In a concerning cybersecurity development, Cisco has experienced a major breach after threat actors exploited stolen credentials linked to the recent Trivy supply chain attack. As a result, attackers gained unauthorized access to Cisco’s internal development environment and exfiltrated sensitive source code belonging to both the company and its customers.

According to a source familiar with the matter, Cisco’s internal teams—including its Unified Intelligence Center, CSIRT, and EOC—acted quickly to contain the incident. The breach reportedly involved a malicious GitHub Action plugin introduced during the Trivy compromise, which served as the initial entry point for attackers.

Subsequently, the attackers leveraged this compromised plugin to extract credentials and sensitive data from Cisco’s development and build systems. This intrusion impacted dozens of devices, including developer machines and lab workstations, thereby expanding the scope of the attack.

Although Cisco has successfully contained the initial breach, the situation remains complex. Experts anticipate ongoing repercussions due to related supply chain attacks involving LiteLLM and Checkmarx, which are believed to be connected to the same threat campaign.

As part of the incident, attackers reportedly stole multiple AWS keys. They later used these keys to conduct unauthorized activities across a limited number of Cisco’s AWS accounts. In response, Cisco has taken swift remediation measures, including isolating affected systems, reimaging compromised machines, and initiating a large-scale credential rotation process to prevent further misuse.

Moreover, reports indicate that attackers cloned more than 300 GitHub repositories during the breach. Alarmingly, these repositories included source code for Cisco’s AI-powered solutions, such as AI Assistants, AI Defense, and even some unreleased products. In addition, a portion of the compromised data is believed to belong to enterprise customers, including financial institutions, BPOs, and U.S. government agencies.

Further complicating the situation, multiple sources suggest that more than one threat actor participated in the breach. Each actor appeared to have varying levels of involvement, which highlights the coordinated and sophisticated nature of the attack.

Cisco has not yet publicly responded to inquiries regarding the incident.

The root cause of the breach traces back to the Trivy supply chain attack, which targeted the widely used vulnerability scanning tool. During that attack, threat actors infiltrated the project’s GitHub pipeline and distributed credential-stealing malware through official releases and GitHub Actions.

This compromise allowed attackers to harvest CI/CD credentials from organizations using Trivy, thereby granting access to numerous internal development environments.

Security researchers have linked these attacks to the TeamPCP threat group, known for deploying its “TeamPCP Cloud Stealer” malware. The group has consistently targeted developer ecosystems, including platforms like GitHub, PyPI, NPM, and Docker.

Additionally, the attackers extended their campaign by compromising the LiteLLM PyPI package and the Checkmarx KICS project, spreading the same information-stealing malware across thousands of systems.

Overall, this incident underscores the growing risks associated with supply chain vulnerabilities. It also highlights the urgent need for organizations to strengthen their CI/CD security and continuously monitor third-party dependencies to prevent similar breaches in the future.
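The entry point described above, a malicious GitHub Action distributed through a compromised project, is the kind of dependency a pipeline pulls in by mutable tag (`@v4`, `@main`) and so receives whatever the tag points at on the day of the build. One concrete control behind the "strengthen CI/CD security" advice is to require that third-party actions be pinned to a full commit SHA, which a compromised tag cannot silently retarget. The checker below is an added example written for this article, not code from Cisco, Trivy, or any of the projects named; the sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow and captures the
# reference, e.g. "actions/checkout@v4" or "org/action@<sha>".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.MULTILINE)

# A full 40-hex commit SHA is the only reference GitHub treats as immutable.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text):
    """Return a list of (reference, reason) for every third-party action
    in the workflow text that is not pinned to a full commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        # Local composite actions and container images are outside this check.
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        if '@' not in ref:
            findings.append((ref, 'no version reference at all'))
            continue
        _action, version = ref.rsplit('@', 1)
        if not FULL_SHA_RE.match(version):
            findings.append((ref, f'mutable reference {version!r}, not a full commit SHA'))
    return findings


# Constructed sample workflow (not from any real repository). The SHA below
# is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@main
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - name: run scanner
        run: ./scan.sh
"""


if __name__ == '__main__':
    for ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f'UNPINNED {ref}: {reason}')
```

Run against a checkout of `.github/workflows/*.yml` as a pre-merge check; on the sample above it reports the two tag- and branch-referenced actions and accepts the SHA-pinned one and the local step. Pinning is only half of the control: the pinned SHA still has to be reviewed when it is bumped, and the build's own credentials should be scoped so that a compromised step can reach as little as possible.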
