GeistHaus
TeamPCP deploys CanisterWorm on NPM following Trivy compromise

aikido.dev

8 pages link to this URL
Detecting CI/CD Supply Chain Attacks with Canary Credentials | Tracebit

A single threat actor - TeamPCP - compromised a chain of widely-used open source tools: Trivy, KICS, LiteLLM, and Telnyx. This post looks at the campaign and explores the question: once you've pinned your actions and hardened your runners, what actually detects credential exfiltration from a compromised CI/CD pipeline?

1 inbound link website en
My New Secure Baseline for GitHub

In March there was a particularly nasty supply chain attack targeting Aqua Security and their tools, including the widely used Trivy security scanner, which later spread to other projects. The attack was carried out by a threat actor named TeamPCP and began by exploiting an insecure GitHub Actions workflow that utilised the pull_request_target trigger – a type known to be dangerous and easily misused. Using this, they stole a Personal Access Token granting wider access to the aquasecurity org.

Update: Ongoing Investigation and Continued Remediation

Open Source Security Advisory Update: Wednesday, April 1, 2026 Boston, MA 10:00 AM ET Over the past week, we have nearly finalized our investigation and are now in the final stages of documentation and review. There continues to be no indication that Aqua’s commercial products have been affected. As part of this process, we identified …

16 inbound links article en Aqua Trivy