What started as a supply chain attack on Trivy, a widely used security scanner, has become a Lapsus$-linked extortion campaign, with more than 1,000 enterprise SaaS environments already compromised.
Charles Carmakal, CTO of Mandiant Consulting, made the assessment at a Google-hosted threat briefing held alongside the RSA Conference 2026 in San Francisco on Tuesday.
“We know of over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat campaign,” he said at the event, CyberScoop reported. “That thousand-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000.”
According to the report, he warned that widespread breach disclosures and follow-on attacks would play out over the coming months.
The criminal collaboration behind the attack has also widened. The initial breach was attributed to a cloud-native threat group called TeamPCP, but Mandiant’s response work has revealed that those actors are now channeling stolen access to broader criminal networks, the report added. Lapsus$, a group known for high-profile and aggressive extortion, is among the confirmed collaborators.
Katie Paxton-Fear, staff security advocate at cybersecurity firm Semgrep, warned the group may already be positioned for further strikes. “The attackers may be sitting on many more compromises across the open-source ecosystem, waiting for guards to go down before launching the next,” she said.
Cloud security company Wiz and supply chain security firm Socket have also documented that expansion across multiple fronts.
Widening blast radius
Wiz, in its technical analysis of the attack, found that attackers extended their reach to LiteLLM, a widely used AI middleware library embedded across a significant portion of cloud environments, using credentials stolen during the initial Trivy breach.
Socket, meanwhile, identified a self-replicating worm dubbed CanisterWorm that leveraged stolen npm publish tokens from the same breach to backdoor more than 29 packages across the npm ecosystem.
The attackers have also publicly stated their intent to target additional open-source projects, with Socket reporting messages posted by the group on Telegram taunting the security industry and signaling plans to expand the campaign.
Paxton-Fear noted that the timing of the escalation appeared calculated. “The attackers first gained access to LiteLLM during their attack last week on Trivy, but they didn’t rush to attack while defenders were already on high alert,” she said. “Instead, they sat on their access, waiting until defenders were busy with a major security conference.”
Socket’s threat research team also identified further compromised Trivy artifacts on Docker Hub over the weekend — versions 0.69.5 and 0.69.6 — published without corresponding GitHub releases and carrying the same infostealer payload. Even after removal, Socket found cached copies continued to circulate through the mirror infrastructure, including mirror.gcr.io.
The firm also found that the attackers had defaced Aqua Security’s GitHub organization, renaming all 44 repositories with descriptions reading “TeamPCP Owns Aqua Security,” based on archived snapshots it analyzed.
“The presence of these repositories indicates a deeper level of control over the GitHub organization during the compromise,” Socket wrote in the analysis.
A pattern of persistent access
This is the second compromise affecting the Trivy ecosystem within roughly a month. Socket identified compromised Aqua Trivy VS Code extension releases on OpenVSX in late February, and now trivy-action, Trivy’s official GitHub Action for running scans in CI/CD workflows, has been abused through manipulated version tags to distribute malicious code across pipelines.
“Repeated compromises of the same vendor in a short period suggest a persistent weakness,” said Cory Michal, CSO of SaaS security management company AppOmni. He said the method reflects a broader pattern. Rather than targeting victims individually, attackers compromised the organization behind a trusted supply-chain component and used its GitHub repository and mutable version tags to reach downstream users at scale.
“Many organizations still allow build systems and developers to automatically pull in third-party code from the internet with limited review and too much implicit trust,” Michal said. “Convenience and speed in modern software delivery have outpaced governance.”
Isaac Evans, founder and CEO of Semgrep, said the incident shows how easily broken pipeline trust can be re-exploited. “Defenders need to adopt the same mindset as attackers — continuously probing their own surface and verifying the integrity of their pipelines, rather than relying on static controls or assumed trust,” he said.
As the fallout continues to unfold, Aqua Security and Mandiant are still working to fully contain the damage.
Where things stand
In a Tuesday update, Aqua Security said it has engaged incident response firm Sygnia. Credential revocation and rotation across all environments remain ongoing. The company maintained that its commercial products are architecturally isolated from the compromised open-source environment and remain unaffected.
According to CyberScoop, Mandiant said it has not yet determined how the original credentials were first stolen, and believes the initial theft likely occurred outside the direct victim’s environment, possibly through a business process outsourcer or partner organization.
For AppOmni’s Michal, the incident is a warning that the industry’s approach to third-party code needs to fundamentally change. “Organizations need stronger controls around what external code they allow, how it is approved, how it is pinned, and how changes are monitored before that code is trusted inside production or SaaS-connected environments,” he said.
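The mutable version tags described above for trivy-action are something a pipeline owner can audit for directly. The following Python check is an added example, not code from the article or from any vendor quoted in it: it flags workflow "uses:" references that point at a tag or branch instead of a full 40-character commit SHA. The sample workflow, its tag and SHA values, and the function names are constructed for illustration.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow, e.g.
#   - uses: owner/repo/path@ref   # optional comment
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref_spec):
    """Return 'pinned', 'mutable' or 'local' for one `uses:` value."""
    if ref_spec.startswith("./"):
        return "local"  # action lives in the same repository
    if ref_spec.startswith("docker://"):
        # Container images are immutable only when referenced by digest.
        return "pinned" if "@sha256:" in ref_spec else "mutable"
    _, sep, ref = ref_spec.rpartition("@")
    if not sep:
        return "mutable"  # no ref given at all
    # Tags and branches can be repointed by whoever controls the repo;
    # a full commit SHA cannot.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return [(line_no, uses_value)] for every reference that can be repointed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((no, m.group(1)))
    return findings


# Constructed sample workflow; the tag and SHA values are placeholders.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: aquasecurity/trivy-action@master
      - name: scan image
        uses: aquasecurity/trivy-action@v0.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://example.invalid/scanner:latest
"""

if __name__ == "__main__":
    for no, ref in audit_workflow(SAMPLE):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
```

A SHA pin only fixes which commit runs; the pinned commit itself still has to be reviewed before it is trusted.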