{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreich2swomfmxhxdmkl7xf6uxncjkzpvku6izo6zjy3ungku6sr3hzi",
"uri": "at://did:plc:rrwxywdlrz5fkwj5g4u4jnrk/app.bsky.feed.post/3mhw4stqhqn52"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreifzyvttx5agj3ilargdxhyohskkt4to4jm2zzuapozbxdpwy2zz7i"
},
"mimeType": "image/jpeg",
"size": 3050225
},
"path": "/article/4149938/trivy-supply-chain-breach-compromises-over-1000-saas-environments-lapsus-joins-the-extortion-wave.html",
"publishedAt": "2026-03-25T12:04:10.000Z",
"site": "https://www.csoonline.com",
"tags": [
"Cybercrime, Malware, Security",
"reported CyberScoop",
"the attack",
"technical analysis",
"LiteLLM",
"CanisterWorm",
"reporting messages posted by the group on Telegram",
"identified",
"Tuesday update"
],
"textContent": "What started as a supply chain attack on Trivy, a widely used security scanner, has become a Lapsus$-linked extortion campaign, with more than 1,000 enterprise SaaS environments already compromised.\n\nCharles Carmakal, CTO of Mandiant Consulting, made the assessment at a Google-hosted threat briefing held alongside the RSA Conference 2026 in San Francisco on Tuesday.\n\n“We know of over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat campaign,” he said at the event, reported CyberScoop. “That thousand-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000.”\n\nHe, according to the report, warned that widespread breach disclosures and follow-on attacks would play out over the coming months.\n\nThe criminal collaboration behind the attack has also widened. Where the initial breach was attributed to a cloud-native threat group called TeamPCP, Mandiant’s response work has revealed that those actors are now channeling stolen access to broader criminal networks with Lapsus$, a group known for high-profile and aggressive extortion, among confirmed collaborators, the report added.\n\nKatie Paxton-Fear, staff security advocate at cybersecurity firm Semgrep, warned the group may already be positioned for further strikes. “The attackers may be sitting on many more compromises across the open-source ecosystem, waiting for guards to go down before launching the next,” she said.\n\nCloud security company Wiz and supply chain security firm Socket have also documented that expansion across multiple fronts.\n\n## Widening blast radius\n\nWiz, in its technical analysis of the attack, found that attackers extended their reach to LiteLLM, a widely used AI middleware library embedded across a significant portion of cloud environments, using credentials stolen during the initial Trivy breach.\n\nSocket, meanwhile, identified a self-replicating worm dubbed CanisterWorm that leveraged stolen npm publish tokens from the same breach to backdoor more than 29 packages across the npm ecosystem.\n\nThe attackers have also publicly stated their intent to target additional open-source projects, with Socket reporting messages posted by the group on Telegram taunting the security industry and signaling plans to expand the campaign.\n\nPaxton-Fear noted that the timing of the escalation appeared calculated. “The attackers first gained access to LiteLLM during their attack last week on Trivy, but they didn’t rush to attack while defenders were already on high alert,” she said. “Instead, they sat on their access, waiting until defenders were busy with a major security conference.”\n\nSocket’s threat research team also identified further compromised Trivy artifacts on Docker Hub over the weekend — versions 0.69.5 and 0.69.6 — published without corresponding GitHub releases and carrying the same infostealer payload. Even after removal, Socket found cached copies continued to circulate through the mirror infrastructure, including mirror.gcr.io.\n\nThe firm also found that the attackers had defaced Aqua Security’s GitHub organization, renaming all 44 repositories with descriptions reading “TeamPCP Owns Aqua Security,” based on archived snapshots it analyzed.\n\n“The presence of these repositories indicates a deeper level of control over the GitHub organization during the compromise,” Socket wrote in the analysis.\n\n## A pattern of persistent access\n\nThis is the second compromise affecting the Trivy ecosystem within roughly a month. Socket identified compromised Aqua Trivy VS Code extension releases on OpenVSX in late February, and now trivy-action, Trivy’s official GitHub Action for running scans in CI/CD workflows, has been abused through manipulated version tags to distribute malicious code across pipelines.\n\n“Repeated compromises of the same vendor in a short period suggest a persistent weakness,” said Cory Michal, CSO of SaaS security management company AppOmni. He said the method reflects a broader pattern. Rather than targeting victims individually, attackers compromised the organization behind a trusted supply-chain component and used its GitHub repository and mutable version tags to reach downstream users at scale.\n\n“Many organizations still allow build systems and developers to automatically pull in third-party code from the internet with limited review and too much implicit trust,” Michal said. “Convenience and speed in modern software delivery have outpaced governance.”\n\nIsaac Evans, founder and CEO of Semgrep, said the incident shows how easily broken pipeline trust can be re-exploited. “Defenders need to adopt the same mindset as attackers — continuously probing their own surface and verifying the integrity of their pipelines, rather than relying on static controls or assumed trust,” he said.\n\nAs the fallout continues to unfold, Aqua Security and Mandiant are still working to fully contain the damage.\n\n## Where things stand\n\nIn a Tuesday update, Aqua Security said it has engaged incident response firm Sygnia. Credential revocation and rotation across all environments remains ongoing. The company maintained that its commercial products are architecturally isolated from the compromised open-source environment and remain unaffected.\n\nAccording to CyberScoop, Mandiant said it has not yet determined how the original credentials were first stolen, and believes the initial theft likely occurred outside the direct victim’s environment, possibly through a business process outsourcer or partner organization.\n\nFor AppOmni’s Michal, the incident is a warning that the industry’s approach to third-party code needs to fundamentally change. “Organizations need stronger controls around what external code they allow, how it is approved, how it is pinned, and how changes are monitored before that code is trusted inside production or SaaS-connected environments,” he said.",
"title": "Trivy supply chain breach compromises over 1,000 SaaS environments, Lapsus$ joins the extortion wave"
}