Supply Chain Attack on Trivy Expands into Lapsus$-Linked Extortion Campaign, Compromising Over 1,000 SaaS Environments A sophisticated supply chain attack targeting Trivy, a widely used open-source security scanner, has escalated into a large-scale extortion campaign linked to the cybercriminal group Lapsus$, compromising over 1,000 enterprise SaaS environments. The attack, first detected in late February, involved the compromise of Trivy’s VS Code extension, GitHub Action, and Docker Hub artifacts, with malicious payloads distributed through manipulated version tags and cached mirror infrastructure. The threat actors, initially identified as the cloud-native group TeamPCP, gained persistent access to Aqua Security’s GitHub organization, defacing all 44 repositories with the message “TeamPCP Owns Aqua Security.” Mandiant’s investigation revealed that the attackers later funneled stolen access to broader criminal networks, including Lapsus$, known for aggressive extortion tactics. The attack leveraged stolen credentials likely obtained through a third-party breach to backdoor multiple components, including LiteLLM, an AI middleware library embedded in cloud environments. Security firms Wiz and Socket confirmed that the campaign expanded across the npm ecosystem, with over 29 malicious packages distributed using compromised publish tokens. Despite takedown efforts, cached copies of the malicious Trivy artifacts continued circulating via mirror infrastructure like mirror.gcr.io. Security experts warned that the attackers timed their escalation strategically, waiting until defenders were distracted by RSA Conference 2026 before launching follow-on attacks. Cory Michal (AppOmni) and Isaac Evans (Semgrep) emphasized that the incident highlights critical weaknesses in third-party code governance, with attackers exploiting implicit trust in supply chains and mutable version tags to scale their reach. Aqua Security confirmed that its commercial products remain unaffected due to architectural isolation, but credential revocation and rotation efforts are ongoing. Mandiant has yet to determine the initial source of the stolen credentials, suspecting a breach at a business process outsourcer or partner organization. As the fallout continues, the attackers have publicly signaled plans to target additional open-source projects, with security researchers warning that the 1,000+ downstream victims could expand significantly in the coming months. The incident underscores the growing threat of supply chain attacks, where a single compromise can cascade across thousands of organizations.