SECURITYWEEK reports that TeamPCP has expanded its open-source software campaign from the Trivy supply-chain attack to NPM, Docker Hub, VS Code, and PyPI, with a likely monetisation collaboration with the Lapsus$ group. The Trivy incident began with an access token compromise in late February, and attackers started pushing malware to Trivy repositories on 19 March, ultimately evicting them after five days.
The attackers hijacked GitHub Action tags and published malicious Trivy Docker Hub images (v0.69.5 and v0.69.6), and subsequently targeted Checkmarx’s KICS Open-Source project by pushing malicious VS Code plugins and hijacking 35 GitHub Action version tags.
In the NPM campaign, CanisterWorm hit at least 64 packages and more than 140 package artifacts, using compromised tokens to propagate malicious code, while the PyPI operation injected the same information-stealing malware into LiteLLM versions 1.82.7 and 1.82.8, exfiltrating around 300GB from about 500,000 infected machines, according to EndorLabs and Sonatype. According to SANS Institute, the attack’s reach was broad, with the blast radius aided by a shared toolkit and token harvesting across multiple ecosystems.