Cisco has become the latest high-profile victim of the cascading Trivy supply chain attack, with threat actors leveraging stolen credentials to breach the company's internal development environment. The attackers made off with source code from more than 300 GitHub repositories — including code for unreleased AI products — as well as AWS keys used to conduct unauthorized activity across a number of Cisco cloud accounts. The incident underscores how a single upstream compromise in the software supply chain can ripple downstream into enterprise environments with devastating effect.

How the Breach Unfolded

According to sources familiar with the matter who spoke to BleepingComputer, the intrusion began through a malicious GitHub Action plugin introduced as part of the wider Trivy supply chain compromise. Cisco's Unified Intelligence Center, CSIRT, and EOC teams were involved in containing the breach after it was discovered.

The malicious GitHub Action was used to harvest credentials and sensitive data directly from Cisco's build and continuous integration pipelines. The attack impacted dozens of assets, including developer workstations and internal lab environments. While the initial breach has been contained — with Cisco isolating affected systems, reimaging them, and rotating credentials at scale — the company reportedly anticipates continued fallout from follow-on supply chain attacks involving LiteLLM and Checkmarx.

What Was Stolen

The scope of the theft is significant. Investigators found that more than 300 GitHub repositories were cloned during the incident. These repositories contained source code for several of Cisco's AI-powered products, including:

  • AI Assistants — Cisco's conversational AI tooling for enterprise use cases
  • AI Defense — security tooling built around artificial intelligence
  • Multiple unreleased products still in development

Perhaps most alarming is the reported exfiltration of repositories belonging to Cisco's corporate customers, a list that allegedly includes banks, business process outsourcers (BPOs), and agencies within the US federal government. The theft of customer source code turns a vendor breach into a multi-party incident with potential regulatory and national security implications.

Additionally, multiple AWS access keys were stolen and subsequently used to perform unauthorized operations across a small number of Cisco AWS accounts, raising questions about what cloud-hosted data or services may have been accessed or exfiltrated.

Multiple Threat Actors Involved

Sources indicate that more than one threat actor participated in the CI/CD and AWS account breaches, with each group exhibiting varying levels of activity and sophistication. This multi-actor dynamic complicates attribution and incident response, as defenders must account for potentially diverging objectives, tactics, and exfiltration destinations.

Cisco has not publicly commented on the incident. BleepingComputer reports that emails to the company went unanswered at the time of publication.

The Trivy Supply Chain Attack Explained

Cisco's breach traces back to a compromise of Trivy, a widely used open-source vulnerability scanner maintained under the Aqua Security umbrella. In the attack, threat actors infiltrated Trivy's GitHub pipeline and embedded credential-stealing malware into the project's official releases and associated GitHub Actions.

Because Trivy is deeply integrated into CI/CD workflows across thousands of organizations, the compromise gave attackers a scalable mechanism to harvest internal build credentials — effectively turning a trusted security tool into an attack vector against the very pipelines it was meant to protect.

TeamPCP: The Threat Group Behind the Campaign

Security researchers have attributed this cluster of supply chain attacks to a threat group known as TeamPCP. The group deploys a custom infostealer dubbed the "TeamPCP Cloud Stealer", which is purpose-built to harvest credentials from cloud-native developer environments.

TeamPCP has been running an aggressive, multi-platform supply chain campaign targeting:

  • GitHub — via malicious Actions and compromised pipelines
  • PyPI — including the widely used LiteLLM package, impacting tens of thousands of devices
  • NPM — targeting JavaScript ecosystems
  • Docker — injecting malicious images or layers into container workflows
  • Checkmarx KICS — a popular infrastructure-as-code scanning project, weaponized to deliver the same stealer

The group's strategy is clear: infiltrate tools that developers inherently trust — security scanners, package managers, and build automation utilities — and use that trust to silently extract credentials from the environments where those tools run.

Implications for Enterprise Security Teams

The Cisco incident is a sharp reminder that CI/CD pipelines are high-value attack surfaces. Build environments often hold privileged credentials — cloud provider keys, code signing certificates, API tokens — with little of the monitoring and access control applied to production systems. When a trusted open-source tool is compromised upstream, every organization using it in an automated workflow becomes a potential target.

Security teams should treat this incident as a forcing function to audit their pipeline security posture:

  • Review and pin GitHub Actions to specific commit SHAs rather than floating version tags
  • Implement secrets scanning and rotate any credentials that may have transited compromised workflows
  • Apply least-privilege IAM policies to cloud credentials used in build systems
  • Monitor for anomalous repository cloning activity, especially at scale
  • Audit all third-party tools integrated into your CI/CD pipeline, particularly those with network access or credential access
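A check for the first recommendation above, added here as an illustration and not taken from Cisco, Aqua Security or the original report: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA (or, for `docker://` images, to a digest). The sample workflow and the `example-org` names in it are constructed, and the line-based regex is a simplifying assumption in place of a full YAML parse.

```python
import re

# A step or reusable-workflow reference: "uses: owner/repo[/path]@ref"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(target):
    """Return 'local', 'pinned' or 'floating' for one uses: value."""
    if target.startswith("./"):
        return "local"  # action stored in the same repository
    if target.startswith("docker://"):
        # An image reference is immutable only when it names a digest.
        return "pinned" if "@sha256:" in target else "floating"
    _, _, ref = target.partition("@")
    return "pinned" if FULL_SHA_RE.match(ref) else "floating"

def audit_workflow(text):
    """Return [(line_no, target)] for every uses: reference that can move."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "floating":
            findings.append((no, m.group(1)))
    return findings

# Constructed sample workflow (hypothetical names except actions/checkout).
SAMPLE = """\
name: build
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scanner-action@main
      - uses: ./.github/actions/local-lint
      - uses: docker://example.invalid/tool:latest
      # - uses: example-org/old-action@v1
      - name: abbreviated SHA does not count as a pin
        uses: example-org/other@0123456
"""

if __name__ == "__main__":
    for no, target in audit_workflow(SAMPLE):
        print(f"line {no}: {target} is not pinned to a full commit SHA")
```

Run over every file under `.github/workflows/`, a non-empty result can fail the build so that a retagged upstream release cannot silently change what the pipeline executes.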

Conclusion

The breach of Cisco's development environment is one of the most consequential downstream effects of the Trivy supply chain attack to date. With over 300 repositories stolen — including customer code tied to banks and government agencies — and cloud credentials weaponized against AWS infrastructure, the incident illustrates precisely why software supply chain security has become a board-level concern. As TeamPCP continues to expand its campaign across GitHub, PyPI, NPM, and Docker, organizations must move beyond perimeter defenses and invest in securing the developer toolchains and pipelines that underpin modern software delivery.