Following a recent supply chain security incident affecting the Aqua Security-maintained Trivy project, Checkmarx disclosed that unauthorized parties modified a version of Keeping Infrastructure as Code Secure (KICS), its open-source static code analysis project.
Threat actors gained unauthorized access to the KICS GitHub Action—a tool organizations use to run security scans within CI/CD pipelines—and introduced unauthorized code into multiple software versions. Checkmarx noted that any organization with automated pipelines configured to run this action during a four-hour window on the morning of March 23 could be affected.
That same day, unauthorized versions of two Checkmarx VS Code plug-ins appeared on the OpenVSX registry, where they remained available for download for approximately three hours.
This disclosure follows closely behind Aqua Security's report of a related incident. In that case, a threat actor used previously stolen privileged credentials to insert an infostealer into 76 previously released versions of Trivy's GitHub Action. The actor also used a compromised automated service account to publish two unauthorized Docker images.
Security researchers attribute the malware in both incidents to TeamPCP, a threat group known for automated credential theft targeting cloud infrastructure.
Expanding scope across software registries
The campaign has since expanded to other package ecosystems. GitGuardian researchers reported that the same threat actor introduced the infostealer into the PyPI software registry, affecting versions 1.82.7 and 1.82.8 of the Litellm package. PyPI maintainers have since removed the affected files.
The infostealer is designed to exfiltrate a wide range of sensitive data, including SSH keys, cloud credentials, API tokens, Docker configurations, and cryptocurrency wallet information. Because many organizations rely on Litellm to build AI-powered applications, the potential scope of impact is significant. Guillaume Valadon, a cybersecurity researcher at GitGuardian, noted that Litellm receives millions of downloads daily, elevating the priority of the incident.
Valadon emphasizes that threat actors are actively pursuing developer secrets. To mitigate this risk, security teams should maintain a real-time inventory of their secrets, enabling rapid revocation during an incident before lateral movement can occur.
Recommended actions for security teams
Checkmarx is currently investigating the incident and actively working to ensure all malicious artifacts are permanently removed from OpenVSX. While the company has not publicly detailed the exact mechanism of the unauthorized code, the behavior aligns with an infostealer.
Checkmarx strongly recommends that any organization whose automated build pipelines may have interacted with the affected plug-ins immediately rotate all access keys, personal access tokens (PATs), and login credentials.
Shared indicators and ongoing threat activity
Security researchers confirm that the Trivy, Checkmarx, and Litellm incidents share operational links. Valadon pointed out common indicators of compromise (IoCs) across the events, including the public key used for data exfiltration, the specific targeted services, and the persistence techniques employed.
Wiz Research, which is independently tracking the campaign, corroborated the TeamPCP attribution. Ben Read, a lead researcher at Wiz, stated that their telemetry indicates a common actor across the compromises. Wiz researchers estimate that liteLLM is present in 36% of modern cloud environments.
By targeting security scanners and AI development tools, these threat actors aim to establish a presence in highly sensitive stages of the software development life cycle. Wiz also noted indications that TeamPCP may be collaborating with the LAPSUS$ extortion group to expand their operations.
The threat actors left a link to the Queen song "The Show Must Go On" in their deployment, and public Telegram messages from the group reference a "snowball effect" alongside future targets across popular open-source projects, indicating that organizations should remain vigilant and proactively rotate exposed credentials.