The Story
A vulnerability scanner got hacked.
Then the hackers used it to poison one of the most popular AI libraries on the planet.
That happened last week.
Here's what went down:
March 19 — TeamPCP compromised Aqua Security's Trivy, one of the most trusted open-source vulnerability scanners in DevSecOps.
March 23 — Using stolen credentials, they compromised Checkmarx's KICS GitHub Actions and VS Code extensions.
March 24 — Those same credentials gave them access to LiteLLM's CI/CD pipeline.
What Is LiteLLM?
LiteLLM is the universal AI gateway used across 36% of all cloud environments. It averages 95 million downloads per month. It sits between applications and 100+ AI providers—holding API keys for OpenAI, Anthropic, AWS, and Azure in one place.
The attackers published two backdoored versions to PyPI.
What the Malware Did
In just three hours, the malware:
- Harvested SSH keys, cloud credentials, and Kubernetes secrets
- Deployed privileged pods to every node in Kubernetes clusters
- Installed a persistent backdoor polling for additional payloads
- Swept cryptocurrency wallets and `.env` files
TeamPCP posted this on Telegram:
"These companies were built to protect your supply chains yet they can't even protect their own."
They also announced a partnership with LAPSUS$.
Let that land.
The Irony That Kills
| Victim | Their Job | What Happened |
|---|---|---|
| Aqua Trivy | Vulnerability scanner | Got hacked |
| Checkmarx KICS | Infrastructure as Code security | Got hacked |
| LiteLLM | AI gateway with 95M downloads | Got backdoored |
The companies selling supply chain security became the supply chain risk.
What This Means for Developers
If Trivy, KICS, and LiteLLM—with all their resources and visibility—can be compromised this way, what does that mean for the rest of us?
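One concrete answer is to stop trusting mutable references in the pipeline: a GitHub Action pinned to a tag or branch can be repointed by whoever holds the repository's credentials, and a PyPI package pinned only by version will happily install a freshly published backdoored release. The check below is an added example written for this post, not code from Aqua, Checkmarx, LiteLLM or the author; the workflow and requirements text it scans are constructed samples with placeholder action and package names (`example-org/...`, `example-gateway`, and so on), not references to any real release.

```python
"""
Supply-chain pin check: flag GitHub Actions referenced by a mutable tag or
branch, and Python requirements that would install without a hash lock.

Added example for this post; function names, the sample workflow and the
sample requirements file are constructed for illustration only.
"""
import re

# A full 40-hex commit SHA is immutable. A tag such as @v4 or a branch such
# as @main can be moved by anyone holding write access (or a stolen token).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// references are skipped because they
    are not resolved through a third-party repository's tags.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)  # no ref at all: resolves to the default branch
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def unhashed_requirements(requirements_text: str) -> list[str]:
    """Return requirement names lacking an exact `==` pin plus a sha256 hash.

    pip verifies hashes only in --require-hashes mode, which it enters once
    every requirement carries a hash, so one hash-less line silently
    downgrades the whole install to "whatever the index serves today".
    """
    findings = []
    # pip lets a requirement continue onto the next line with a backslash.
    joined = requirements_text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or -r/-i option
            continue
        name = re.split(r"[=<>!~\[ ;]", line, 1)[0]
        if "==" not in line or not HASH_RE.search(line):
            findings.append(name)
    return findings


# Constructed sample inputs (placeholder names, not real actions or packages).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@main
      - uses: example-org/iac-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: echo done
"""

SAMPLE_REQUIREMENTS = """\
# constructed sample; the hash below is a placeholder, not a real digest
example-gateway==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
example-client>=2.0
example-tool==3.1.4
"""

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned action: {ref}")
    for pkg in unhashed_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirement without hash lock: {pkg}")
```

Run against the samples it reports `actions/checkout@v4` and `example-org/scanner-action@main` as unpinned, and `example-client` and `example-tool` as installable without a hash. The caveat: SHA and hash pinning stop a retargeted tag or a swapped release from reaching you unnoticed; they do not protect you the moment you bump the pin, so the upgrade review is where the scrutiny has to happen.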
More importantly: What should we be asking our security tool providers right now?
I'm a cybersecurity student at UNIJOS, and I've been sitting with this question all week.
The Question I Keep Coming Back To
If you're using security tools in your workflow—scanners, CI/CD integrations, AI libraries—what's one thing you wish you knew about their security before you started using them?
Not asking for product pitches. Genuinely trying to understand how developers and security professionals are thinking about this.
Drop your thoughts in the comments. I'll read every single one.
A Quick Reflection
This attack reinforced something for me:
Firewalls aren't enough. Tools aren't enough. Even the tools built to protect us need to be secured.
If we're building on top of AI infrastructure, we have to start asking harder questions about the tools we trust—because right now, the attackers are asking the right questions.
Let's learn together.
If you found this helpful, consider sharing it with someone who's building on AI infrastructure. We need to have this conversation.