Time to start dropping SBOMs (feature): Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands of organizations – if not more. We won't know the full blast radius for months.…
# Incident Report: Multi-Stage Supply Chain Compromise of Open Source Security Tools
## Executive Summary
In March 2026, two significant supply chain attacks targeted popular open-source projects, specifically the **Trivy** vulnerability scanner and the **Axios** JavaScript library. The attacks, orchestrated by separate threat actors (TeamPCP and North Korean-linked groups), resulted in the infection of tools used by tens of thousands of organizations, leading to the theft of CI/CD secrets and cloud credentials. The incident highlights an evolving trend where attackers target security-focused developer tools to bypass traditional oversight.
## Incident Details
- **Discovery Date:** Late March 2026 (Detection typically within 12 hours of injection)
- **Incident Date:** Late February 2026 – March 2026
- **Affected Organizations:** Aqua Security (Trivy), Checkmarx (KICS), and the Axios project
- **Sector:** Technology / Open Source Software
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late February 2026
- **Vector:** Exploitation of misconfigured APIs and social engineering.
- **Details:** **TeamPCP** compromised the Trivy maintainer environment, initially exploiting Docker/Kubernetes APIs and vulnerable React/Next.js applications.
### Lateral Movement
- **March 16, 2026:** Attackers injected malware into Trivy binaries, GitHub Actions, and container images.
- **March 23, 2026:** Using secrets stolen from Trivy, attackers moved laterally to compromise the **KICS** static analysis tool.
- **Late March 2026:** Attackers leveraged CI/CD access to push malicious versions of **Requests** and **Boto3** to PyPI.
### Data Exfiltration/Impact
- **Secrets Theft:** Malware harvested CI/CD secrets, cloud provider credentials, SSH keys, and Kubernetes config files.
- **Persistence:** Persistent backdoors were planted on the local machines of developers who ran the infected versions of the tools.
### Detection & Response
- **Detection:** Security researchers (Flare, Wiz) identified the malicious injections within 12 hours at several stages of the campaign.
- **Response:** Prompt removal of malicious packages and revocation of compromised CI/CD secrets.
## Attack Methodology
- **Initial Access:** Exploitation of misconfigured APIs (Docker, Kubernetes, Redis) and advanced social engineering.
- **Persistence:** Injection of malware into build binaries and container images; deployment of backdoors on developer endpoints.
- **Privilege Escalation:** Use of stolen cloud and CI/CD credentials to gain administrative access to repository environments.
- **Defense Evasion:** Targeting security tools (vulnerability scanners) that are often less scrutinized by internal security teams; use of blockchain-based C2.
- **Credential Access:** Automated harvesting of environment variables and configuration files containing secrets.
- **Discovery:** Reconnaissance of CI/CD pipelines to identify downstream dependencies.
- **Lateral Movement:** Using "poisoned" secrets from one project to authenticate to and compromise related projects (Trivy -> KICS -> PyPI).
- **Collection:** Bulk "smash-and-grab" exfiltration of configuration data.
- **Exfiltration:** Data sent to C2 infrastructure hidden behind distributed proxies.
- **Impact:** Potential for long-term "blast radius" as stolen secrets are leveraged for subsequent intrusions.
## Impact Assessment
- **Financial:** Not explicitly disclosed, though TeamPCP has a history of crypto-mining and extortion.
- **Data Breach:** Compromise of secrets for tens of thousands of organizations.
- **Operational:** Disruption of CI/CD pipelines and the need for widespread credential rotation.
- **Reputational:** High impact on the trust of foundational open-source security tools.
## Indicators of Compromise
- **Network indicators:** C2 traffic to domains containing Rickroll redirects or blockchain-based headers (Defanged: hxxp[://]teampcp[.]vibe).
- **File indicators:** Modified Trivy binaries; malicious `preinstall` or `postinstall` scripts in npm/PyPI packages.
- **Behavioral indicators:** Unusual outbound traffic from CI/CD runners to unknown IP addresses; unexpected edits to GitHub Action YAML files.
## Response Actions
- **Containment:** Removal of malicious versions from GitHub, PyPI, and container registries.
- **Eradication:** Revocation of all secrets potentially exposed in the CI/CD environments.
- **Recovery:** Re-imaging of developer machines suspected of running infected scanner versions.
## Lessons Learned
- **Security Tools are Targets:** Attackers are deliberately targeting "trusted" security tools (scanners/linters) because their behavior is often white-listed or ignored by SOC teams.
- **Speed of Detection:** While detection was fast (12 hours), the automated nature of CI/CD meant thousands of pipelines had already pulled the infected versions before the malicious releases were removed.
- **Secret Hygiene:** Hardcoded secrets in pipelines remain a single point of failure that can lead to cascading supply chain collapses.
## Recommendations
- **Implement Version Delays:** Avoid "bleeding edge" updates; enforce a 24-hour delay before adopting new versions of open-source packages in production pipelines.
- **SBOM Adoption:** Maintain an updated Software Bill of Materials (SBOM) to quickly identify where compromised tools or libraries are running.
- **Isolated Build Environments:** Run security scanners and build processes in ephemeral, network-restricted environments with "least privilege" access to secrets.
- **Secret Management:** Use short-lived, dynamically generated credentials (like OIDC for GitHub Actions) rather than long-lived static keys.
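The version-delay and SBOM recommendations above can be enforced together as a pre-install gate. The following Python is an added example, not code from the report or from any of the projects it names: it audits a constructed CycloneDX-style component list against a placeholder advisory list (the report does not give the malicious version numbers, so the versions are labelled examples) and flags anything released less than 24 hours before the pipeline run. It assumes the SBOM generator records each component's release time as a custom `releaseDate` property.

```python
import json
from datetime import datetime, timedelta

# Constructed CycloneDX-style manifest (sample data, not from the report).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "application", "name": "trivy", "version": "0.99.0-EXAMPLE",
     "purl": "pkg:github/aquasecurity/trivy@0.99.0-EXAMPLE",
     "properties": [{"name": "releaseDate", "value": "2026-03-16T09:00:00Z"}]},
    {"type": "library", "name": "requests", "version": "2.99.9-EXAMPLE",
     "purl": "pkg:pypi/requests@2.99.9-EXAMPLE",
     "properties": [{"name": "releaseDate", "value": "2026-03-24T03:30:00Z"}]},
    {"type": "library", "name": "boto3", "version": "1.0.0-EXAMPLE",
     "purl": "pkg:pypi/boto3@1.0.0-EXAMPLE",
     "properties": [{"name": "releaseDate", "value": "2026-01-05T12:00:00Z"}]}
  ]
}"""

# Placeholder advisory list: the report names the affected projects but not the
# malicious versions, so these version strings are labelled examples only.
KNOWN_BAD = {("pypi", "requests"): {"2.99.9-EXAMPLE"},
             ("github/aquasecurity", "trivy"): {"0.99.0-EXAMPLE"}}

MIN_AGE = timedelta(hours=24)  # the report's recommended adoption delay

def _parse_ts(iso_z):
    # "2026-03-24T03:30:00Z" -> timezone-aware datetime
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def _ecosystem_and_name(purl):
    # "pkg:github/aquasecurity/trivy@0.99.0" -> ("github/aquasecurity", "trivy")
    body = purl.split("@", 1)[0].removeprefix("pkg:")
    eco, _, name = body.rpartition("/")
    return eco, name

def audit_sbom(sbom_text, now_iso):
    """Return components that match the advisory list or are younger than MIN_AGE."""
    now = _parse_ts(now_iso)
    findings = {"compromised": [], "too_new": []}
    for comp in json.loads(sbom_text)["components"]:
        if comp["version"] in KNOWN_BAD.get(_ecosystem_and_name(comp["purl"]), set()):
            findings["compromised"].append(comp["purl"])
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if now - _parse_ts(props["releaseDate"]) < MIN_AGE:
            findings["too_new"].append(comp["purl"])
    return findings

if __name__ == "__main__":
    print(audit_sbom(SBOM_JSON, "2026-03-24T12:00:00Z"))
```

A pipeline would fail the job when either list is non-empty and re-run the check once the advisory list is updated, which is what makes the SBOM useful for locating affected builds quickly.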