On March 19, 2026, a threat actor called TeamPCP compromised Aqua Security's Trivy — one of the most widely used vulnerability scanners in the world.
On March 23, they compromised Checkmarx's KICS GitHub Actions. They even registered checkmarx[.]zone as a C2 domain, impersonating the legitimate security company.
On March 24, they poisoned LiteLLM on PyPI. 97 million downloads per month. Versions 1.82.7 and 1.82.8 shipped with a credential-stealing backdoor that activated on every Python process startup — even without importing the library.
The sequence matters. They didn't start with LiteLLM. They started with the security scanners.
Why This Attack Pattern Is Terrifying
Most supply chain attacks target popular packages directly. This one was different.
TeamPCP's strategy:
- Compromise the security tools first (Trivy, Checkmarx KICS) — these run in CI/CD pipelines with elevated permissions
- Harvest CI/CD credentials from the compromised scanner runs
- Use those credentials to poison downstream packages (LiteLLM on PyPI)
Wiz called it a "cascading supply chain collapse." Snyk documented the full chain. GitGuardian confirmed the campaign expanded from GitHub Actions to PyPI AND NPM.
The terrifying part: if your security scanner is compromised, it's not just failing to detect threats. It's actively participating in the attack.
The Three-Stage Payload
The LiteLLM backdoor wasn't simple. JFrog and Endor Labs documented three distinct stages:
Stage 1: Credential Harvester
- SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, crypto wallets, database passwords
- Encrypted and exfiltrated via HTTP to attacker-controlled servers
- Activated via a .pth file that runs on every Python startup (no import needed)
Stage 2: Kubernetes Lateral Movement
- Deployed privileged pods on every cluster node
- Used nsenter to escape container boundaries
- Gave attackers root access to host machines
Stage 3: Persistent Backdoor
- Installed as sysmon.service via systemd
- Polled checkmarx[.]zone for commands
- Survived reboots, container restarts, redeployments
BleepingComputer reported TeamPCP claims data from "hundreds of thousands of devices."
Update (March 25): The litellm GitHub issue discussing the compromise was closed as "not planned" and flooded by hundreds of bot accounts to dilute the discussion. Security Boulevard advises: "Any machine that had Python start with litellm 1.82.7 or 1.82.8 installed must be treated as fully compromised."
What This Means for Vibe Coders
The attack was discovered inside Cursor. An MCP plugin pulled LiteLLM as a transitive dependency. The developer never chose to install it. Never reviewed it. Never knew it was there.
This is the vibe coding problem in a single incident:
- AI agents install packages without human review. You say "add LLM support," the agent picks a package. You don't review the dependency tree.
- 63% of vibe coders are non-developers (Rethink Software survey). They can't audit dependencies they didn't know existed.
- MCP plugins create invisible dependency chains. A plugin pulls a library that pulls a compromised package. Three layers deep, no human in the loop.
Escape.tech scanned 5,600 vibe-coded apps and found 2,000+ vulnerabilities and 400 exposed secrets. Those aren't theoretical. They're live on the internet right now.
The Fix Isn't "Be More Careful"
Karpathy's post about this reached 28+ million views. His advice: "yoink" code with LLMs instead of depending on packages. Good advice for senior engineers. Useless for the 63% of vibe coders who are non-developers.
Practical steps:
- Pin your dependencies. Never use latest or unpinned versions. LiteLLM's CI/CD pulled Trivy from apt without version pinning. That's how the attack got in.
- Audit your dependency tree. pip install litellm doesn't just install litellm. Run pip show litellm to see what else came along.
- Check for litellm specifically. If you've installed versions 1.82.7 or 1.82.8, rotate ALL credentials on those machines. Check with our free tool.
- Scan your app. VibeCheck catches the patterns that made this attack possible: hardcoded secrets, exposed API keys, missing security headers. Free. No signup.
- Don't trust your security scanner blindly. If TeamPCP can compromise Trivy and Checkmarx, they can compromise anything in your pipeline.
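The three-stage payload described above and the practical steps just listed come down to a handful of checks a defender can script against their own machines. The following is an added example in Python; it is not code from the original post, nor from litellm, Aqua Security, Checkmarx, JFrog, Endor Labs or anyone else named here. The indicators it looks for (the two version numbers, a .pth file that executes code at interpreter start, a systemd unit named sysmon.service) are taken from the post; the directories it scans, the function names and the constructed sample inputs in the docstrings are this example's own assumptions.

```python
"""Defender-side checks for the litellm 1.82.7 / 1.82.8 compromise.

Added example, not code from the original post or any named vendor. Indicator
values come from the post; paths, function names and sample data are assumed.
"""
import re
import site
from importlib import metadata
from pathlib import Path
from typing import Optional

COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}   # from the post
PERSISTENCE_UNIT = "sysmon.service"                  # from the post
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
_PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*\S+")


def is_compromised_version(version: str) -> bool:
    """True for the two litellm releases the post says shipped the backdoor."""
    return version.strip() in COMPROMISED_LITELLM_VERSIONS


def installed_litellm_version() -> Optional[str]:
    """litellm version in this interpreter's environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def dependency_tree(name: str, requires_fn=metadata.requires, _seen=None) -> dict:
    """Map a distribution to everything it transitively pulls in.

    requires_fn(name) returns Requires-Dist strings (or None) like
    importlib.metadata.requires; it is a parameter so the walk can be run on
    constructed data, e.g. {"mcp-plugin": ["litellm>=1.82"], "litellm": []}.
    """
    _seen = set() if _seen is None else _seen
    if name.lower() in _seen:
        return {name: "(already listed)"}
    _seen.add(name.lower())
    try:
        reqs = requires_fn(name) or []
    except metadata.PackageNotFoundError:
        return {name: "(not installed)"}
    children = {}
    for req in reqs:
        if "extra ==" in req:        # optional extras are not installed by default
            continue
        m = _NAME_RE.match(req.strip())
        if m:
            children.update(dependency_tree(m.group(0), requires_fn, _seen))
    return {name: children}


def pth_files(site_dirs=None) -> list:
    """All .pth files site.py will process when the interpreter starts."""
    if site_dirs is None:
        site_dirs = list(getattr(site, "getsitepackages", lambda: [])()) + [site.getusersitepackages()]
    found = []
    for d in site_dirs:
        p = Path(d)
        if p.is_dir():
            found.extend(sorted(p.glob("*.pth")))
    return found


def pth_executes_code(text: str) -> bool:
    """site.py exec()s any .pth line beginning with 'import': the no-import hook.

    Ordinary .pth files only list directories, so an import line is worth a look.
    """
    return any(line.startswith(("import ", "import\t")) for line in text.splitlines())


def unpinned_requirements(requirements_txt: str) -> list:
    """Requirement lines that do not pin an exact version with '=='."""
    unpinned = []
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option (-r, --hash)
            continue
        if not _PINNED_RE.match(line):
            unpinned.append(line)
    return unpinned


def persistence_unit_present(unit_dirs=("/etc/systemd/system", "/usr/lib/systemd/system",
                                        "/lib/systemd/system")) -> list:
    """Where a unit named sysmon.service exists. A lead, not proof: Microsoft's
    Sysmon for Linux legitimately uses the same unit name."""
    return [Path(d) / PERSISTENCE_UNIT for d in unit_dirs if (Path(d) / PERSISTENCE_UNIT).exists()]


def run_report() -> dict:
    """Collect every finding for this machine into one dict."""
    ver = installed_litellm_version()
    return {
        "litellm_version": ver,
        "litellm_compromised": bool(ver and is_compromised_version(ver)),
        "code_running_pth": [str(p) for p in pth_files() if pth_executes_code(p.read_text(errors="replace"))],
        "persistence_unit": [str(p) for p in persistence_unit_present()],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_report(), indent=2))
```

Run it inside every Python environment your agent or MCP plugins have touched, not just the project venv: the .pth hook fires in whichever interpreter the file was installed into. A hit on litellm_compromised means credential rotation on that machine, per the post, regardless of what the other checks say.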
The Bigger Picture
The UK's NCSC CTO published a blog on the same day as the LiteLLM attack. The title? "Vibe Check."
His argument: AI-generated code "currently poses intolerable risks for many organizations." The NCSC CEO followed up at RSA Conference urging the industry to build safeguards now, before vibe coding becomes standard practice.
Two documented breaches already this year:
- Baudr: Social network built with AI for €40, hacked within hours. Admin panel wide open. Thousands of users' data exposed.
- Moltbook: Built entirely via vibe coding. Wiz discovered 1.5 million authentication tokens and 35,000 email addresses exposed to the public internet.
The supply chain attack on LiteLLM is the most sophisticated incident yet. But it won't be the last.
Full data: State of Vibe Coding Security 2026 — 18 statistics, 23 timeline events, 18 sources.
Free scanner: VibeCheck — scan your GitHub repo or live site for the vulnerabilities described above.
Fix guide: The Vibe Coding Security Playbook — 25+ copy-paste AI fix prompts, $19.