Cisco Breached in TeamPCP Trivy Attack (Update 007)

Hackers turned Trivy into a key for Cisco's dev kingdom, swiping source code from banks, governments, and AI projects. As deadlines pass without dumps, is the TeamPCP campaign cracking?

Cisco logo cracked open with code spilling out amid supply chain attack icons

Key Takeaways

  • Cisco breach via Trivy exposes 300+ repos, including gov and bank code—biggest victim yet.
  • Google tags TeamPCP as UNC6780, signaling top-tier financial threat with SANDCLOCK malware.
  • Extortion stalls and site outages hint at campaign cracks; expect fragmented leaks ahead.

What if the tool meant to guard your code became the backdoor to your entire empire?

That’s the brutal reality of the TeamPCP Supply Chain Campaign, now in update 007, where a Trivy vulnerability flipped security scanners into weapons. Cisco just learned that the hard way—over 300 private GitHub repos cloned, source code for unreleased AI products gone, customer data from banks and U.S. government agencies in the wind.

BleepingComputer broke it first: attackers used creds snatched via CVE-2026-33634 in Trivy to punch into Cisco’s build systems and dev workstations. A malicious GitHub Action plugin did the rest.

Cisco’s Dev Hell: Multiple Hackers, Stolen AWS Keys, and ShinyHunters’ Wild Claims

Scope? Massive. Private repos for AI gear and unreleased stuff. Customer code from BPOs, banks, Uncle Sam agencies. AWS keys hijacked for joyrides across cloud accounts. And get this—multiple threat actors rummaging around, some busier than others.

ShinyHunters piled on, bragging about 3 million Salesforce records, more GitHub hauls, S3 buckets. They tossed in FBI, DHS, IRS, NASA names—even Aussie and Indian gov ties. Unverified, sure, but the deadline came April 3. Nothing dumped by April 8. Cisco? Silent on the extortion.

“The attackers gained access to build systems and developer workstations through a malicious GitHub Action plugin.”

That’s BleepingComputer, nailing the entry point. No spin, just facts.

Here’s my take—and it’s sharper than Cisco’s PR dodge. This reeks of SolarWinds 2.0, but sloppier, with credential bazaars turning one vuln into a free-for-all. Back in 2020, nation-states played solo; now, eCrime crews share logins like candy. Prediction: that ‘friction’—CipherForce outage, no dumps—spells infighting. Watch for rogue leaks from sidelined actors. Monetization’s stumbling; data’s too hot, or partners are bailing.

Organizations leaning on Cisco AI or hosting code there? Call them yesterday. Downstream risks for banks and feds are nightmare fuel—secondary disclosures incoming.

Why Is Google Calling TeamPCP UNC6780 Now?

Medium heat, but telling: Google’s GTIG slaps UNC6780 on TeamPCP. Came in their axios npm breakdown, splitting it from North Korea’s UNC1069. Trivy, Checkmarx, LiteLLM, Telnyx—all UNC6780. Credential stealer? SANDCLOCK.

Why it matters. Google sees a persistent crew, not one-offs. UNC tag means no state sponsor yet—pure cash grab. Standardizes intel sharing; Mandiant, Wiz, Unit 42, all syncing up. Cloud Threat Horizons H1 2026 flags them top-tier financial threat.

Search Chronicle, VirusTotal, Mandiant for UNC6780. SANDCLOCK rules? Write ‘em.

But look deeper. Google’s move isn’t just taxonomy—it’s market signal. With 1,000+ SaaS pops (Mandiant count), UNC6780’s scale rivals ransomware barons. DevOps market? $12B and climbing, per Gartner. One supply chain volley like Trivy shakes trust harder than any zero-day.

No CISA KEV Advisory—Deadline Who?

CISA’s KEV deadline hit, no standalone advisory. Trivy’s in, but campaign-wide? Crickets. CERT-EU spilled on their breach last update; Sportradar details emerged. ShinyHunters confirmed cred shares.

CipherForce leak site? Dark. Second sign of pipeline clogs.

This campaign’s no flash mob. v3.0 report from March nails it: scanners as weapons. But hype alert—ShinyHunters’ fed claims smell like bid-up. Real value’s the code theft; repos rebuild trust slowest.

Does This Kill Supply Chain Security Hype?

Short answer: not yet, but it’s a gut punch. Trivy’s open-source cred made it a darling—ironic twist. Market dynamics shift fast; expect Trivy forks, paid scanners surging. Aqua Security? Up 20% post-SolarWinds. Who’s next?

Unique angle: TeamPCP’s playbook echoes NotPetya economics—max chaos, skim profits. But UNC6780’s SaaS sprawl (1,000+) hints at broker model. They’re not dumping; they’re auctioning slices. Bold call: by Q3, we’ll see ‘PCPLeaks’ markets on dark web forums, splintered sales.

Actionable? Patch Trivy yesterday. Audit GitHub Actions. Credential rotation mandatory. Cisco partners—inventory exposure.
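One concrete form of "audit GitHub Actions," added here as an example and not code from the article, Cisco, or the Trivy project: a small Python check that walks workflow files and flags every `uses:` reference that is not pinned to an immutable commit SHA or image digest, since a tag or branch name can be repointed at a malicious version. The sample workflow text, the `example-org` action name, and the `ghcr.io/example` image are constructed for illustration and are not real.

```python
"""Audit GitHub Actions workflow files for third-party actions that are not
pinned to an immutable reference (full 40-hex commit SHA or image digest).
Hypothetical defender-side helper; the sample workflow below is constructed."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Matches a `uses:` value, whether written as a list item ("- uses: ...")
# or as a key under a named step ("uses: ...").  Quotes are optional.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
      - name: Scan image
        uses: example-org/some-scanner-action@main
      - uses: docker://ghcr.io/example/scanner:latest
      - uses: ./.github/actions/local-step
"""


def classify_use(ref: str) -> Optional[str]:
    """Return a finding for a mutable reference, or None if it is acceptable."""
    if ref.startswith("./"):
        return None  # repo-local action: versioned together with the repo itself
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return None
        return f"{ref}: container image not pinned by digest"
    if "@" not in ref:
        return f"{ref}: no ref given (resolves to the action's default branch)"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return None
    return f"{ref}: pinned to mutable ref '{version}', not a full commit SHA"


def find_unpinned_actions(workflow_text: str) -> List[str]:
    """Return one finding string per unpinned `uses:` reference, in file order."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        finding = classify_use(match.group(1))
        if finding:
            findings.append(finding)
    return findings


def audit_workflow_dir(repo_root: str) -> Dict[str, List[str]]:
    """Scan every workflow under <repo>/.github/workflows; map path -> findings."""
    root = Path(repo_root) / ".github" / "workflows"
    results: Dict[str, List[str]] = {}
    for path in sorted(list(root.glob("*.yml")) + list(root.glob("*.yaml"))):
        findings = find_unpinned_actions(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Run against the constructed sample; point audit_workflow_dir at a checkout
    # of your own repository to audit real workflows.
    for line in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("UNPINNED:", line)
```

The check is intentionally text-based (no YAML parser dependency) so it runs from a bare CI runner; pair the findings with a policy of pinning by SHA and reviewing any Action that requests write-scoped tokens or secrets.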

Financial motive rules, but scale feels state-adjacent. Google’s UNC watchlist? Insurance for when DPRK whispers start.

And that stalled extortion. Deadlines miss when hauls are this juicy—or when feds lean in quiet.

Frequently Asked Questions

What is the TeamPCP Supply Chain Campaign?

Crew behind Trivy, Checkmarx compromises—stealing creds to hit dev pipes. Now UNC6780 per Google.

How did hackers breach Cisco with Trivy?

Snagged creds via CVE-2026-33634, used malicious GitHub Action for dev access. 300+ repos out.

Is Cisco source code from US agencies really stolen?

ShinyHunters claims yes; Cisco silent. Customer repos confirmed exfiltrated—check with them.

Will UNC6780 data get dumped soon?

Deadlines passed, sites down. Friction suggests delays, possible infighting.

Sarah Chen
Written by

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.


Originally reported by SANS Internet Storm Center
