TeamPCP Hits Trivy, Checkmarx, and LiteLLM in Credential Theft Campaign

Hackers compromised Trivy, Checkmarx, and LiteLLM in a supply chain attack, stealing cloud credentials, tokens, and crypto wallet data from developers.

A series of interconnected cyberattacks targeting several widely used software development tools has been reported by Wiz Research and Checkmarx, aimed at stealing sensitive digital keys and credentials from unsuspecting companies.

What Happened?

The trouble began on 19 March 2026, when a hacking group calling themselves TeamPCP managed to break into Trivy, a popular tool used by developers to scan their code for security vulnerabilities. This was a supply chain attack, which occurs when hackers sneak malicious code into a trusted product so it spreads automatically to everyone who uses that software.

In Trivy’s case, the hackers injected a credential stealer into the Trivy scanner and its related automated tasks on GitHub. By appearing as legitimate developers, the attackers launched poisoned updates designed to quietly steal passwords, cloud ...