GitGuardian conducted a quantitative analysis of the PCP Team supply chain attacks that compromised AquaSecurity's trivy-action GitHub Action and the Python litellm package. For trivy-action, they identified 474 repositories (from a sample of 30,353) that executed malicious code during the compromise window of March 19–20, 2026, affecting high-profile organizations including Canonical, Microsoft, and NASA. For litellm, they found 1,705 PyPI packages susceptible to pulling the malicious version, including popular packages like dspy (5M monthly downloads) and, optionally, google-cloud-aiplatform (181M monthly downloads). The analysis provides SHA256 digests of the malicious packages and emphasizes that even indirect or transitive dependencies pose serious risk, including when AI agents or developer experiments run compromised open-source tools.