Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit

TeamPCP is the likely cyber threat actor behind attacks on Trivy, Checkmarx's KICS and VS Code plug-ins, and the LiteLLM AI library and all signs point to more attacks to come


Hard on the heels of a broad supply chain attack that impacted the Aqua Security-maintained Trivy open source security-scanner project, Checkmarx on Tuesday disclosed that attackers had compromised a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project that it develops and maintains.

Specifically, the cybercriminals infiltrated the KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of it. Any organization whose automated CI/CD pipelines were configured to run the KICS GitHub Action during a four-hour window on the morning of March 23 could potentially be impacted, Checkmarx said.

The same day, threat actors also published malicious versions of two of the Checkmarx VS Code plug-ins to the OpenVSX registry, where they were available for download for a period of about three hours on March 23.

News of the attacks follows just days after Aqua Security first reported an attack in which a threat actor used a previously stolen privileged access credential to poison 76 of 77 previously released versions of Trivy's GitHub Action with an infostealer. The same threat actor also used a compromised automated service account to publish two malicious Docker images.
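As an added example (not Checkmarx's, Aqua Security's, or the article's own code), a small Python triage helper for the exposure described in the two paragraphs above: it scans GitHub workflow text for steps that reference the affected actions, flags any that are referenced through a mutable tag or branch rather than a full 40-hex commit SHA (a SHA pin cannot be silently repointed, which is why the 76-of-77-versions repoint did not touch SHA-pinned consumers), and lists workflow runs whose start time fell inside the exposure window. The repository slugs, the sample workflow, the run records, and the UTC bounds of the window are assumptions; the article gives only the date and the four-hour duration, so substitute the vendor's published times.

```python
"""Triage helper for the Trivy / KICS GitHub Action poisoning.

Added illustration, not vendor code. Action slugs and window bounds are assumed.
"""
import re
from datetime import datetime, timezone

# Action slugs named in the reporting; confirm against the vendor advisories (assumption).
AFFECTED_ACTIONS = {
    "checkmarx/kics-github-action",
    "aquasecurity/trivy-action",
}

# Exposure window for the KICS action. The article says only "a four-hour window
# on the morning of March 23"; these exact UTC bounds are placeholders (assumption).
KICS_WINDOW = (
    datetime(2026, 3, 23, 6, 0, tzinfo=timezone.utc),
    datetime(2026, 3, 23, 10, 0, tzinfo=timezone.utc),
)

# Matches `uses: owner/repo@ref` (optionally quoted, optionally as a list item).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text):
    """Return (action, ref, pinned_by_full_sha) for every `uses:` step."""
    refs = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1).lower(), m.group(2)
        refs.append((action, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def exposed_steps(workflow_text, affected=AFFECTED_ACTIONS):
    """Steps that pull an affected action via a mutable ref (tag or branch).

    Tags and branches can be repointed by whoever holds the publishing credential;
    a full commit SHA cannot, so SHA-pinned steps are not flagged here.
    """
    return [(action, ref) for action, ref, pinned in find_action_refs(workflow_text)
            if action in affected and not pinned]


def runs_in_window(runs, window=KICS_WINDOW):
    """Given (run_id, ISO-8601 UTC start time) pairs, return run ids inside the window.

    Every secret readable by a flagged run (repo secrets, OIDC-minted cloud creds,
    anything on the runner filesystem) should be treated as stolen and rotated.
    """
    start, end = window
    hits = []
    for run_id, ts in runs:
        started = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if start <= started <= end:
            hits.append(run_id)
    return hits


# Constructed sample workflow: one mutable KICS ref, one SHA-pinned Trivy ref.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: KICS
        uses: checkmarx/kics-github-action@v2.1.3
        with:
          path: infra/
      - name: Trivy
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed run records (ids and timestamps are made up).
SAMPLE_RUNS = [
    ("run-1001", "2026-03-23T07:30:00Z"),
    ("run-1002", "2026-03-23T12:00:00Z"),
]

if __name__ == "__main__":
    for action, ref in exposed_steps(SAMPLE_WORKFLOW):
        print(f"mutable ref to affected action: {action}@{ref}")
    for run_id in runs_in_window(SAMPLE_RUNS):
        print(f"run inside exposure window, rotate its secrets: {run_id}")
```

In practice the run records come from the repository's workflow-runs listing filtered to the affected workflows; the window check is only a first cut, since a mutable tag stays poisoned until the maintainer repoints it, so any run after the window but before the fix also needs review.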

At least one security vendor has attributed the malware used in the Trivy and the Checkmarx attacks to TeamPCP, a threat actor that is gaining attention for its automated attacks on cloud infrastructure, many of which involve credential theft. And there appear to be other supply chain targets as well.

A Broadening Supply Chain Attack

GitGuardian on Tuesday reported that the campaign had spread to the PyPI software registry, where the threat actor it identifies as TeamPCP had infected LiteLLM package versions 1.82.7 and 1.82.8 with the same infostealer malware used in the Trivy campaign.

The infostealer in the poisoned versions of LiteLLM, which the PyPI maintainers have since removed, enables a full range of credential theft, including lifting SSH keys and cloud credentials, API tokens, Docker configurations, information tied to crypto wallets, and more, GitGuardian said.

Many organizations use LiteLLM to build AI-powered applications, so the potential impact could be wide.

"LiteLLM is downloaded millions of times a day and it is highly likely that the blast radius is significant, despite PyPI's quick response in removing the malicious package," Guillaume Valadon, cybersecurity researcher at GitGuardian, tells Dark Reading.

For organizations, the message is clear, Valadon says: "Attackers are after your secrets. When it comes to incident response, the key now is to have a real-time inventory of compromised secrets so you can revoke them in an instant, thereby neutralizing the threat posed by these supply chain attacks using infostealers."

Attackers Are After Developer Secrets

Checkmarx has so far not disclosed full details of the compromise involving the two malicious VS Code plug-ins or the one involving the KICS GitHub Action, beyond saying they're linked. The company has not, for instance, provided details on the malicious payload. But its recommendation that organizations whose automated build pipelines might have touched the infected components immediately rotate all credentials, access keys, and login secrets suggests the payload is an infostealer.

In response to a Dark Reading request, a Checkmarx spokesman said via email that the company has already communicated details of the incident to customers in addition to its public disclosure. "[Checkmarx is] in the process of adding an update that the malicious artifacts have been removed from Open VSX. We continue our active investigation and will share more as we have it," the statement read.

According to GitGuardian's Valadon, there is little doubt that the attacks involving Aqua's Trivy, Checkmarx's VS Code plug-ins, the KICS GitHub Action, and LiteLLM are all related. "They share similar indicators of compromise (IoCs), such as the public key used for exfiltration, the targeted services and files, as well as the persistence technique," he says.

Meanwhile, a message left by the attackers, a link to the Queen video "The Show Must Go On," "suggests that this is only the beginning," Valadon adds.

The TeamPCP Cyber Threat Set to Grow

Wiz Research, which is independently tracking the campaign, has also attributed the activity to TeamPCP, saying its telemetry also points to a common threat actor behind the Trivy, Checkmarx, and LiteLLM compromises. The company believes that TeamPCP has begun collaborating with the notorious LAPSUS$ extortion group to "perpetuate the chaos."

"This isn't just credential stealing; it's an ecosystem-wide 'cascade' targeting the modern cloud-native and AI stack," Ben Read, a lead researcher at Wiz, said in a statement. Wiz's research has found LiteLLM present in 36% of all cloud environments, he said.

"By targeting security scanners and AI tools, this campaign gains a foothold in the most sensitive parts of the development life cycle," he explained. "Public Telegram messages from the actors warn of a 'snowball effect' and future targets across favorite open-source projects."

In separate comments to Dark Reading, Read says the attacks involving the OpenVSX plug-ins were also part of the same campaign because they involve the same code and public key: "The actors have said they are partnering with different organizations, likely to carry out extortions, but we have not confirmed that this has happened yet."