socradar.io 4/1/2026, 8:44:36 PM · via preferred

Trivy-Linked Cisco Breach & ShinyHunters’ Stolen Data Claim


Cisco’s internal development and build environment was breached in a Trivy supply chain incident, with attackers exploiting credentials exposed in the March 2026 Trivy compromise. According to the article, AWS keys were reportedly stolen and more than 300 GitHub repositories were cloned, while Trivy v0.69.4 was published by a threat actor as a malicious release and trivy-action and setup-trivy were tampered with.

The wider campaign has been attributed by multiple security teams to TeamPCP, and Checkmarx disclosed a March 2026 compromise affecting two GitHub Actions workflows. On 31 March 2026, ShinyHunters published an extortion post claiming the Cisco breach involved theft of over 3 million Salesforce records, GitHub repositories, AWS buckets and other assets, with an April 3 deadline.

Public evidence cited includes screenshots of AWS EC2 volumes and an S3 bucket list, with creation dates in March 2026, though these do not prove the full scope of the alleged breach. The article summarises a confirmed Trivy-linked Cisco breach alongside unverified wider leak claims from ShinyHunters.


Article by CyberSIXT