Threat actors used stolen credentials from the Trivy supply chain compromise to breach Cisco's internal development environment and exfiltrate source code from more than 300 GitHub repositories, including AI product code and some customer repositories. Cisco has isolated affected systems, begun reimaging and wide-scale credential rotation, and expects continued fallout linked to follow-on LiteLLM and Checkmarx supply chain attacks. #Cisco #Trivy
Key points
- Attackers delivered a malicious GitHub Action from the Trivy compromise to steal CI/CD credentials and data.
- More than 300 GitHub repositories were cloned, including source code for AI Assistants, AI Defense, and unreleased products.
- Multiple AWS keys were stolen and used to perform unauthorized activities across a small number of Cisco AWS accounts.
- Cisco has isolated affected systems, started reimaging, and is performing wide-scale credential rotation to contain the breach.
- Security researchers link the supply chain attacks to the TeamPCP group, which also compromised LiteLLM and Checkmarx projects.
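A defender-side check for the vector in the first key point (a trojanized GitHub Action harvesting CI/CD secrets), added here as an example and not code from the page, Cisco or the Trivy project: it scans a constructed workflow for actions referenced by a floating tag or branch instead of a commit SHA, and reports whether a top-level `permissions:` block limits the GITHUB_TOKEN. The sample workflow and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Step reference in a GitHub Actions workflow: owner/repo[/path]@ref
# (local "./" actions and docker:// images are deliberately ignored).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)"
)
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^permissions:")  # top-level (unindented) key only

def audit_workflow(workflow_text: str) -> dict:
    """Flag action references that float on a tag/branch instead of a commit SHA,
    and report whether the workflow restricts the GITHUB_TOKEN via `permissions:`."""
    unpinned = []
    permissions_declared = False
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if PERMISSIONS_RE.match(line):
            permissions_declared = True
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if COMMIT_SHA_RE.match(ref):
            continue  # immutable: re-tagging the upstream release cannot swap the code
        owner = action.split("/")[0]
        unpinned.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            # GitHub-maintained actions are lower risk but still benefit from pinning
            "severity": "medium" if owner == "actions" else "high",
        })
    return {"unpinned": unpinned, "permissions_declared": permissions_declared}

# Constructed sample workflow (not from the page); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    for f in report["unpinned"]:
        print(f"line {f['line']}: {f['action']}@{f['ref']} is unpinned ({f['severity']})")
    if not report["permissions_declared"]:
        print("no top-level permissions: block; GITHUB_TOKEN gets the default scope")
```

Pinning to a SHA does not help if the pinned commit itself was malicious, so pair this check with credential rotation and least-privilege token scopes as the page describes Cisco doing.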