Yotam Gutman

06/04/2026

The Supply Chain Is the New Battlefield: Trivy, TeamPCP, and the Expanding Attack Surface

A sophisticated supply chain attack targeting Trivy, an open-source security scanner by Aqua Security, escalated into a global campaign compromising CI/CD pipelines, cloud credentials, and major private and public organizations.

Over the past decade, software supply chain attacks have evolved from isolated incidents into one of the most consequential threat vectors in modern cybersecurity. What began as dependency poisoning and typosquatting has now matured into something far more systemic: the compromise of the very infrastructure used to build, secure, and deploy software. The recent campaign attributed to the threat group known as TeamPCP illustrates this transition with unusual clarity. It is not simply another supply chain attack. It is a coordinated, multi-stage operation that targets trust at every layer of the development ecosystem.

According to detailed technical analysis published by Microsoft, the campaign demonstrates how attackers are increasingly targeting trusted developer tooling rather than applications themselves. This inversion of the security model transforms defensive tools into attack vectors, allowing malicious actors to operate with elevated privileges inside thousands of environments.

The Trivy breach

At the center of this campaign is the compromise of Trivy, a widely used open-source vulnerability scanner embedded deeply in CI/CD pipelines. Developed by Aqua Security, Trivy plays a critical role in modern cloud-native security workflows. Its privileged position—scanning containers, interacting with build systems, and accessing configuration data—made it an especially high-value target.

However, Aqua Security’s own disclosure clarifies that the incident was not a sudden breach, but a staged intrusion that began weeks earlier. The initial compromise occurred in late February 2026, when attackers exploited a misconfigured GitHub Actions workflow to extract a Personal Access Token tied to automation processes. Although credentials were rotated after detection, Aqua confirmed that the rotation was not fully complete, leaving residual access that attackers were able to reuse later.

The critical phase of the attack took place on March 19. Contrary to early assumptions that focused on a single malicious release, Aqua confirmed that attackers performed tag tampering at scale. Instead of only publishing a new version, they force-updated existing Git tags to point to malicious commits, while also triggering a compromised release (v0.69.4). This distinction is crucial. Many CI/CD systems rely on tags rather than immutable commit hashes, meaning that previously trusted versions could silently become malicious without any visible version change.

This technique significantly increased the blast radius. Pipelines pulling “trusted” versions of Trivy unknowingly executed attacker-controlled code, without triggering traditional integrity checks. The attack did not exploit a vulnerability in Trivy’s scanning engine itself, but rather abused its distribution and trust model.
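The tag-versus-commit distinction above can be checked mechanically. The following is an added example, not code from Aqua Security or from the original article: it audits a GitHub Actions workflow for `uses:` references that resolve through a mutable tag or branch instead of a full 40-character commit SHA. The action names, refs, and the function name `audit_workflow` are constructed placeholders.

```python
import re

# Matches "uses: owner/repo[/subpath]@ref" on a step or reusable-workflow call.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, reference, verdict) for every `uses:` entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            verdict = "local"      # code taken from the same checkout
        elif ref.startswith("docker://"):
            # Only an image digest is immutable; a ":tag" can be re-pushed.
            verdict = "pinned" if "@sha256:" in ref else "mutable"
        else:
            _, _, version = ref.partition("@")
            # Tags, branches and abbreviated SHAs can all be repointed.
            verdict = "pinned" if FULL_SHA_RE.match(version) else "mutable"
        findings.append((line_no, ref, verdict))
    return findings


# Constructed sample workflow; every action name and ref is a placeholder.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: image scan
        uses: example-org/scanner-action@v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://example.test/scanner:1.2.3
"""

if __name__ == "__main__":
    for line_no, ref, verdict in audit_workflow(SAMPLE):
        print(f"{line_no:>3}  {verdict:<8} {ref}")
```

Every `mutable` finding is a reference whose content can change without the workflow file changing, which is the condition the force-updated tags relied on.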

Once executed inside CI/CD pipelines, the malicious code gained access to sensitive runtime data. As observed in multiple analyses, it collected environment variables, cloud credentials, Kubernetes secrets, SSH keys, and API tokens, exfiltrating them in encrypted form. Because this activity occurred within legitimate pipeline execution, it blended into normal operations and was difficult to detect.

Importantly, Aqua emphasized that the compromise was limited to the open-source distribution pipeline and did not affect its commercial platform or core scanning functionality. The attack targeted how Trivy was delivered, not how it scanned.

The impact

The broader impact of this campaign became particularly visible in the incident involving the European Commission. According to reporting by The Record, attackers leveraged credentials obtained through the supply chain to access cloud-based systems associated with the Commission.

Technical analysis from CERT-EU confirms that the intrusion did not involve direct exploitation of infrastructure vulnerabilities. Instead, attackers authenticated using valid credentials, interacting with AWS resources as legitimate users would. This highlights a defining characteristic of modern supply chain attacks: they operate within trusted boundaries rather than breaking through them.

The same pattern extended to other impacted organizations. The breach of Cisco, for example, has been linked to the execution of compromised components within development workflows. By running tainted tools in build environments, attackers were able to access internal systems and extract source code and sensitive data.

Similarly, reports involving Mercor indicate that the intrusion vector was not an independent exploit, but rather downstream impact from the same supply chain compromise. In these cases, the entry point was the pipeline itself—specifically, environments that had executed compromised versions of Trivy or related components.

What makes this campaign particularly significant is not just its technical sophistication, but its systemic nature. The attack did not target individual organizations directly. Instead, it compromised a trusted component upstream and allowed the impact to cascade downstream across environments, pipelines, and cloud infrastructures.

The common denominator across all affected cases is trust. Modern development ecosystems depend heavily on automation, shared tooling, and credential-based access. CI/CD pipelines execute code automatically, often with elevated privileges. Security tools are granted broad visibility into systems. Cloud environments rely on identity rather than perimeter controls. When one trusted component is compromised, the effects propagate rapidly and silently.

The TeamPCP campaign demonstrates that attackers no longer need to exploit vulnerabilities in the traditional sense. They can operate within the system by leveraging legitimate access paths, making their activity appear indistinguishable from normal operations. This significantly reduces detection capabilities and increases dwell time.

The implications are far-reaching. Defending against this class of attack requires more than patching vulnerabilities. It requires validating trust. Organizations must ensure integrity at every stage of the supply chain, from source code to build pipelines to artifact distribution. They must assume that credentials exposed in CI/CD environments are compromised and act accordingly.
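One way to validate trust in an upstream repository's tags, given here as an added example that is not part of the original article or of any vendor tooling: record the commit each tag resolved to when it was reviewed, then compare that baseline against later `git ls-remote --tags` output to surface tags that were force-updated. The tag names and SHAs are constructed filler values, and the function names are hypothetical.

```python
def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    An annotated tag is listed twice: once as the tag object and once as a
    peeled "^{}" entry holding the commit it resolves to. The peeled SHA wins.
    """
    tags = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # commit behind an annotated tag
        else:
            tags.setdefault(name, sha)     # lightweight tag, or tag object
    return tags


def tag_drift(baseline, current):
    """Compare a recorded tag->commit baseline with the current remote state."""
    return {
        "moved": {t: (baseline[t], current[t])
                  for t in baseline if t in current and baseline[t] != current[t]},
        "removed": sorted(t for t in baseline if t not in current),
        "added": sorted(t for t in current if t not in baseline),
    }


# Constructed data: SHAs are filler values, tag names are placeholders.
GOOD, MOVED, TAGOBJ, NEW = "a" * 40, "e" * 40, "7" * 40, "b" * 40
BASELINE = {"v1.0.0": GOOD, "v1.1.0": GOOD, "v1.2.0": GOOD}
LS_REMOTE = (
    f"{GOOD}\trefs/tags/v1.0.0\n"
    f"{TAGOBJ}\trefs/tags/v1.1.0\n"
    f"{MOVED}\trefs/tags/v1.1.0^{{}}\n"   # v1.1.0 now resolves elsewhere
    f"{NEW}\trefs/tags/v1.3.0\n"
)

if __name__ == "__main__":
    report = tag_drift(BASELINE, parse_ls_remote(LS_REMOTE))
    for tag, (old, new) in report["moved"].items():
        print(f"MOVED   {tag}: {old[:12]} -> {new[:12]}")
    print("REMOVED", report["removed"])
    print("ADDED  ", report["added"])
```

A non-empty `moved` set means a release tag no longer points at the commit that was originally reviewed, even though the version string is unchanged.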

Ultimately, the most important shift is conceptual. The supply chain is no longer just a delivery mechanism—it is the attack surface itself. And in an ecosystem built on implicit trust, the most effective attack is not the one that breaks the system, but the one that becomes part of it.

Summary

The scale of credential exposure in this campaign introduces a secondary, often overlooked risk: once credentials are compromised, traditional access controls lose their reliability. VPNs and ZTNA solutions fundamentally depend on the assumption that authenticated users and devices can be trusted. But when attackers possess valid cloud tokens, API keys, and identity credentials harvested directly from CI/CD pipelines, that assumption breaks down. Access is no longer something to be granted based on identity—it must be continuously verified based on behavior and context. This is where Zeroport’s approach becomes critical. By eliminating implicit trust and enforcing granular, hardware-based access controls that do not rely solely on credentials or network position, Zeroport reduces the blast radius of credential compromise and prevents attackers from turning stolen access into persistent footholds. In a world where the supply chain can leak secrets at scale, secure access must assume those secrets are already exposed.
