When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Attack
Read the Threat Intelligence Report, https://www.sans.org/blog/when-securi...

The TeamPCP campaign marks a turning point in cloud security. Attackers are no longer bypassing defenses. They are weaponizing them. In this session, we break down how attackers compromised the widely used Trivy security scanner and used it to launch a cascading software supply chain attack across thousands of organizations.

This attack shows how CI/CD pipelines have become a primary target and how trusted security tools can be turned into attack vectors. A vulnerability scanner used by more than 10,000 development teams was compromised to steal cloud credentials, exfiltrate sensitive data, and spread malware across software ecosystems. This is not an edge case. It highlights fundamental risks in modern cloud environments, including over-permissioned access, lack of trust boundaries in CI/CD pipelines, and the growing impact of software supply chain attacks.

LEARNING OBJECTIVES:

This webcast walks through the TeamPCP attack from start to finish, covering how it began, how it spread, the impact, and the key lessons for defenders. Presenters will break down the attack to show:

Security tools can become attack vectors -- How trusted tools like Trivy, Checkmarx KICS, and LiteLLM were weaponized to steal credentials.

CI/CD credential theft can have an exponential blast radius -- How a single compromised token cascaded across pipelines, packages, and multiple ecosystems.

Active compromise can break standard credential rotation -- Why rotating credentials inside a compromised environment can enable re-compromise.

GitHub Actions requires compensating controls -- Key architectural risks and the controls needed to secure CI/CD workflows.

Self-propagating supply chain attacks are operational -- How automated worm-like behavior enabled rapid spread across software ecosystems.

This session supports content and knowledge from SANS SEC510, SEC540, SEC588, and FOR509.
To learn more, access free resources, and explore upcoming course runs within the SANS Cloud Security curriculum, visit www.sans.org/cloud-security.

Learn more about Kenneth G Hartman, https://www.sans.org/profiles/kenneth... and Eric Johnson, https://www.sans.org/profiles/eric-jo...

Watch the full session and access the presentation slides, https://www.sans.org/webcasts/when-se...

SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.

SANS Cloud Security Curriculum: www.sans.org/cloud-security
GIAC Cloud Security Certifications: https://www.giac.org/focus-areas/clou...
LinkedIn: /sanscloudsec
Discord: www.sansurl.com/cloud-discord
Twitter: @SANSCloudSec

