Update: On March 24, the campaign moved to PyPI. The litellm package, in versions 1.82.7 and 1.82.8, was poisoned with the same infostealer malware used in the original campaign and later on NPM.
A new exfiltration endpoint is used: https://models.litellm[.]cloud/
Other IoCs stay the same.
On March 24, the campaign also targeted the Checkmarx KICS scanner, poisoning it with an infostealer.
The Trivy story is moving quickly, and the latest reporting makes one thing clear: this is no longer just a GitHub Actions tag hijack. What started as a compromise of trivy-action, setup-trivy, and the v0.69.4 release has expanded into malicious Docker Hub images and a suspected service-account compromise spanning Aqua's internal GitHub organization. Researchers tied the new artifacts to the same TeamPCP infostealer seen earlier in the campaign, and Aqua has said the March 19 incident reused credentials retained from the previous breach because remediation was not fully atomic.
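Two defender-side checks for the indicators above, added here as an example and not part of the original report: one flags a pinned litellm install at the poisoned versions, the other flags the named Aqua actions when a workflow references them by a mutable tag or branch instead of a full commit SHA (SHA pinning is a generic mitigation for tag re-pointing, not something the report prescribes). The requirements file and workflow it scans are constructed samples.

```python
import re

# Poisoned litellm releases named in the report.
POISONED_LITELLM = {"1.82.7", "1.82.8"}
# Actions the report says were hijacked via their tags. A 40-hex commit SHA
# cannot be re-pointed the way a tag or branch can, so that is the safe pin.
WATCHED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
REQ_RE = re.compile(r"^\s*litellm\s*===?\s*([0-9][\w.]*)", re.I)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")


def check_requirements(text):
    """Return litellm versions pinned in a requirements file that match the poisoned set."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and m.group(1) in POISONED_LITELLM:
            hits.append(m.group(1))
    return hits


def check_workflow(text):
    """Return (action, ref) pairs for watched actions not pinned to a full commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action in WATCHED_ACTIONS and not SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


# Constructed sample inputs; the SHA below is a placeholder, not a real commit.
REQUIREMENTS = "requests==2.31.0\nlitellm==1.82.7\n"
WORKFLOW = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    print("poisoned litellm pins:", check_requirements(REQUIREMENTS))
    print("unpinned Aqua actions:", check_workflow(WORKFLOW))
```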