Axios Joins LiteLLM as Fifth Victim in 12-Day TeamPCP Supply Chain Blitz | Security
Between March 19 and March 31, 2026, threat actor TeamPCP compromised five major open source projects in twelve days — Trivy, Checkmarx AST, LiteLLM, Telnyx, a…
Published on MyPrivateClaw
Apr 3, 2026, 7:47 PM UTC
Coverage date
Apr 3, 2026
Last updated
Apr 5, 2026, 8:11 PM UTC
News summary
Between March 19 and March 31, 2026, a single threat actor designated TeamPCP compromised five major open source projects in twelve days — Trivy, Checkmarx AST, LiteLLM, Telnyx, and Axios — in the most damaging cascading supply chain campaign on record. If your infrastructure runs Python or Node.js workloads, treat every credential touched since March 19 as compromised. The attack chain began with Trivy on March 19. TeamPCP exploited a misconfigured pull request target workflow in Trivy's GitHub Actions to steal a Personal Access Token. That token became the master key: attackers injected credential stealers across 75 hijacked release tags and 44 repositories, eventually infecting over 1,000 cloud environments. Mandiant CTO Kevin Mandia estimated that figure could climb to 10,000+ SaaS environments. $1 documents the full cascade. LiteLLM was hit on March 24 via CI/CD credentials harvest…