
Cisco Source Code and AWS Keys Stolen in Trivy Supply Chain Attack


Cisco has experienced a cyberattack after threat actors used stolen credentials originating from the recent Trivy vulnerability scanner supply chain compromise to infiltrate the company's internal development environment.

The attackers exploited a malicious GitHub Action plugin introduced through the Trivy compromise to harvest credentials and data from Cisco's build and development environment, impacting dozens of devices, including developer and lab workstations.

Cisco's Unified Intelligence Center, CSIRT, and EOC teams were mobilized to contain the breach.

As part of the breach, the following data and assets were reportedly compromised:

  • Multiple AWS access keys, subsequently used for unauthorized activities across several Cisco AWS accounts
  • More than 300 GitHub repositories, including source code for AI-powered products such as AI Assistants, AI Defense, and unreleased products
  • Source code repositories belonging to corporate customers, including banks, business process outsourcing firms (BPOs), and US government agencies
  • CI/CD credentials and build environment data from developer and lab workstations

Multiple sources indicated that more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity.

The initial intrusion has been contained, but the company expects continued fallout from the follow-on LiteLLM and Checkmarx supply chain attacks that were also attributed to TeamPCP.

Cisco has isolated affected systems, begun reimaging them, and is performing wide-scale credential rotation across impacted environments.

The exact number of affected individuals, the full scope of customer data exposure, the monetary value of the stolen intellectual property, and whether any ransom demand was made remain undisclosed at this time.

Cisco has not issued an official public statement regarding this specific Trivy-linked breach. BleepingComputer contacted Cisco with questions about the incident but did not receive a reply.