How Hackers Leveraged AI to Compromise Trivy and LiteLLM – A Supply‑Chain Attack Case Study

An obscure hacker group, TeamPCP, used an AI agent powered by Anthropic’s Claude to trick the open‑source security scanner Trivy into revealing its GitHub credentials, then injected malicious code into Trivy’s updates and subsequently compromised the AI gateway LiteLLM, exposing critical supply‑chain vulnerabilities in popular AI development tools.

Black & White Path
On March 26, the FBI’s cyber division issued a critical alert that a hacker collective had compromised two widely used AI development tools. Forbes later confirmed the claim after the group, calling themselves TeamPCP, openly admitted using AI to accelerate the attack.

TeamPCP describes themselves as a loosely organized group of unemployed youths who turned to “network extortion,” selling compromised servers and taking commissions. Their first target was Trivy, Aqua Security’s open‑source vulnerability scanner used by tens of thousands of companies.

According to the hackers, an AI agent, specifically a Claude model from Anthropic, generated code that persuaded Trivy to voluntarily disclose its GitHub account key. The attackers then inserted malicious payloads into Trivy’s update package, creating a supply‑chain foothold.

The compromise cascaded to LiteLLM, an AI gateway that aggregates calls to large models such as GPT‑5 and Claude, boasting roughly 95 million downloads. By exploiting the Trivy breach, the hackers obtained the publishing platform’s credentials and planted additional malicious code in LiteLLM’s distribution.

The intrusion was discovered when a developer’s machine crashed, prompting LiteLLM’s CTO Jaffer to involve Google’s Mandiant team for forensic analysis. Forbes verified the attackers’ identity when TeamPCP posted a blog entry on the dark web confirming responsibility.

TeamPCP’s spokesperson (online handle T00001B) explained that Claude helped write the malicious component, while the actual vulnerability hunting was done manually. He later admitted, “This attack isn’t sophisticated at all; it’s all because developers are careless.”

Security researcher Ben Read from Wiz emphasized that the incident is a textbook supply‑chain attack and warned that organizations must have robust incident‑response plans.

The episode illustrates three key takeaways: AI is a double‑edged sword that can empower attackers as well as defenders; open‑source tools are not automatically secure and require thorough auditing; and developers should stop assuming that popularity guarantees safety.

Illustration: AI-assisted hacker attack
Tags: AI security, Claude, Trivy, Supply Chain Attack, LiteLLM, TeamPCP