The FBI Cyber Division has issued a critical alert following a massive supply chain attack orchestrated by the threat actor group TeamPCP.
The hackers successfully compromised two widely used developer tools, creating a cascading security incident for organizations building artificial intelligence software.
By exploiting weak credential management and leveraging AI-assisted coding, the group distributed malicious updates to millions of end-users.
The breach unfolded in two distinct phases: it began with a popular security tool and then moved to a major AI framework. TeamPCP first targeted Trivy, an open-source vulnerability scanner maintained by Aqua Security.
According to Forbes, the attackers used an automated agent to trick the scanner into exposing its GitHub authentication keys.
With those credentials, they published trojanized versions of Trivy to the project's public repository. Aqua Security confirmed that only the open-source version was affected and that its commercial product was not.
The Trivy compromise directly enabled the second phase of the attack against LiteLLM. This open-source AI gateway connects applications to major large language models like GPT-5 and Claude.
Because LiteLLM's development environment ran the compromised Trivy build, TeamPCP was able to extract the credentials used to publish LiteLLM packages.
They then pushed malicious code to a user base of nearly 95 million developers. The compromise was discovered only when the infected software crashed users' systems.
Beyond targeting AI tools, TeamPCP actively used AI to accelerate its offensive operations. A threat actor representing the group confirmed they used Anthropic’s Claude to write specific malware components to speed up their deployment.
Attack and Threat Actor Details
- Lateral movement: The group used Claude to generate scripts that helped the malware spread across infected network environments.
- Credential harvesting: Attackers automated the extraction of GitHub and publishing keys from the initial Trivy breach.
- Monetization strategy: TeamPCP operates as an initial access broker by selling network access to ransomware operators or extorting victims directly.
LiteLLM has engaged Google’s Mandiant to investigate the incident and secure its infrastructure.
Cybersecurity experts note that this attack exposes a critical weakness in the AI development pipeline.
Developers often trust open-source tools without question, running them without internal code review and without strict secrets management around the build.
To prevent similar supply chain compromises, organizations must lock down their API keys and publishing credentials, and verify the provenance and integrity of all third-party software before it runs in build or production environments.
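The two recommendations above (keep publishing credentials away from untrusted tooling, and verify third-party software before it runs) can be turned into a mechanical pre-merge check. The script below is an added illustration written for this page, not code from the article, from Aqua Security or from LiteLLM. It assumes a GitHub Actions style workflow: it flags `uses:` references that point at a mutable tag or branch rather than a full commit SHA, flags repository secrets handed to such a step, flags `permissions: write-all`, and verifies a downloaded tool binary against a digest taken from a trusted checksum file using a constant-time comparison. The sample workflow, the commit SHA in it and the action names are constructed for the example.

```python
"""Pre-merge audit for CI workflows that run third-party tools.

Added example for this page; not the article's or any vendor's code.
Assumes GitHub Actions workflow syntax. Sample data below is constructed.
"""
import hashlib
import hmac
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # full commit SHA
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")     # `- uses: owner/repo@ref`
STEP_RE = re.compile(r"^\s*-\s")                            # start of a new list item / step
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")               # ${{ secrets.NAME }}
PERMS_RE = re.compile(r"^\s*permissions:\s*write-all\b")    # blanket token permissions


def is_pinned(ref):
    """True when an action reference is pinned to a full 40-hex commit SHA.

    Local actions (./path) and docker:// images are out of scope here and
    are treated as pinned so they do not produce noise.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def audit_workflow(text):
    """Scan workflow YAML line by line; returns findings keyed by category.

    A deliberately simple line-oriented parse: it tracks the most recent
    `uses:` of the current step so that secrets passed via env to an
    unpinned third-party step can be reported with that step's reference.
    """
    unpinned = []            # (line_no, ref)
    secrets_to_unpinned = [] # (line_no, ref) secret exposed to an unpinned step
    broad_permissions = []   # line_no of `permissions: write-all`
    current_ref = None       # ref of the current step if it is unpinned
    for n, line in enumerate(text.splitlines(), 1):
        if STEP_RE.match(line):
            current_ref = None           # new step, forget previous uses:
        if PERMS_RE.match(line):
            broad_permissions.append(n)
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("\"'")
            if not is_pinned(ref):
                unpinned.append((n, ref))
                current_ref = ref
            continue
        if current_ref and SECRET_RE.search(line):
            secrets_to_unpinned.append((n, current_ref))
    return {
        "unpinned": unpinned,
        "secrets_to_unpinned": secrets_to_unpinned,
        "broad_permissions": broad_permissions,
    }


def verify_sha256(data, expected_hex):
    """Compare an artifact's SHA-256 against a digest obtained out of band
    (e.g. a vendor checksum file); constant-time compare avoids timing leaks."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed sample workflow (line numbers: 8 and 12 are unpinned,
# 14 hands a secret to the unpinned step on line 12, 3 is write-all).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - name: Run scanner
        uses: some-org/scanner-action@master
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed "downloaded tool" and the SHA-256 of the bytes b"hello",
# standing in for a digest copied from a trusted checksum file.
SAMPLE_TOOL = b"hello"
SAMPLE_TOOL_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

if __name__ == "__main__":
    for category, hits in audit_workflow(SAMPLE_WORKFLOW).items():
        print(category, hits)
    print("tool digest ok:", verify_sha256(SAMPLE_TOOL, SAMPLE_TOOL_SHA256))
    print("tampered tool ok:", verify_sha256(SAMPLE_TOOL + b"\x00", SAMPLE_TOOL_SHA256))
```

Run it as a pre-merge check over `.github/workflows/*.yml` and fail the job on any `secrets_to_unpinned` hit: a secret reachable by a step whose code can change under you is exactly the exposure the article describes. The digest check belongs wherever a tool binary is fetched in CI; the expected value must come from a source separate from the download itself, otherwise the check verifies nothing.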