Supply Chain Attack on Trivy Expands into Lapsus$-Linked Extortion Campaign, Compromising Over 1,000 SaaS Environments
A sophisticated supply chain attack targeting Trivy, a widely used open-source security scanner, has escalated into a large-scale extortion campaign linked to the cybercriminal group Lapsus$, compromising over 1,000 enterprise SaaS environments. The attack, first detected in late February, involved the compromise of Trivy’s VS Code extension, GitHub Action, and Docker Hub artifacts, with malicious payloads distributed through manipulated version tags and cached mirror infrastructure.
The threat actors, initially identified as the cloud-native group TeamPCP, gained persistent access to Aqua Security’s GitHub organization, defacing all 44 repositories with the message “TeamPCP Owns Aqua Security.” Mandiant’s investigation revealed that the attackers later funneled stolen access to broader criminal networks, including Lapsus$, known for aggressive extortion tactics.
The attack leveraged stolen credentials likely obtained through a third-party breach to backdoor multiple components, including LiteLLM, an AI middleware library embedded in cloud environments. Security firms Wiz and Socket confirmed that the campaign expanded across the npm ecosystem, with over 29 malicious packages distributed using compromised publish tokens. Despite takedown efforts, cached copies of the malicious Trivy artifacts continued circulating via mirror infrastructure like mirror.gcr.io.
Security experts warned that the attackers timed their escalation strategically, waiting until defenders were distracted by RSA Conference 2026 before launching follow-on attacks. Cory Michal (AppOmni) and Isaac Evans (Semgrep) emphasized that the incident highlights critical weaknesses in third-party code governance, with attackers exploiting implicit trust in supply chains and mutable version tags to scale their reach.
Aqua Security confirmed that its commercial products remain unaffected due to architectural isolation, but credential revocation and rotation efforts are ongoing. Mandiant has yet to determine the initial source of the stolen credentials, suspecting a breach at a business process outsourcer or partner organization.
As the fallout continues, the attackers have publicly signaled plans to target additional open-source projects, with security researchers warning that the 1,000+ downstream victims could expand significantly in the coming months. The incident underscores the growing threat of supply chain attacks, where a single compromise can cascade across thousands of organizations.
Aqua Security cybersecurity rating report: https://www.rankiteo.com/company/aquasecteam
"id": "AQU1774441468",
"linkid": "aquasecteam",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '1,000+ downstream victims',
'industry': 'Cybersecurity',
'name': 'Aqua Security',
'type': 'Cybersecurity Company'},
{'customers_affected': '1,000+ enterprise SaaS '
'environments',
'industry': 'Software Development',
'name': 'Trivy (Open-Source Project)',
'type': 'Open-Source Security Scanner'},
{'industry': 'Artificial Intelligence',
'name': 'LiteLLM',
'type': 'AI Middleware Library'}],
'attack_vector': ['Compromised VS Code extension',
'GitHub Action',
'Docker Hub artifacts',
'Malicious npm packages',
'Stolen credentials'],
'data_breach': {'sensitivity_of_data': 'High (potential access to enterprise '
'SaaS environments)',
'type_of_data_compromised': ['Stolen credentials',
'Access tokens']},
'date_detected': '2026-02-01',
'description': 'A sophisticated supply chain attack targeting Trivy, a widely '
'used open-source security scanner, has escalated into a '
'large-scale extortion campaign linked to the cybercriminal '
'group Lapsus$, compromising over 1,000 enterprise SaaS '
'environments. The attack involved the compromise of Trivy’s '
'VS Code extension, GitHub Action, and Docker Hub artifacts, '
'with malicious payloads distributed through manipulated '
'version tags and cached mirror infrastructure. The threat '
'actors gained persistent access to Aqua Security’s GitHub '
'organization, defacing all 44 repositories. The attack '
'leveraged stolen credentials to backdoor multiple components, '
'including LiteLLM, and expanded across the npm ecosystem with '
'over 29 malicious packages. The incident highlights critical '
'weaknesses in third-party code governance and supply chain '
'security.',
'impact': {'brand_reputation_impact': 'Defacement of Aqua Security’s GitHub '
'repositories',
'data_compromised': True,
'operational_impact': 'Credential revocation and rotation efforts '
'ongoing',
'systems_affected': ['1,000+ enterprise SaaS environments',
'GitHub repositories',
'npm ecosystem']},
'initial_access_broker': {'backdoors_established': ['GitHub repositories',
'npm packages'],
'entry_point': ['Stolen credentials',
'Third-party breach'],
'high_value_targets': ['Enterprise SaaS '
'environments']},
'investigation_status': 'Ongoing',
'lessons_learned': 'The incident underscores critical weaknesses in '
'third-party code governance, implicit trust in supply '
'chains, and the risks of mutable version tags in '
'open-source projects.',
'motivation': ['Extortion', 'Data theft', 'Supply chain disruption'],
'post_incident_analysis': {'corrective_actions': ['Credential rotation',
'Architectural isolation of '
'commercial products',
'Enhanced monitoring of '
'supply chain dependencies'],
'root_causes': ['Stolen credentials from a '
'third-party breach',
'Exploitation of implicit trust in '
'supply chains',
'Mutable version tags in '
'open-source projects']},
'recommendations': ['Strengthen third-party code governance',
'Monitor and secure supply chain dependencies',
'Implement stricter access controls for open-source '
'projects',
'Enhance credential management and rotation policies'],
'references': [{'source': 'Mandiant Investigation'},
{'source': 'Wiz and Socket Confirmation'},
{'source': 'Aqua Security Statement'}],
'response': {'containment_measures': ['Credential revocation',
'Takedown of malicious packages'],
'remediation_measures': ['Rotation of compromised credentials',
'Architectural isolation of commercial '
'products'],
'third_party_assistance': ['Mandiant', 'Wiz', 'Socket']},
'threat_actor': ['TeamPCP', 'Lapsus$'],
'title': 'Supply Chain Attack on Trivy Expands into Lapsus$-Linked Extortion '
'Campaign, Compromising Over 1,000 SaaS Environments',
'type': 'Supply Chain Attack, Extortion Campaign',
'vulnerability_exploited': ['Mutable version tags',
'Implicit trust in supply chains',
'Third-party breaches']}