
Supply Chain Attack Steals Cisco Source Code via Compromised Trivy Scanner, TeamPCP (UNC6780) Linked to Google GTIG

A compromised Trivy security scanner was used by the TeamPCP (UNC6780) threat group to steal Cisco IOS and SDK source code. The incident, tracked by Google GTIG, highlights a supply‑chain risk that can affect any organization relying on Cisco networking components.

🛡️ LiveThreat™ Intelligence · 📅 April 08, 2026 · 📰 isc.sans.edu

  • 🔴 Severity: Critical
  • 🔓 Type: Breach
  • 🎯 Confidence: High
  • 🏢 Affected: 4 sector(s)
  • Actions: 4 recommended
  • 📰 Source: isc.sans.edu


What Happened – A fifth‑party security scanner (Trivy) was compromised and used by the TeamPCP (also tracked as UNC6780) threat group to exfiltrate proprietary Cisco source code. Google’s Global Threat Intelligence Group (GTIG) has correlated the activity to the UNC6780 actor, and the CISA Known Exploited Vulnerabilities (KEV) deadline passed without a dedicated advisory.

Why It Matters for TPRM

  • Source‑code theft can introduce hidden backdoors into downstream products that rely on Cisco components.
  • Supply‑chain compromise of a widely‑used scanning tool demonstrates the risk of trusted third‑party utilities.
  • Lack of a formal CISA advisory may delay detection and remediation for organizations that depend on Cisco hardware or software.

Who Is Affected – Technology and telecom providers, cloud‑infrastructure services, manufacturing firms using Cisco networking gear, and any SaaS vendors that embed Cisco SDKs or firmware.

Recommended Actions

  • Conduct an immediate inventory of Cisco assets and verify code integrity against trusted baselines.
  • Review contracts and security clauses with any third‑party scanning or CI/CD tools.
  • Engage Cisco’s security team for threat‑intel sharing and remediation guidance.
  • Update supply‑chain risk assessments to include scanner‑related dependencies.
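The first and last actions above (verify code integrity against a trusted baseline, and treat the scanner itself as a dependency to be checked) both come down to the same mechanism: record hashes from a copy you trust, then compare before use. The following is an added example written for this brief, not code from SANS ISC, Cisco, or the Trivy project. It assumes a baseline manifest (relative path to SHA-256 digest) was captured earlier from a known-good tree, and that a scanner binary ships with a published SHA-256 you have pinned; the file names and digests in the demo are constructed.

```python
"""Baseline integrity check for a source tree or a pinned tool download.

Added example (not from the original brief). Assumes a baseline manifest
of path -> sha256 recorded from a trusted copy, and a pinned digest for
any third-party binary you run in CI.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a planted link cannot pull in content from
    outside the tree being attested.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed, or changed relative to the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def verify_tree(root: Path, baseline: dict) -> dict:
    """Compare the tree on disk against the trusted baseline manifest."""
    return diff_manifest(baseline, build_manifest(root))


def verify_pinned_artifact(path: Path, expected_sha256: str) -> bool:
    """Gate a downloaded scanner or SDK binary on the digest you pinned in advance.

    A malicious update that replaces the binary changes its digest, so the
    CI job refuses to run it. Constant-time compare avoids timing leaks of
    the expected value, though that is defence in depth here.
    """
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def demo() -> dict:
    """Constructed scenario: record a baseline, then tamper with one file and add another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void){return 0;}\n")
        (root / "src" / "util.c").write_text("int helper(void){return 1;}\n")
        baseline = build_manifest(root)  # trusted snapshot taken earlier

        # Tampering (constructed): one source file changed, one unexpected file appears.
        (root / "src" / "util.c").write_text("int helper(void){return 2;}\n")
        (root / "src" / "extra.c").write_text("/* not in baseline */\n")

        # A pinned tool download: pass when the digest matches, fail after a swap.
        tool = root / "scanner.bin"
        tool.write_bytes(b"trusted scanner build")
        pinned = sha256_file(tool)
        ok_before = verify_pinned_artifact(tool, pinned)
        tool.write_bytes(b"replaced scanner build")
        ok_after = verify_pinned_artifact(tool, pinned)

        result = verify_tree(root, baseline)
        result["tool_ok_before_swap"] = ok_before
        result["tool_ok_after_swap"] = ok_after
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline manifest lives outside the tree it describes (signed, or stored in a system the build agent cannot write to), and the pinned digest for a scanner comes from the vendor's release page rather than from the same download that delivered the binary; otherwise a compromised update can rewrite both. Note that `demo()` reports the scanner file itself under `added`, since it was created after the baseline was taken.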

Technical Notes – The breach leveraged a malicious update to the open‑source Trivy scanner, turning a legitimate vulnerability‑assessment tool into a data‑exfiltration vector. No public CVE is associated with the scanner itself, but the incident underscores the danger of third‑party dependency exploitation. Stolen data includes Cisco IOS, NX‑OS, and related SDK source files. Source: SANS Internet Storm Center

📰 Original Source
https://isc.sans.edu/diary/rss/32880

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
