Your CI pipeline runs Trivy. It scans containers, scans IaC, flags vulnerable dependencies. It’s the canary. It’s trusted. It runs early in the pipeline with elevated access to secrets because that’s what security tooling needs to function. You gave it the keys because it’s supposed to find the problems.

In March 2026, TeamPCP turned that logic into a weapon.

On March 19th, Trivy was compromised. The most widely deployed open-source container and infrastructure vulnerability scanner — the thing millions of CI pipelines use to detect supply chain attacks — was turned into credential exfiltration infrastructure. The scanner became the payload. Whatever comes after in your pipeline is irrelevant; the exfiltration already happened in step two.

This is either extremely clever or extremely arrogant. It doesn’t matter which. The outcome is the same.

TeamPCP ran an aggressive campaign through late February and March. One new target every one to three days. They weren’t opportunistic — they were working a list.

The timeline:

  • March 19: Trivy. The scanner.
  • March 20–22: CanisterWorm campaign — an npm worm component. Different surface, same operation.
  • March 23: Checkmarx KICS. The infrastructure-as-code security scanner. If you weren’t already understanding the pattern, here it was again.
  • March 24: LiteLLM. PyPI packages 1.82.7 and 1.82.8. The AI gateway.
  • March 27: Telnyx Python SDK. Versions 4.87.1 and 4.87.2.

The attack mechanism was consistent: hijack PyPI and GitHub publishing credentials, inject infostealer payloads into GitHub Actions workflows and package releases. The payload behavior was consistent too — harvest cloud credentials, SSH keys, Kubernetes configs, CI/CD secrets, encrypt them, exfiltrate to attacker infrastructure. Clean, efficient, repeatable.

Unit 42, Kaspersky, Datadog, Akamai, and Arctic Wolf were all reporting on different pieces of this. The pieces fit together.

The Checkmarx KICS compromise four days after Trivy wasn’t a coincidence — it was a doubling down. KICS (Keeping Infrastructure as Code Secure) is exactly what it sounds like: you run it to find misconfigured Terraform, CloudFormation, Kubernetes manifests, Dockerfiles. It runs with access to your infra definitions. Compromising the tool that audits your infrastructure is a clean way to map what you’re about to attack.

Two security scanners in five days. TeamPCP wasn’t going after the soft targets first. They were going after the tools that watch the soft targets.

The LiteLLM inclusion deserves its own attention. LiteLLM is an AI gateway — it proxies requests to OpenAI, Anthropic, Azure, Bedrock, and whatever else you’re routing through it. It runs in production at meaningful scale at a lot of organizations right now. It often holds API keys for multiple cloud providers, multiple AI services, and frequently has access to databases.

It is, functionally, a credential aggregation point. It wasn’t designed to be one, but that’s what it is. Three years ago this attack surface didn’t exist. Nobody built their threat models around it because there was nothing to model. Now there is, and the threat models still haven’t caught up.

Compromising LiteLLM versions 1.82.7 and 1.82.8 on PyPI means anyone who pip-installed the AI gateway infrastructure while those versions were live handed over keys to a large fraction of their production environment. Not because they were careless — because they updated a dependency.

The coda to all of this landed shortly after the campaign concluded: ransomware group Vect announced a partnership with TeamPCP.

This is the logical next step. You’ve run a disciplined credential harvesting operation across an aggressive timeline. You’ve compromised the security tooling, so incident responders are working partially blind. You’ve collected credentials from organizations running Trivy — which is everyone. Now Vect monetizes the harvest.

The credential theft to ransomware pipeline is not new. What’s new is the velocity. TeamPCP harvested at scale in a matter of days. Incident response teams work in days to weeks. The rotation of secrets — if it happens at all — happens even slower. By the time an organization understands what happened, Vect has already worked through the list.

I’ve watched supply chain attacks evolve since before the infrastructure to run them at scale existed. The pattern has always been: find something trusted, compromise the trust, harvest what trust buys you. What’s changed is the attack surface keeps growing faster than the threat models update.

Security tooling is now a high-value target precisely because it’s treated as trusted infrastructure. It runs in privileged positions. It gets broad access. Organizations grant it what it asks for because it’s supposed to be on their side. That’s the bet TeamPCP made in March, and based on what was deployed and when Vect announced the partnership, it paid out.

The organizations that got hit by this ran the same CI security scanning everyone runs. The problem isn’t that they didn’t scan. The problem is they trusted the scanner.

There’s a version of this you can defend against: pin your tool versions, verify checksums, run security tooling in isolated environments with scoped access, treat scanner updates the same way you treat dependency updates. None of that is novel advice. None of it is hard. Most shops aren’t doing it.

TeamPCP knew that. That’s why they started with Trivy.

PGP signature: teampcp-they-came-for-the-scanners.md.asc — Key fingerprint: 5FD2 1B4F E7E4 A3CA 7971 CB09 DE66 3978 8E09 1026