Sources
Snyk: How a Poisoned Trivy GitHub Action Became the Key to Backdooring LiteLLM's CI/CD Pipeline
Snyk published a detailed technical analysis of the TeamPCP campaign that compromised LiteLLM through a multi-stage supply chain attack: first poisoning the Trivy security scanner GitHub Action on March 19, then using stolen CI/CD credentials to inject a credential-stealing payload into LiteLLM's PyPI package. The same group also targeted Checkmarx and KICS GitHub Actions. The attack chain demonstrates how compromising a security tool itself becomes the most effective vector for downstream supply chain attacks — a pattern likely to accelerate as AI agent workflows increase CI/CD surface area.
Source
↳ Follow the thread