Industry News
Tags: supply chain, ci/cd, trivy
TeamPCP Compromises Trivy And LiteLLM Ecosystem
Relevance Score: 9.2
A targeted supply-chain attack by TeamPCP compromised Trivy, Checkmarx artifacts and LiteLLM packages between March 19 and 24, 2026, injecting malware into GitHub Actions, container images and PyPI packages. The campaign, tracked as CVE-2026-33634 with a CVSS4B score of 9.4, reportedly exfiltrated SSH keys, cloud tokens and Kubernetes secrets, affecting more than 20,000 repositories; the group claims to have taken hundreds of gigabytes of data and over 500,000 accounts. Organizations must pin versions, rotate credentials and perform threat hunting.
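The "pin versions" recommendation is concrete and checkable. Below is an added example (not from the article, nor from Trivy, Checkmarx or LiteLLM) that audits two of the inputs named above: GitHub Actions `uses:` references that float on a tag or branch instead of a full commit SHA, and requirements.txt entries lacking an exact `==` version plus `--hash`. All action names, package names, digests and hashes in the sample inputs are constructed placeholders.

```python
"""Audit CI inputs for mutable (unpinned) dependency references.

Added example, not code from the article or the affected projects.
Flags GitHub Actions `uses:` lines pinned to tags/branches rather than a
40-hex commit SHA, and requirements.txt lines without `==` and `--hash`.
"""
import re
from dataclasses import dataclass, field

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)", re.MULTILINE)
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*==\s*([^\s\\]+)")


@dataclass
class PinReport:
    pinned: list = field(default_factory=list)
    unpinned: list = field(default_factory=list)
    skipped: list = field(default_factory=list)


def audit_workflow(yaml_text: str) -> PinReport:
    """Classify every `uses:` reference in a workflow file."""
    report = PinReport()
    for ref in USES_LINE.findall(yaml_text):
        if ref.startswith("./"):
            report.skipped.append(ref)  # local action: lives in the repo itself
            continue
        if ref.startswith("docker://"):
            # Container actions are immutable only when pinned by digest.
            target = report.pinned if IMAGE_DIGEST.search(ref) else report.unpinned
            target.append(ref)
            continue
        # "owner/repo@ref": only a full commit SHA is immutable; tags move.
        _, _, version = ref.rpartition("@")
        target = report.pinned if SHA40.match(version) else report.unpinned
        target.append(ref)
    return report


def audit_requirements(req_text: str) -> PinReport:
    """Require an exact `==` version AND a hash for every requirement."""
    report = PinReport()
    joined = req_text.replace("\\\n", " ")  # fold backslash continuations
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option line
        name = line.split()[0]
        if REQ_LINE.match(line) and "--hash=sha256:" in line:
            report.pinned.append(name)
        else:
            report.unpinned.append(name)
    return report


# Constructed sample inputs (placeholders, not any real project's files).
SAMPLE_WORKFLOW = "\n".join([
    "# constructed sample workflow",
    "name: ci",
    "on: [push]",
    "jobs:",
    "  scan:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      - uses: example-org/scanner-action@v1.2.3",
    "      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567",
    "      - uses: ./.github/actions/local-step",
    "      - uses: docker://alpine:3.19",
    "      - uses: docker://example.invalid/tool@sha256:" + "b" * 64,
])

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
somepkg==1.2.3 \\
    --hash=sha256:""" + "a" * 64 + """
otherpkg>=2.0
thirdpkg==4.5.6
"""

if __name__ == "__main__":
    for label, rep in (("workflow", audit_workflow(SAMPLE_WORKFLOW)),
                       ("requirements", audit_requirements(SAMPLE_REQUIREMENTS))):
        print(f"{label}: {len(rep.pinned)} pinned, {len(rep.unpinned)} unpinned")
        for ref in rep.unpinned:
            print(f"  UNPINNED  {ref}")
```

Run against real files in a pre-merge check and fail the build on any `unpinned` entry; a tag such as `v4` can be re-pointed by whoever controls the action repository, which is exactly the path a compromised publisher exploits, whereas a commit SHA or image digest cannot.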
Scoring Rationale
Broad, high-severity supply-chain compromise with CVE and widespread exposures; remediation remains complex, requiring coordinated rotation and auditing.
Sources
- Trojanization of Trivy, Checkmarx, and LiteLLM solutions (kaspersky.co.uk)