The tools you trust to protect your code just became the weapons used against you. In March 2026, a single stolen credential from Trivy, one of the most widely used open-source vulnerability scanners, cascaded into a supply chain attack that compromised five software ecosystems, backdoored a package with 97 million monthly downloads, and planted backdoors in AI development infrastructure worldwide.
This is not a theoretical risk. It already happened.
TL;DR — Your AI dev tools got weaponized in March 2026.
- A single Trivy credential theft cascaded into 5 ecosystems (GitHub Actions, Docker Hub, npm, PyPI, Open VSX)
- LiteLLM (97M monthly downloads) was backdoored for 3 hours with a credential-stealing payload
- Immediate action: pin commit SHAs, rotate secrets, adopt SLSA attestation
The Trigger: A Security Scanner Turns Into a Weapon
Here is the uncomfortable truth about software supply chains: the tools designed to keep you safe are themselves supply chain attack surfaces. In late February 2026, a threat group called TeamPCP stole a single Personal Access Token (PAT) from Aqua Security’s Trivy; think of it as stealing the master key from the locksmith’s shop.
What followed was a domino effect across five interconnected software ecosystems. From that one stolen credential, TeamPCP compromised GitHub Actions, Docker Hub, npm (47+ packages), PyPI, and even the Open VSX marketplace used by Cursor and Windsurf IDEs. (The Hacker News, Socket)
The scale is staggering. LiteLLM, a Python package downloaded 97 million times per month — used by Stripe, Netflix, Google, and virtually every major AI framework including CrewAI, DSPy, and MLflow — was weaponized for approximately three hours. (Sonatype, CyberInsider)
Three hours does not sound like much. But at 3 million downloads per day, even a brief window can mean tens of thousands of infected installations silently harvesting credentials, spreading through Kubernetes clusters, and establishing persistent backdoors. (BleepingComputer)
This is the story of how this AI supply chain attack happened, what it means for the AI development ecosystem, and what you need to do right now.
How the AI Supply Chain Attack Domino Unfolded
TeamPCP’s attack followed a precise cascade. Each compromised system became the launchpad for the next. Understanding this kill chain is essential because traditional perimeter security is useless against it — the threat comes from inside your trusted dependencies. (SANS Institute)
TeamPCP Supply Chain Kill Chain
- March 19, 2026. Phase 1: Trivy GitHub Actions compromised. Stolen PAT used to force-push malicious code to 75 of 76 version tags; 10,000+ workflows affected.
- March 20-22. Phase 2: Docker Hub + npm (47+ packages). Malicious Docker images deployed; the CanisterWorm self-replicating worm spread via blockchain C2.
- March 24. Phases 3-4: LiteLLM PyPI backdoored. Versions 1.82.7-1.82.8 weaponized with a .pth auto-execute file; 97M monthly downloads, 3-hour window.
- March 27. Phase 5: Telnyx WAV steganography. 332-line credential collector hidden inside a WAV audio file; XOR + base64 decoding evades EDR tools.
Phase 1: Trivy GitHub Actions Tag Manipulation (March 19)
TeamPCP used the stolen PAT to force-push malicious commits to 75 out of 76 version tags. Force-pushing replaces the code a tag points to without changing the tag name — like swapping the medicine inside a pharmacy bottle while keeping the same label. Over 10,000 workflow files that referenced Trivy by tag were now pulling attacker-controlled code. (Socket, CrowdStrike)
The GitHub “Immutable Release” badge? It still showed green. Tags are not truly immutable in Git — they are just pointers that can be moved. This AI supply chain attack shattered a fundamental assumption that many CI/CD pipelines relied on. (Socket)
Phase 2: Docker Hub and npm Worm Deployment (March 20-22)
With control over Trivy’s build pipeline, TeamPCP pushed malicious Docker images (versions 0.69.4 through 0.69.6) to Docker Hub. Simultaneously, they deployed CanisterWorm — a self-replicating worm — across 47+ npm packages using stolen tokens. (The Hacker News)
CanisterWorm is particularly novel. It uses ICP blockchain canisters as a command-and-control (C2) dead-drop resolver. Think of it as leaving instructions on a bulletin board that cannot be taken down because it is stored on a decentralized blockchain — making traditional takedown efforts futile. (The Hacker News)
Phase 3-4: LiteLLM PyPI Backdoor (March 23-24)
TeamPCP hijacked 35 tags in Checkmarx’s KICS GitHub Actions on March 23, then struck LiteLLM on March 24. Versions 1.82.7 and 1.82.8 were published to PyPI with a .pth file, a Python path configuration file whose `import` lines the interpreter’s site module executes at start-up. No explicit import needed: installing the package was enough to trigger the payload. (Sonatype, Endor Labs)
The payload operated in three stages: (1) credential harvesting from environment variables, cloud metadata services, and config files; (2) lateral movement through Kubernetes clusters; (3) a systemd backdoor for persistent access. Data was exfiltrated to models.litellm[.]cloud using RSA encryption. (Endor Labs)
Phase 5: Telnyx WAV Steganography (March 27)
The latest evolution of this AI supply chain attack. TeamPCP compromised Telnyx SDK versions 4.87.1 and 4.87.2 (742K monthly downloads), but with a twist: the actual 332-line credential collector was hidden inside a WAV audio file using steganography, decoded via XOR + base64. This progression shows a threat actor actively evolving to evade EDR tools. (Trend Micro)
The AI Development Ecosystem’s Structural Weakness
The TeamPCP campaign exposed something deeper than a single group’s tactics: the AI development ecosystem has grown far faster than its security infrastructure can support.
| Attack Vector | Target | Reach | Technique |
|---|---|---|---|
| .pth auto-execute | LiteLLM (PyPI) | 97M downloads/month | 3-stage credential stealer |
| Tag force-push | Trivy (GitHub Actions) | 10K+ workflows | Code replacement via tag mutation |
| Token theft + worm | npm (47+ packages) | Varies | Blockchain C2 self-replication |
| WAV steganography | Telnyx (PyPI) | 742K downloads/month | Audio file payload hiding |
| Deserialization RCE | LangChain/LangGraph | 52M+ downloads/week | Critical RCE (CVSS 9.3) |
| Scanner bypass | Open VSX | Cursor/Windsurf users | Verification skip |
Sources: Endor Labs, Socket, The Hacker News, Vulert
Look at the download numbers. LiteLLM alone serves 97 million monthly downloads. LangChain and LangGraph see over 52 million weekly downloads. These are not niche libraries — they are the foundational plumbing of the entire AI agent ecosystem. The same week TeamPCP was compromising LiteLLM, three separate CVEs dropped for LangChain and LangGraph: a path traversal vulnerability (CVSS 7.5), a deserialization flaw (CVSS 9.3), and a SQL injection bug (CVSS 7.3). (The Hacker News)
Meanwhile, the “Open Sesame” bug in Open VSX allowed malicious VS Code extensions to bypass security scanning entirely — meaning developers using Cursor or Windsurf IDEs could install compromised extensions that passed all marketplace checks. The pattern is clear: AI development tools are being adopted at breakneck speed, but the supply chain attack surface has expanded faster than defenses. (The Hacker News)
Inside TeamPCP: Motivations and Methods
TeamPCP operates under multiple aliases — DeadCatx3, PCPcat, ShellForce, CipherForce — and their motivations appear to be a mix of financial gain and geopolitical objectives. On the financial side, their payloads consistently target Solana validator keys, cryptocurrency wallet credentials, and cloud service tokens. (Kaspersky)
But there is a geopolitical dimension too. During the Trivy compromise, researchers discovered an Iran-targeted Kubernetes wiper — destructive malware specifically aimed at K8s clusters in Iranian infrastructure. Their C2 infrastructure follows a consistent pattern: typosquatted domains, dedicated exfiltration endpoints, and a YouTube kill switch mechanism. (Sonatype)
The sophistication is escalating. From direct inline payloads in early attacks to WAV steganography in the Telnyx compromise, TeamPCP is demonstrating rapid tactical evolution. Each AI supply chain attack iteration incorporates lessons from the previous one. (Trend Micro)
AI Supply Chain Attack Defense Playbook: What To Do Right Now
The good news: concrete defenses exist. The bad news: most organizations have not implemented them yet. Here is what the security community recommends, divided into immediate actions and structural changes. If you have been following our AI agent security governance analysis, you know that trust frameworks must come before features — and that principle applies to your entire dependency stack.
Immediate Actions (This Week)
Check your versions. If your projects use LiteLLM 1.82.7 or 1.82.8, Trivy Docker images 0.69.4-0.69.6, or Telnyx 4.87.1-4.87.2, assume compromise. Rotate all credentials, API keys, and tokens that were accessible to those environments. (LiteLLM Security Blog)
Scan for IoCs. Look for connections to models.litellm[.]cloud, checkmarx[.]zone, and scan[.]aquasecurtiy[.]org. Check for unexpected .pth files in your Python site-packages directories. Review systemd services for unfamiliar entries. (CrowdStrike, Microsoft)
Audit your GitHub Actions. If any workflow references Trivy or Checkmarx KICS by tag (e.g., @v1, @latest), you were in the blast radius. Switch to commit SHA pinning immediately. (Socket)
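The first two immediate actions above (check versions, look for unexpected .pth files) can be done with a short local triage script. The one below is an added example written for this article, not code from LiteLLM, Sonatype or any vendor. The package names and version lists come from the article; the allow-list name `KNOWN_GOOD_PTH`, the `demo()` helper and the sample .pth contents are constructed for the example. It flags .pth lines beginning with `import`, because CPython’s site module executes exactly those lines at interpreter start-up.

```python
"""Local triage: known-bad package versions and .pth files that execute at start-up.

Added example for this article, not vendor code. Run it inside each virtualenv you
care about, since importlib.metadata and site.getsitepackages() see only that env.
"""
import os
import site
import tempfile
from importlib import metadata

# Versions the article names as compromised (package -> versions); extend as advisories update.
AFFECTED = {
    "litellm": {"1.82.7", "1.82.8"},
    "telnyx": {"4.87.1", "4.87.2"},
}

# Hypothetical allow-list of .pth files whose import lines are expected in this environment.
# setuptools' distutils-precedence.pth is a well-known legitimate one; review anything else.
KNOWN_GOOD_PTH = {"distutils-precedence.pth"}


def check_installed(affected=AFFECTED, version_of=None):
    """Return {package: version} for every affected package installed at a bad version.

    version_of(name) -> version string or None; defaults to importlib.metadata.
    """
    if version_of is None:
        def version_of(name):
            try:
                return metadata.version(name)
            except metadata.PackageNotFoundError:
                return None
    hits = {}
    for name, bad in affected.items():
        ver = version_of(name)
        if ver in bad:
            hits[name] = ver
    return hits


def executable_pth_lines(text):
    """Lines of a .pth file that CPython's site module will exec() at start-up.

    site.addpackage() executes any line starting with 'import ' or an import followed
    by a tab; every other non-comment line is just a directory appended to sys.path.
    """
    return [line for line in text.splitlines()
            if line.startswith(("import ", "import\t"))]


def scan_site_packages(dirs=None, known_good=KNOWN_GOOD_PTH):
    """Return {path: [executable lines]} for unexpected .pth files in the given dirs."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            if not entry.endswith(".pth") or entry in known_good:
                continue
            path = os.path.join(d, entry)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = executable_pth_lines(fh.read())
            except OSError:
                continue
            if lines:
                findings[path] = lines
    return findings


def demo():
    """Constructed demonstration in a temp dir: one benign .pth, one with an import line."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "paths.pth"), "w") as fh:
            fh.write("/opt/constructed/extra-packages\n")  # only extends sys.path
        with open(os.path.join(tmp, "hook.pth"), "w") as fh:
            fh.write("import sys; sys.path.insert(0, '/tmp/constructed')\n")  # would run at start-up
        findings = scan_site_packages([tmp])
    return {os.path.basename(p): lines for p, lines in findings.items()}


if __name__ == "__main__":
    for name, ver in check_installed().items():
        print(f"[!] {name} {ver} is a known-compromised version: rotate every credential it could reach")
    for path, lines in scan_site_packages().items():
        print(f"[?] {path} executes at interpreter start-up:")
        for line in lines:
            print("      " + line)
    print("demo:", demo())
```

A hit from `check_installed()` means the environment should be treated as compromised regardless of what the .pth scan finds, since the payload may have already run and removed its own traces; a .pth finding outside the allow-list is a lead to investigate, not proof on its own, because editable installs and some build tools legitimately ship import lines.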
Structural Changes (This Quarter)
Pin by commit SHA, not tags. Tags can be moved; commit SHAs cannot. Instead of `uses: aquasecurity/trivy-action@v1`, use `uses: aquasecurity/trivy-action@abc123def456`, where the placeholder stands for the full 40-character commit hash you have verified. This is the single most impactful change you can make against AI supply chain attacks. (Socket, CrowdStrike)
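To find the workflows that were in the blast radius (the audit step above) and to enforce SHA pinning going forward, the following added example scans workflow files for `uses:` references that an upstream force-push could redirect. It is written for this article, not taken from Socket, CrowdStrike or GitHub. It is regex-based so it needs no YAML library; the sample workflow and its 40-hex SHA are constructed placeholders, not real commits.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to an immutable identifier.

Added example for this article. A tag or branch name (v1, latest, main) can be moved by
whoever controls the upstream repo; a full commit SHA or an image digest cannot.
"""
import glob
import re

# GitHub resolves SHA references only when the full 40-hex-character commit SHA is given.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: value` whether or not the step starts with `- `; trailing comments are dropped.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


def classify_ref(uses_value):
    """Classify a `uses:` value as 'sha', 'digest', 'tag', 'local' or 'unpinned'."""
    if uses_value.startswith("./"):
        return "local"                      # action in this repo; fixed by the checkout itself
    if uses_value.startswith("docker://"):
        return "digest" if "@sha256:" in uses_value else "tag"
    if "@" not in uses_value:
        return "unpinned"                   # GitHub rejects this form, but flag it anyway
    ref = uses_value.rsplit("@", 1)[1]
    return "sha" if FULL_SHA.match(ref) else "tag"


def find_movable_refs(workflow_text):
    """Return [(uses_value, kind)] for every reference an upstream force-push could redirect."""
    findings = []
    for match in USES_LINE.finditer(workflow_text):
        value = match.group(1)
        kind = classify_ref(value)
        if kind in ("tag", "unpinned"):
            findings.append((value, kind))
    return findings


def audit(pattern=".github/workflows/*.y*ml"):
    """Scan workflow files matching the glob; return {path: findings} for files with movable refs."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            findings = find_movable_refs(fh.read())
        if findings:
            results[path] = findings
    return results


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: pinned the right way
        uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
"""

if __name__ == "__main__":
    for value, kind in find_movable_refs(SAMPLE_WORKFLOW):
        print(f"{kind:9s} {value}")
    for path, findings in audit().items():
        print(path, findings)
```

Run it from the repository root; anything it prints is a reference to replace with a verified commit SHA. Keeping the human-readable version in a trailing comment (`@<sha>  # v5`) is the convention Dependabot and Renovate use to keep SHA pins updated, so pinning does not mean freezing.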
Adopt PyPI Trusted Publishers. This OIDC-based mechanism ties package publishing to a specific CI/CD pipeline identity, making it significantly harder for attackers to publish from compromised maintainer accounts. Over 132,360 PyPI packages have already adopted this.
Use SLSA provenance attestation. SLSA (Supply-chain Levels for Software Artifacts) provides cryptographic proof of where and how a package was built. Think of it as a tamper-evident seal for software.
| Defense Layer | Tool/Practice | Protects Against | Adoption Effort |
|---|---|---|---|
| Immediate | Commit SHA pinning | Tag manipulation | Low — config change |
| Immediate | Credential rotation | Stolen tokens | Medium — operational |
| Structural | PyPI Trusted Publishers | Unauthorized publishing | Medium — CI/CD change |
| Structural | SLSA attestation | Tampered builds | High — pipeline redesign |
| Structural | Time-based filtering | Post-compromise installs | Low — CLI flag |
| Structural | Lockfile + hash pinning | Version substitution | Low — already available |
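The last row of the table, lockfile plus hash pinning, is the defense that would have caught a substituted LiteLLM wheel even when the version number looked right. The added example below (written for this article, not pip’s own code) parses a pip-compile-style requirements file with `--hash=` options and verifies an artifact against it, which is the check pip performs in `--require-hashes` mode. The package name `examplepkg`, the artifact bytes and the lockfile are constructed so the script runs offline; real hashes come from `pip hash <file>` or `pip-compile --generate-hashes`.

```python
"""Verify artifacts against a hash-pinned requirements file (added example, not pip's code).

Hash pinning catches the two failure modes in the article: a tampered artifact behind an
unchanged version number, and a substituted version the lockfile never approved.
"""
import hashlib
import re

# One requirement per logical line; backslash continuations join the --hash options,
# which is exactly how pip-compile --generate-hashes lays them out.
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)(.*)$")
HASH_OPT = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-f]+)")


def parse_lockfile(text):
    """Return {name: (version, {(algo, hexdigest), ...})}; refuse unpinned or hash-less lines."""
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        name, version, rest = m.groups()
        hashes = {(algo, digest) for algo, digest in HASH_OPT.findall(rest)}
        if not hashes:
            # pip --require-hashes behaves the same way: every requirement needs a hash.
            raise ValueError(f"{name}=={version} has no --hash option; refusing to install")
        pins[name.lower()] = (version, hashes)
    return pins


def verify_artifact(pins, name, version, data):
    """True iff data's digest matches one of the locked hashes for exactly name==version."""
    entry = pins.get(name.lower())
    if entry is None or entry[0] != version:
        return False                         # version substitution: not what was locked
    locked_version, hashes = entry
    return any(hashlib.new(algo, data).hexdigest() == expected for algo, expected in hashes)


# Constructed artifact and lockfile: not real package bytes, not a real package hash.
GOOD_WHEEL = b"PK\x03\x04constructed-wheel-bytes-for-examplepkg-1.0.0"
GOOD_SHA = hashlib.sha256(GOOD_WHEEL).hexdigest()
LOCKFILE = f"""\
# constructed lockfile in pip-compile style
examplepkg==1.0.0 \\
    --hash=sha256:{GOOD_SHA}
"""


def demo():
    """Returns (genuine artifact ok, tampered artifact ok, substituted version ok)."""
    pins = parse_lockfile(LOCKFILE)
    genuine = verify_artifact(pins, "examplepkg", "1.0.0", GOOD_WHEEL)
    tampered = verify_artifact(pins, "examplepkg", "1.0.0", GOOD_WHEEL + b"\x00")
    substituted = verify_artifact(pins, "examplepkg", "1.0.1", GOOD_WHEEL)
    return genuine, tampered, substituted


if __name__ == "__main__":
    print("genuine, tampered, substituted:", demo())
```

In practice you do not run this yourself: commit the generated lockfile and install with `pip install --require-hashes -r requirements.txt`, which applies the same rules (every requirement pinned, every requirement hashed, any mismatch aborts the install). Note that hash pinning only freezes what you already trust; it does not help if the lockfile was generated during the three-hour window, so pair it with the version checks above.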
The Korea Angle: KISA Active Defense and the NSA 7-Nation Response
South Korea is not immune to the AI supply chain attack threat. KISA reported 2,383 cybersecurity incidents in 2025, a 26.3% year-over-year increase, with PyPI and npm explicitly identified as key attack vectors. The Ministry of Science and ICT is signaling a shift from reactive incident response to what they call “active defense” — proactive threat hunting and supply chain verification before incidents occur. (Daily Security)
AI Supply Chain Attack by the Numbers
- 97M: LiteLLM monthly downloads
- 2,383: KISA cyber incidents (2025)
- 5: ecosystems compromised
On March 4, 2026, the NSA joined forces with intelligence agencies from six other countries — including South Korea’s National Intelligence Service — to publish a joint AI/ML supply chain risk mitigation guide. The document identifies six critical supply chain components and provides specific mitigation strategies for each. (NSA/DoD)
IBM’s 2026 X-Force Threat Intelligence Index paints the macro picture: large-scale supply chain and third-party breaches have quadrupled since 2020. For Korean enterprises running AI workloads — whether in fintech, manufacturing, or the rapidly growing AI agent market — the message is clear: your dependency tree is your attack surface. Every pip install, every npm install, every Docker pull is a trust decision. (IBM Newsroom)
AI Supply Chain Attack Impact on Your Career
If you work in tech, DevOps, or any role that touches software supply chains, this incident changes the conversation. Supply chain security is moving from a “nice to have” checkbox to a core competency. As we explored in our earlier analysis of how $81B in supply chain damage rewrote software trust, the structural risk has been building for years.
Gartner’s recent Market Guide for Guardian Agents highlights a new category: AI systems that monitor other AI systems for security anomalies. The irony is not lost — we now need AI guardians for our AI development tools. The kill chain concept itself is becoming obsolete when your AI agent — the tool doing the coding, testing, and deploying — is the threat. (The Hacker News)
Microsoft’s rapid publication of a Trivy-specific detection and investigation guide shows how seriously major vendors are taking this. When Microsoft publishes a dedicated response guide within 48 hours of a compromise, you know the blast radius is significant. (Microsoft Security Blog)
References
- The Hacker News — “TeamPCP Backdoors LiteLLM Versions 1.82.7-1.82.8 on PyPI,” 2026-03-24
- Sonatype — “Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer,” 2026-03-25
- Endor Labs — “TeamPCP Isn’t Done: Telnyx, CanisterWorm, and Expanding Supply Chain Threat,” 2026-03-27
- Socket — “Trivy Under Attack Again: GitHub Actions Tag Compromise,” 2026-03-24
- CrowdStrike — “From Scanner to Stealer: Inside the Trivy Action Supply Chain Compromise,” 2026-03-24
- Microsoft Security Blog — “Detecting, Investigating, and Defending Against Trivy Supply Chain Compromise,” 2026-03-24
- Trend Micro — “TeamPCP Telnyx Attack Marks a Shift in Tactics,” 2026-03-27
- CyberInsider — “New Supply Chain Attack Hits LiteLLM with 95M Monthly Downloads,” 2026-03-25
- BleepingComputer — “Popular LiteLLM PyPI Package Compromised in TeamPCP Supply Chain Attack,” 2026-03-25
- The Hacker News — “LangChain, LangGraph Flaws Expose Files, Secrets, Databases,” 2026-03-27
- Arctic Wolf — “TeamPCP Cascading Supply Chain Attack,” 2026-03-25
- SANS Institute — “When Security Scanner Became Weapon: Inside TeamPCP Campaign,” 2026-03-26
- Kaspersky — “Trojanization of Trivy, LiteLLM, Checkmarx,” 2026-03-25
- NSA/DoD — “NSA AI/ML Supply Chain Risks and Mitigations,” 2026-03-04
- IBM Newsroom — “IBM 2026 X-Force Threat Intelligence Index,” 2026-02-25
- Daily Security — “KISA 2026 Cybersecurity Report,” 2026-03-20
- LiteLLM — “LiteLLM Security Update — March 2026,” 2026-03-25
FAQ
Was I affected by the LiteLLM AI supply chain attack?
If your projects installed LiteLLM versions 1.82.7 or 1.82.8 between March 24-25, 2026, you may have been affected. Check your pip install logs and look for .pth files in your site-packages directory. The exposure window was approximately 3 hours, but automated CI/CD pipelines could have pulled the compromised version during that window. (Sonatype)
How do I protect my CI/CD pipeline from supply chain attacks like TeamPCP?
The most effective immediate step is switching from tag-based references to commit SHA pinning in your GitHub Actions workflows. Beyond that, adopt PyPI Trusted Publishers for your own packages, enable SLSA provenance verification, and use lockfiles with hash pinning for all dependencies. (Socket, CrowdStrike)
Are AI development frameworks like LangChain and LiteLLM safe to use now?
The specific compromised versions have been removed from PyPI, and LiteLLM has published a security update. However, the underlying structural risks remain — rapid adoption outpacing security review. Use the latest patched versions, pin specific commit SHAs, and monitor security advisories for your AI dependency stack. (LiteLLM Security Blog)
What is SLSA attestation and why does it matter for AI supply chain security?
SLSA (Supply-chain Levels for Software Artifacts) provides cryptographic proof of how and where a software package was built. It functions like a tamper-evident seal — if someone modifies the build process or injects malicious code, the attestation verification fails. Over 132,360 PyPI packages now support it. (DEV Community)
This article is for informational purposes only and does not constitute investment or security advice. Organizations should consult qualified cybersecurity professionals for their specific environments. All data is sourced from publicly available reports as of March 31, 2026.
Bottom Line. The era of “trust but verify” in software dependencies is over. When your security scanner can become the backdoor, the only safe assumption is zero trust from package registry to production.
Career Takeaway. If you touch any part of the software supply chain — from writing code to deploying it — make commit SHA pinning and SLSA attestation part of your core skill set. AI supply chain attack literacy is becoming as essential as knowing how to write a unit test.