via NPM packages, and spread credential stealers through compromised Docker repositories. The consistent targeting of developer tooling suggests either state-sponsored intellectual property theft objectives or preparation for downstream attacks against organizations using compromised development tools.
Remediation and Containment
Cisco isolated affected systems and initiated large-scale credential rotation across development environments following breach discovery. The company began reimaging compromised devices and revoking AWS keys used in unauthorized activities. However, the distributed nature of the credential theft across multiple TeamPCP campaigns creates challenges for comprehensive remediation as additional compromised tools may continue exposing credentials.
Organizations using Trivy, LiteLLM, or Checkmarx during the March 19-24 compromise window face similar exposure risks and should assume credential compromise, rotate all CI/CD secrets, audit AWS and cloud provider access logs for unauthorized activity, and review GitHub repository access patterns for anomalous cloning operations.
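As an added illustration of the two audit steps above (example code, not from the report or from Cisco), the following Python triage helpers flag a pipeline-only AWS access key used from an unknown address at or after the compromise window opened, and GitHub audit-log actors that clone an unusual number of distinct repositories within one hour. The runner egress address, the key id and every log record are constructed for the example.

```python
"""Triage helpers for the checks above (added example; all data constructed).
Field names loosely follow CloudTrail and the GitHub audit-log export."""
from datetime import datetime, timezone

# Start of the reported Trivy compromise window (UTC); later activity is in scope.
WINDOW_START = datetime(2026, 3, 19, tzinfo=timezone.utc)
# Hypothetical: egress addresses of the organisation's own CI runners.
KNOWN_CI_EGRESS = {"203.0.113.10"}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def suspicious_aws_events(events, ci_keys):
    """CloudTrail events where a pipeline-only access key was used, at or after
    the window opened, from an address that is not a known CI runner."""
    hits = []
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if (key in ci_keys and _ts(e["eventTime"]) >= WINDOW_START
                and e.get("sourceIPAddress") not in KNOWN_CI_EGRESS):
            hits.append((e["eventTime"], key, e["eventName"], e["sourceIPAddress"]))
    return hits

def bulk_cloners(audit_log, threshold=5):
    """Actors whose git.clone events touch more than `threshold` distinct
    repositories within one clock hour; returns {actor: peak count}."""
    per_hour = {}
    for ev in audit_log:
        if ev["action"] != "git.clone":
            continue
        hour = _ts(ev["created_at"]).replace(minute=0, second=0, microsecond=0)
        per_hour.setdefault((ev["actor"], hour), set()).add(ev["repo"])
    peak = {}
    for (actor, _hour), repos in per_hour.items():
        peak[actor] = max(peak.get(actor, 0), len(repos))
    return {a: n for a, n in peak.items() if n > threshold}

# Constructed sample input: one benign pre-window call from a runner, one
# post-window call with the same key from an unknown address.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2026-03-18T09:00:00Z", "eventName": "GetObject", "sourceIPAddress":
     "203.0.113.10", "userIdentity": {"accessKeyId": "AKIA_CI_EXAMPLE"}},
    {"eventTime": "2026-03-21T02:14:00Z", "eventName": "ListBuckets", "sourceIPAddress":
     "198.51.100.77", "userIdentity": {"accessKeyId": "AKIA_CI_EXAMPLE"}},
]
# Constructed: one identity clones eight repositories in a burst, another clones one.
SAMPLE_AUDIT = [{"action": "git.clone", "actor": "svc-deploy", "repo": f"org/repo-{i}",
                 "created_at": "2026-03-21T03:10:00Z"} for i in range(8)]
SAMPLE_AUDIT.append({"action": "git.clone", "actor": "alice", "repo": "org/repo-1",
                     "created_at": "2026-03-21T03:20:00Z"})
```

Tune `threshold` and `KNOWN_CI_EGRESS` to the organisation's own baseline; the functions only surface candidates for analyst review.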
Corporate Response Status
Cisco has not issued a public statement confirming the breach or providing official incident details despite BleepingComputer’s requests for comment. The silence creates uncertainty for customers potentially affected by source code exposure and prevents downstream organizations from assessing their own risk exposure through Cisco development platform usage.
The lack of official disclosure follows a pattern where supply chain victims delay public notification while conducting internal investigations and customer impact assessments. However, the multi-week gap between the March 19-24 Trivy compromise and March 31 reporting suggests Cisco has had sufficient time to assess scope and notify affected parties.