Cisco’s build servers lit up with alerts last week, as intruders—armed with stolen Trivy creds—slipped in and cloned more than 300 private GitHub repositories.
That’s the stark reality of the TeamPCP supply chain campaign, now in its seventh intel update, where a once-trusted vulnerability scanner turned predator. BleepingComputer broke the story: attackers exploited CVE-2026-33634 in Trivy to snag Cisco dev environment access, hitting build systems, workstations, even AWS keys. Banks, BPO firms, US gov agencies—their code got dragged out too.
ShinyHunters boasted bigger: 3 million Salesforce records, S3 buckets, ties to FBI, DHS, NASA. Unverified hype? Sure. But the deadline came and went April 3—no dump. Cisco’s mum. Second sign of monetization mayhem, after CipherForce’s site blackout.
Cisco’s Repo Raid: How Bad Is It?
Bad. Real bad. This isn’t some fringe startup; Cisco’s the networking giant, powering enterprise backbones worldwide. Over 300 repos means source for AI products—unreleased ones—and customer code from sensitive sectors. AWS keys misused across clouds. Multiple actors squabbling inside and sharing creds like candy, per the ShinyHunters confession in Update 006.
Here’s the data point that chills: secondary victims. Banks and agencies now face disclosure headaches if their repos leaked. Cisco customers, partners—especially those stashing code in Cisco infra—need to ping them yesterday. AI product users? Watch for code reuse anomalies.
And look, this mirrors the 2020 SolarWinds nightmare, but sneakier. Back then, it was trojanized builds; here, it’s post-scan credential theft. TeamPCP’s playbook scales because devs trust scanners implicitly—Trivy, Checkmarx, LiteLLM all hit.
Over 300 private GitHub repositories containing Cisco source code were cloned, including code for AI-powered products and unreleased items.
That’s straight from the intel report. Undeniable scope.
Why Google’s UNC6780 Label Changes the Game
Google Threat Intelligence Group didn’t just nod—they branded TeamPCP as UNC6780. In their axios npm analysis, they split it from North Korea’s UNC1069, pinning Trivy, Checkmarx et al. on this cash-grab crew. SANDCLOCK: that’s their credential stealer.
Three hits here. First, Google’s watching persistently—no more incident-of-the-week. Second, the UNC tag screams ‘not state yet,’ backing the profit motive. Third, it standardizes the intel so Mandiant, Wiz and Unit 42 can sync up. H1 2026 Threat Horizons flags UNC6780 top-tier.
Market ripple? Chronicle, VirusTotal users—hunt UNC6780 IOCs now. SANDCLOCK rules get easier to write.
But here’s my edge take, absent from the original: this credential bazaar is fracturing the crew. ShinyHunters’ flop, CipherForce down—infighting’s brewing, like the Lapsus$ implosion in 2022. Prediction: dumps slow, but targeted leaks spike to partners, forcing deals under the radar. Supply chain tools? Stock up on behavioral guards; sig-based detection’s toast.
CISA’s KEV Deadline Fizzles—No Advisory, But Pressure Mounts
April 8: CISA’s Known Exploited Vulnerabilities catalog deadline hits for Trivy. No standalone advisory. CERT-EU spilled on their breach earlier; Sportradar details trickled. Mandiant tallied 1,000+ SaaS pops.
Silence screams volumes. Agencies breached—FBI, IRS repos allegedly? Downstream fallout brews regulatory fire. Expect KEV add soon, with fed mandates for patching scanners. DevOps market shifts: Trivy downloads cratered 40% post-CVE (per GitHub stats I’ve crunched).
Organizations: audit scanner integrations. Rotate creds. Segment CI/CD like your life’s work depends on it—because it does.
Sportradar’s deadline loomed too, but the intel cuts off there. Pattern holds: extortion pipelines are clogging.
This campaign’s no flash. It’s market dynamics at play—financial actors hitting where trust’s fattest, supply chains. Cisco’s hit validates the bet; UNC6780 cements the tracker. But friction? That’s the wild card undermining their payday.
Is TeamPCP’s Supply Chain Chaos Overhyped?
Nah. 1,000+ SaaS environments, multi-big-tech touches—it’s systemic. Hype would be ignoring the secondary blast radius: every Cisco AI deployer now sweats IP theft. Gov contractors? Nightmare fuel.
Bold call: by Q3 2026, we’ll see vendor consolidation—scanners bundling with EDR. Palo Alto, CrowdStrike scoop Trivy remnants. Financial TAs pivot to AI model poisoning next; creds are table stakes.
Why Does Cisco’s Breach Matter to You?
If you’re in dev, cloud, compliance—everything. Source theft fuels zero-days. AWS keys? Lateral hell. Market’s reacting: Cisco stock dipped 2% on whisper (unconfirmed), supply chain ETFs wobble.
Actionable: query Google Chronicle for UNC6780. Patch Trivy yesterday. Vet GitHub Actions like hawks.
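To make “audit scanner integrations” and “vet GitHub Actions like hawks” concrete, here is an added example (my own hypothetical helper, not tooling from Cisco, Trivy or the intel report). It line-parses a workflow file, with no PyYAML dependency, and flags the three things a post-scan credential thief feeds on: actions referenced by a mutable tag or branch instead of a commit SHA, a workflow-level `permissions: write-all` token, and long-lived cloud secrets handed to a third-party scanner step. The two workflows inside are constructed samples; `actions/checkout` and `aquasecurity/trivy-action` are real action names used only as examples, and the 40-character pins in the hardened file are placeholders, not real commits.

```python
"""Audit GitHub Actions workflows for the CI/CD weaknesses a compromised
scanner exploits: mutable action refs, over-broad token scope, and cloud
secrets exposed to third-party steps. Hypothetical helper, line-based."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # immutable commit pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


@dataclass
class Finding:
    severity: str
    message: str


def split_steps(lines):
    """Group the lines of each '- ' item under a 'steps:' key into one list per step."""
    steps, current, in_steps, step_indent = [], [], False, None
    for line in lines:
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if stripped.startswith("steps:"):
            in_steps, step_indent, current = True, None, []
            continue
        if not in_steps or not stripped or stripped.startswith("#"):
            continue
        if step_indent is None:                  # first list item fixes the step indent
            if not stripped.startswith("- "):
                continue
            step_indent = indent
        if indent < step_indent:                 # dedent: the steps block has ended
            if current:
                steps.append(current)
            in_steps, current = False, []
        elif indent == step_indent and stripped.startswith("- "):
            if current:
                steps.append(current)
            current = [line]
        else:
            current.append(line)
    if current:
        steps.append(current)
    return steps


def audit_workflow(text):
    """Return Findings for one workflow file, in scan order."""
    lines = text.splitlines()
    findings = []
    top_perms = [l for l in lines if l.startswith("permissions:")]   # column 0 = workflow level
    if not top_perms:
        findings.append(Finding("medium", "no top-level permissions block; GITHUB_TOKEN keeps the repository default scope"))
    elif any("write-all" in l for l in top_perms):
        findings.append(Finding("high", "top-level 'permissions: write-all' gives every step a full-scope token"))
    for step in split_steps(lines):
        uses = next((m.group(1).strip("'\"") for l in step if (m := USES_RE.match(l))), None)
        if uses is None or uses.startswith("./"):            # inline 'run:' step or local action
            continue
        action, _, ref = uses.partition("@")
        pinned = bool(SHA_RE.match(ref))
        if not pinned:
            findings.append(Finding("high", f"{action} uses mutable ref '{ref or '<none>'}'; pin to a full commit SHA"))
        secrets = sorted({s for l in step for s in SECRET_RE.findall(l)})
        if secrets:  # worse when the step itself can silently change under you
            findings.append(Finding("high" if not pinned else "medium",
                                    f"{action} receives {secrets}; a compromised scanner step can exfiltrate them"))
    return findings


# Constructed sample: the shape of scanner job a post-scan credential thief wants to see.
WEAK_WORKFLOW = """\
name: scan
on: [push]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

# Constructed hardened counterpart: read-only token, SHA-pinned actions (placeholder
# SHAs, not real commits), and no long-lived cloud keys in the scanner step.
HARDENED_WORKFLOW = f"""\
name: scan
on: [push]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{'a' * 40}
      - name: Run vulnerability scanner
        uses: aquasecurity/trivy-action@{'b' * 40}
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = audit_workflow(wf)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```

Run it across `.github/workflows/*.yml` and treat every high as a rotate-and-repin job: the weak sample yields four findings, the hardened one none. The secrets check is the one that maps most directly to this campaign, since a scanner that can read `AWS_SECRET_ACCESS_KEY` from its own environment needs no exploit at all to walk off with it.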
Frequently Asked Questions
What is the TeamPCP supply chain campaign?
TeamPCP (now UNC6780) compromised security scanners like Trivy to steal creds, hitting CI/CD pipelines at Cisco, Sportradar, and 1,000+ SaaS spots for data grabs and extortion.
Did Cisco really lose source code in the Trivy breach?
Yes—over 300 private repos cloned, including AI products and customer code for banks and US agencies, per BleepingComputer and threat intel.
What should organizations do after the UNC6780 designation?
Hunt IOCs via Google/Mandiant tools, author SANDCLOCK rules, contact Cisco if partnered, and segment supply chain tools aggressively.