Trivy, Cisco, Salesforce, AWS and Aura: Cisco Faces Alleged Data Leak as ShinyHunters Claims Responsibility

Cisco Hit by Major Cyberattack Linked to Supply Chain Breach

Cisco is responding to a significant cybersecurity incident after threat actors breached its internal development networks, stealing sensitive source code and corporate data. The attack, claimed by the hacking group ShinyHunters, also allegedly impacted Salesforce, Aura, and AWS storage buckets.

The breach originated from a supply chain attack involving Trivy, a widely used vulnerability scanner. Attackers exploited a malicious GitHub Action plugin tied to the Trivy compromise, allowing them to steal credentials and infiltrate Cisco’s build environments. Once inside, they compromised dozens of devices, including lab workstations and developer systems, gaining access to highly sensitive data.

The stolen material includes AWS keys, which were used to perform unauthorized actions in Cisco’s cloud accounts, and over 300 private GitHub repositories. These repositories contain unreleased product source code, including AI Assistants and AI Defense technologies, as well as data belonging to corporate clients, such as major banks, BPO firms, and U.S. government agencies.

Cisco’s security teams, including the Unified Intelligence Center, CSIRT, and EOC, moved quickly to contain the breach by isolating affected systems, wiping compromised machines, and enforcing a mass credential reset. However, the company has not yet issued a public statement, and internal sources suggest ongoing complications from the incident.

While ShinyHunters has taken credit for the data theft, security researchers link the underlying Trivy supply chain attack to TeamPCP, a separate group known for deploying custom malware ("TeamPCP Cloud Stealer") to hijack developer platforms like Docker, npm, and PyPI. TeamPCP has also been tied to recent breaches of LiteLLM and Checkmarx, raising concerns about secondary attacks stemming from related vulnerabilities.

Source: https://gbhackers.com/cisco-data-leak-as-shinyhunters-claims-responsibility/

Aqua Security cybersecurity rating report: https://www.rankiteo.com/company/aquasecteam

Vendrive cybersecurity rating report: https://www.rankiteo.com/company/useaura

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services

Salesforce cybersecurity rating report: https://www.rankiteo.com/company/salesforce

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco

"id": "AQUUSEAMASALCIS1775046662",
"linkid": "aquasecteam, useaura, amazon-web-services, salesforce, cisco",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Major banks, BPO firms, U.S. '
                                              'government agencies',
                        'industry': 'Technology/Networking',
                        'name': 'Cisco',
                        'type': 'Corporation'},
                       {'industry': 'Cloud Computing/Software',
                        'name': 'Salesforce',
                        'type': 'Corporation'},
                       {'name': 'Aura', 'type': 'Corporation'},
                       {'industry': 'Cloud Computing',
                        'name': 'AWS',
                        'type': 'Cloud Service Provider'}],
 'attack_vector': 'Malicious GitHub Action plugin (Trivy vulnerability '
                  'scanner)',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': 'Over 300 private GitHub '
                                              'repositories',
                 'sensitivity_of_data': 'High (unreleased product source code, '
                                        'AI Assistants, AI Defense '
                                        'technologies, corporate client data)',
                 'type_of_data_compromised': ['Source code',
                                              'Corporate data',
                                              'AWS keys',
                                              'AI technologies',
                                              'Client data']},
 'description': 'Cisco is responding to a significant cybersecurity incident '
                'after threat actors breached its internal development '
                'networks, stealing sensitive source code and corporate data. '
                'The attack, claimed by the hacking group ShinyHunters, also '
                'allegedly impacted Salesforce, Aura, and AWS storage buckets. '
                'The breach originated from a supply chain attack involving '
                'Trivy, a widely used vulnerability scanner. Attackers '
                'exploited a malicious GitHub Action plugin tied to the Trivy '
                'compromise, allowing them to steal credentials and infiltrate '
                'Cisco’s build environments. Once inside, they compromised '
                'dozens of devices, including lab workstations and developer '
                'systems, gaining access to highly sensitive data.',
 'impact': {'data_compromised': 'AWS keys, over 300 private GitHub '
                                'repositories (unreleased product source code, '
                                'AI Assistants, AI Defense technologies, '
                                'corporate client data)',
            'operational_impact': 'Isolation of affected systems, mass '
                                  'credential reset, ongoing complications',
            'systems_affected': 'Dozens of devices (lab workstations, '
                                'developer systems, build environments)'},
 'initial_access_broker': {'entry_point': 'Malicious GitHub Action plugin '
                                          '(Trivy supply chain compromise)',
                           'high_value_targets': 'AWS keys, private GitHub '
                                                 'repositories, developer '
                                                 'systems'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Supply chain attack (Trivy), '
                                           'credential theft, malicious GitHub '
                                           'Action plugin'},
 'response': {'communication_strategy': 'No public statement issued yet',
              'containment_measures': 'Isolated affected systems, wiped '
                                      'compromised machines, mass credential '
                                      'reset',
              'incident_response_plan_activated': True},
 'threat_actor': ['ShinyHunters', 'TeamPCP'],
 'title': 'Cisco Hit by Major Cyberattack Linked to Supply Chain Breach',
 'type': 'Supply Chain Attack, Data Breach',
 'vulnerability_exploited': 'Supply chain compromise (Trivy), credential theft'}