They Compromised the Security Scanners First. Then They Came for Your AI Tools.

On March 19, 2026, a threat actor called TeamPCP compromised Aqua Security's Trivy — one of the most widely used vulnerability scanners in the world. On March 23, they compromised Checkmarx's KICS GitHub Actions. They even registered checkmarx[.]zone as a C2 domain, impersonating the legitimate security company. On March 24, they poisoned LiteLLM on PyPI. 97 million downloads per month. Versions 1.82.7 and 1.82.8 shipped with a credential-stealing backdoor that activated on every Python process startup — even without importing the library. The sequence matters. They didn't start with LiteLLM. They started with the security scanners. Why This Attack Pattern Is Terrifying Most supply chain attacks target popular packages directly. This one was different. TeamPCP's strategy: Compromise the security tools first (Trivy, Checkmarx KICS) — these run in CI/CD pipelines with elevated permissions Harvest CI/CD credentials from the compromised scanner runs Use those credentials to poison downstre