Pipeline Security Lessons from March Attacks

Imagine running a routine vulnerability scan – and handing hackers your SSH keys on a platter. March's pipeline attacks did exactly that to devs worldwide.

March Pipeline Hacks: Your Secrets Are Draining Away — theAIcatchup

Key Takeaways

  • CI/CD pipelines execute whatever a version tag of Trivy, axios or any other dependency resolves to today, with full access to the job's secrets. That blind trust is the fatal flaw.
  • Pin everything to immutable references: commit SHAs for actions, digests for images, hashes for packages. Mutable tags are hacker bait.
  • Expect more of this: audit the scanners and build tools you run, rotate every credential that passed through an affected pipeline, and move to short-lived, per-job secrets now.

TeamPCP struck first on March 19, force-pushing malware into 76 Trivy GitHub Action tags. Pipelines everywhere lit up with credential-stealing payloads, grabbing SSH keys, cloud tokens, secrets—no questions asked.

Zoom out: Twelve days. Four attacks. Millions of downloads compromised. Trivy, Checkmarx KICS, LiteLLM, axios. All via the build pipeline, that trusted heart of modern DevOps. And here’s the market dynamic screaming loud—open-source tools power 90% of CI/CD flows (per GitHub’s 2025 Octoverse), yet they’re soft targets in a $10B supply chain security market still chasing its tail.

But.

This wasn’t random chaos. TeamPCP chained exploits like pros, pivoting stolen creds from one victim to the next. My take? It’s SolarWinds 2.0, but faster, meaner—attackers now bet on pipeline trust, not just code. Without immutable pins, expect a 2027 spike: 10x incidents as AI tools balloon PyPI/npm traffic 300% (PyPI stats show it).

The Timeline That Shook DevOps

March 19: Trivy falls. Aquasecurity's action and setup-trivy repos? Pwned via stolen creds. The attackers shipped a trojanized v0.69.4 binary, now tracked as CVE-2026-33634 (CVSS 9.4, on the CISA KEV list). The malware slurps env vars from any pipeline running a scan.

“The payload was credential-stealing malware that harvested environment variables, cloud tokens, SSH keys, and CI/CD secrets from every pipeline that ran a Trivy scan.”

TeamPCP doesn’t stop. March 23: KICS actions (ast-github-action, kics-github-action) get the same treatment. Four hours of silent exfil—API keys, DB pwds, gone.

LiteLLM next: 95M monthly PyPI pulls. The backdoored 1.82.7/1.82.8 releases hide the payload in base64 and fire it from a .pth file. Python processes every .pth in site-packages at interpreter start-up and executes any line that begins with import, so the payload runs in every Python process on the host without the package ever being imported. Install it? Boom, data flows to the fake domain models.litellm.cloud.
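The .pth mechanism is worth seeing in code, because it is a legitimate Python feature that a backdoored wheel only has to abuse. The scanner below is an added example written for this article, not code from LiteLLM, PyPI or the researchers who analysed the malware. It walks a site-packages tree, reports every .pth line that the interpreter would execute, and flags lines carrying the usual payload markers. The two .pth files it scans are constructed in a temporary directory; the "payload" decodes to the harmless statement `pass`.

```python
"""Find .pth files that execute code when Python starts.

site.py processes every *.pth file in site-packages at interpreter start-up.
A line that begins with "import " (or "import\t") is passed to exec(); every
other non-comment line is appended to sys.path. A backdoored wheel only has to
ship a .pth whose "import" line decodes and runs a payload, and it fires in
every Python process on the box whether or not the package is ever imported.
"""
import re
import tempfile
from pathlib import Path

# Strings that rarely belong on a legitimate .pth "import" line.
SUSPICIOUS = re.compile(
    r"base64|exec\(|eval\(|compile\(|__import__|urllib|socket|subprocess|os\.system"
)


def scan_pth_tree(site_packages: str) -> list:
    """Return every executable .pth line under site_packages, flagged if suspicious."""
    findings = []
    for pth in sorted(Path(site_packages).rglob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            # Path entries and comments are never executed; only "import" lines are.
            if not line.startswith(("import ", "import\t")):
                continue
            findings.append({
                "file": pth.name,
                "line": lineno,
                "code": line.strip(),
                "suspicious": bool(SUSPICIOUS.search(line)),
            })
    return findings


def demo() -> list:
    """Build a throwaway site-packages with one benign and one backdoor-style .pth."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    # Benign (constructed): the kind of line setuptools' easy-install.pth used to carry.
    Path(root, "easy-install.pth").write_text(
        "/opt/venv/lib/python3.12/site-packages/somepkg\n"
        "import sys; sys.__plen = len(sys.path)\n"
    )
    # Backdoor-style (constructed): decode a base64 blob and exec it at start-up.
    # "cGFzcw==" is base64 for "pass", so nothing harmful is even encoded here.
    Path(root, "somepkg-init.pth").write_text(
        "import base64, sys; exec(base64.b64decode('cGFzcw=='))\n"
    )
    return scan_pth_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['file']}:{f['line']}  {f['code']}")
```

Point it at the real thing with `scan_pth_tree(sysconfig.get_paths()["purelib"])`. Every hit deserves a look, not only the flagged ones: a legitimate `import` line in a .pth is rare enough that an unexplained one on a build runner is a finding in itself.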

Axios caps it: 100M+ weekly npm downloads. Versions 1.14.1 and 0.30.4 pull in a RAT through a fake dependency ([email protected]). Cross-platform, and it self-destructs after running.

Bonus idiocy: Some npm package leaks 512K lines of AI coder source—flags, prompts, codenames—via bungled .npmignore.

Why Do Pipelines Bleed So Easily?

Trust. Blind, version-tag trust. Pipelines assume GitHub tags, PyPI versions, npm packs are golden. No sig checks, no SHA pins—execute with god-mode access to secrets.

Data point: 70% of GitHub Actions use tags over SHAs (Snyk 2025 report). Mutable tags = attacker paradise. Force-push, publish, done.

Three patterns:

  1. Compromised tools (Trivy, KICS, LiteLLM) turn a security control into the delivery vehicle: the scanner you run to find problems is the one exfiltrating your secrets.

  2. Mutable refs (tags, branches, floating version ranges) let malware masquerade as a routine update; nothing in the pipeline notices that the same tag now points somewhere else.

  3. Misconfigurations ship artifacts and secrets that were never meant to leave the repo.
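Pattern 2 is mechanical enough to catch before merge. The linter below is an added example written for this article, not a GitHub, GitLab or Aqua tool. It reads a workflow file line by line and flags every `uses:` reference that is not a full 40-hex commit SHA and every container image that is not pinned by `@sha256:` digest. The workflow text is constructed, the org and action names in it are made up, and the commit SHA is a placeholder rather than a real commit.

```python
"""Lint a GitHub Actions workflow for mutable references.

Every `uses: owner/repo@ref` resolves through a git ref. A tag or branch can be
moved (or force-pushed over, as the attacks above show) after you reviewed it;
a full 40-hex commit SHA cannot. The same holds for container images: `:latest`
or `:1.2.3` can be re-pushed, `@sha256:<digest>` cannot.
"""
import re
from typing import Optional

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^\s'\"#]+)")


def check_image(ref: str) -> Optional[str]:
    """Reason an image reference is mutable, or None if digest-pinned."""
    return None if IMAGE_DIGEST.search(ref) else "image not pinned by @sha256 digest"


def check_action(ref: str) -> Optional[str]:
    """Reason an action reference is mutable, or None if acceptable."""
    if ref.startswith("./"):
        return None  # local action: same repo, same commit as the workflow itself
    if ref.startswith("docker://"):
        return check_image(ref[len("docker://"):])
    if "@" not in ref:
        return "no ref at all (resolves to the default branch)"
    _, git_ref = ref.rsplit("@", 1)
    if FULL_SHA.match(git_ref):
        return None
    return f"mutable ref '{git_ref}' (tag or branch, not a 40-hex commit SHA)"


def lint_workflow(text: str) -> list:
    """Return one finding per mutable action or image reference in the workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, checker in ((USES_LINE, check_action), (IMAGE_LINE, check_image)):
            m = pattern.match(line)
            if m:
                reason = checker(m.group(1))
                if reason:
                    findings.append({"line": lineno, "ref": m.group(1), "reason": reason})
    return findings


# Constructed workflow; "0123456789abcdef0123456789abcdef01234567" is a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example-org/builder:latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@v1
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: example-org/other-action
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:2}: {f['ref']}  ->  {f['reason']}")
```

Run it as a pre-commit hook or a required CI check on `.github/workflows/*.yml` and fail the build on any finding. Two caveats a SHA pin does not remove: the action you pin can itself `uses:` mutable references internally, and pinning freezes trust at the commit you reviewed, so the review has to happen. Tools such as Dependabot can bump SHA pins for you so that "pinned" does not decay into "stale".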

GitLab pushes centralized policy—block unsigned images, enforce SHA pins, scan for secrets. Smart. But their note screams PR spin: “GitLab didn’t use compromised versions.” Duh—self-promo amid carnage feels tone-deaf when 80% of teams still hack pipelines sans policy engines (DevOps Research 2026).

Can Pinning and Policies Actually Stop This?

Yes, but only if enforced. Pin to SHAs and digests. Verify checksums before anything runs. GitLab's pipeline policies: block untrusted actions, require signatures, quarantine failures.

Look at numbers: Teams pinning deps see 85% fewer supply chain hits (JFrog State of Pipelines 2025). Add SBOMs, sig verification—drop risk 95%.
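"Verify checksums pre-run" means two concrete things for a Python-heavy pipeline like LiteLLM's: every requirement is pinned to an exact version with a `--hash`, so that `pip install --require-hashes -r requirements.txt` refuses anything else, and any release binary you download (a scanner, for instance) is compared against its published digest before it executes. Both checks below are an added example written for this article, not pip's or any vendor's code. The requirements text is constructed and its hash is a placeholder, not the real digest of any wheel; the "binary" is a few constructed bytes.

```python
"""Pre-run checks for a pinned, hash-verified dependency set and a downloaded binary."""
import hashlib
import hmac
import os
import re
import tempfile

EXACT_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)==([^\s\\;]+)")
SHA256_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})\b")


def audit_requirements(text: str) -> list:
    """Flag lines that float across versions or that pip's hash-checking mode would refuse."""
    findings = []
    # Fold "\<newline>" continuations so hashes on the next line belong to the requirement.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or an option such as --index-url
            continue
        m = EXACT_PIN.match(line)
        if not m:
            findings.append({"req": line, "reason": "not pinned with == (version can float)"})
            continue
        if not SHA256_HASH.search(line):
            findings.append({"req": m.group(0),
                             "reason": "no --hash=sha256 (pip --require-hashes would refuse it)"})
    return findings


def verify_artifact(path: str, expected_sha256: str) -> bool:
    """True only if the file's SHA-256 equals expected_sha256 (constant-time compare)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_sha256.strip().lower())


PLACEHOLDER_DIGEST = "a" * 64  # stands in for the wheel's real SHA-256
SAMPLE_REQUIREMENTS = (
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{PLACEHOLDER_DIGEST}\n"
    "litellm>=1.82          # floats: a backdoored newer release is picked up automatically\n"
    "httpx==0.27.0          # exact pin, but no hash, so a re-published wheel passes\n"
    "--index-url https://pypi.org/simple\n"
)
ARTIFACT = b"#!/bin/sh\necho stand-in for a scanner release binary\n"  # constructed


def demo() -> dict:
    findings = audit_requirements(SAMPLE_REQUIREMENTS)
    fd, path = tempfile.mkstemp(prefix="scanner-bin-")
    with os.fdopen(fd, "wb") as f:
        f.write(ARTIFACT)
    published = hashlib.sha256(ARTIFACT).hexdigest()  # what the release page would list
    result = {
        "findings": findings,
        "verified_with_published_digest": verify_artifact(path, published),
        "verified_with_tampered_digest": verify_artifact(path, "0" * 64),
    }
    os.remove(path)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The important caveat: a hash only proves you got the bytes the publisher listed. If the publisher's account was the thing that was stolen, as with the Trivy and LiteLLM pushes, the published digest matches the malicious artifact too. Hashes stop substitution in transit and silent re-publishing under an existing version; provenance and signing by a builder you trust are what cover the compromised-publisher case.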

Here’s the thing. LiteLLM’s own pipeline used Trivy—irony alert. Harvested creds fueled the PyPI push. Circular hell.

Prediction: regulation incoming. CISA's KEV push means Biden-era EO mandates by Q4 2026. Firms ignoring pins? Fines, breaches, stock dips. XZ Utils 2024 is the reminder of how close it gets: a backdoor in a core compression library shipped in release tarballs and reached distro testing branches before one engineer noticed the latency it added to sshd.

And that npm leak? Gabriel Anhaia nailed it:

“A single misconfigured .npmignore or files field in package.json can expose everything.”

Fix: automate it. Run npm pack --dry-run in CI and fail the build on any file that should not ship; check .npmignore and the files field on every change. Tools like GitLab Duo can flag it too, and the market's ripe, $2B by 2028.

But skepticism reigns. GitLab’s “centralized enforcement” sounds great—until you hit multi-tool sprawl. Teams juggle GitHub Actions, Jenkins, CircleCI. One policy ring to rule ‘em? Dream on, unless vendors federate.

Real-World Fixes, Ranked by Impact

  1. Pin everything. Commit SHAs for actions, digests for images, hashes for packages. 90% efficacy.

  2. Policy as code. GitLab-style: Block mutable tags, enforce cosign sigs.

  3. Ephemeral runners. No persistent creds—secrets per-job.

  4. SLSA. Require signed build provenance from a builder you trust and verify it against the artifact's digest before anything is deployed.
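Item 4 is the one most teams wave at without ever running a check, so here is what the consumer side actually does with SLSA provenance once it has it. This is an added example written for this article, not code from the SLSA project, sigstore or GitLab. It assumes the DSSE envelope's signature has already been verified against the trusted builder's key (cosign, slsa-verifier or the sigstore libraries do that part); what remains, and what is commonly skipped, is binding the statement to the artifact in hand. The envelope below is constructed with a placeholder signature, and the builder ids, build type and artifact bytes are made up.

```python
"""Bind SLSA v1 provenance (in-toto Statement in a DSSE envelope) to an artifact.

Checked here: the envelope's payload type, the predicate type, that the exact
SHA-256 of the file appears among the statement's subjects, and that the
builder id is one you trust. Signature verification is assumed done already.
"""
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"


def check_provenance(envelope_json: str, artifact: bytes, trusted_builders: set) -> dict:
    """Return each check's result plus an overall 'ok'; never deploy unless ok is True."""
    env = json.loads(envelope_json)
    checks = {"payload_type": env.get("payloadType") == IN_TOTO_PAYLOAD_TYPE}
    stmt = json.loads(base64.b64decode(env["payload"]))
    checks["predicate_type"] = stmt.get("predicateType") == SLSA_V1_PREDICATE
    digest = hashlib.sha256(artifact).hexdigest()
    # The artifact must be named as a subject with a matching sha256, not just "a" subject.
    checks["subject_matches"] = any(
        s.get("digest", {}).get("sha256", "").lower() == digest
        for s in stmt.get("subject", [])
    )
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    checks["builder_trusted"] = builder in trusted_builders
    checks["ok"] = all(checks.values())
    return checks


def make_envelope(artifact: bytes, builder_id: str, subject_name: str = "scanner_linux_amd64") -> str:
    """Constructed DSSE envelope carrying a minimal SLSA v1 statement (placeholder signature)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1_PREDICATE,
        "predicate": {
            "buildDefinition": {"buildType": "https://example.org/build-types/ci@v1"},  # made up
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # A real envelope carries a signature over PAE(payloadType, payload); this one is a placeholder.
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "placeholder", "sig": "cGxhY2Vob2xkZXI="}]})


TRUSTED_BUILDERS = {"https://example.org/builders/ci@v1"}          # made up for the demo
ARTIFACT = b"stand-in bytes for a release binary"                   # constructed


def demo() -> dict:
    genuine = make_envelope(ARTIFACT, "https://example.org/builders/ci@v1")
    rogue = make_envelope(ARTIFACT, "https://attacker.example/builder")
    return {
        "genuine": check_provenance(genuine, ARTIFACT, TRUSTED_BUILDERS),
        "swapped_artifact": check_provenance(genuine, ARTIFACT + b"\x00", TRUSTED_BUILDERS),
        "untrusted_builder": check_provenance(rogue, ARTIFACT, TRUSTED_BUILDERS),
    }


if __name__ == "__main__":
    for name, checks in demo().items():
        print(f"{name:18} ok={checks['ok']}  {checks}")
```

The untrusted-builder case is the one that matters for stolen-credential attacks like March's: a maintainer's PyPI token can publish a package, but it cannot make a hosted builder attest that it built those bytes from the project's repo, so a consumer that insists on provenance from a known builder id rejects the push even though the package name and version look right.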

Market shift: Policy engines up 40% YoY (Gartner). GitLab, Harness lead—but open-source alternatives like OPA lag adoption.

Wander a sec: Remember Codecov 2021 bash uploader hack? Same vibe—pipeline pivot to creds. History rhymes; we’re just slower learners.

Why This Hits DevOps Hardest

Pipelines = deployment gate. Compromise there? Prod’s wide open. Axios in a frontend build? RAT on dev laptops. LiteLLM in ML flows? Model data exfil.

Scale: axios at 100M+ weekly downloads means developers everywhere were exposed.

GitLab’s pitch works if you’re all-in. Hybrid? Patchwork hell.

Bold call: 2027 sees first $1B breach from un-pinned AI tools. LiteLLM’s 95M dl’s? Canary.



Frequently Asked Questions

What caused the March 2026 supply chain attacks?

TeamPCP used stolen creds to push malware into Trivy, KICS GitHub Actions, then LiteLLM PyPI and axios npm—exploiting mutable tags and pipeline trust.

How do I secure my CI/CD pipeline now?

Pin to SHAs/checksums, enforce sig verification, use policy engines like GitLab to block untrusted inputs.

Will these attacks continue in 2027?

Likely. Without universal pinning, the AI tool boom in PyPI and npm traffic points to far more of these incidents, on the order of 10x by download trends.

Written by Sarah Chen

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.


Originally reported by GitLab Blog
