Act One: The Trivy Time Bomb

To understand how Cisco’s internal development environment was breached, you need to understand what Trivy is β€” and why attackers chose it as their entry point.

Trivy is an open-source vulnerability scanner built by Aqua Security. It’s wildly popular in the DevSecOps world: developers integrate it into their CI/CD pipelines to automatically scan containers, filesystems, and code repositories for known vulnerabilities. It’s trusted, it’s ubiquitous, and it runs with elevated permissions because it needs to access sensitive build artifacts and scan credentials during pipeline execution.

In other words: it’s exactly the kind of tool an attacker would want to compromise.

On March 19, 2026, the threat group known as TeamPCP executed a sophisticated supply chain attack against Trivy’s GitHub Action repositories. They force-pushed malicious commits to 76 out of 77 version tags β€” essentially overwriting the legitimate code associated with nearly every pinned version of Trivy’s GitHub Actions integration.

The malicious commits contained TeamPCP Cloud Stealer, an infostealer payload. Any organization running a CI/CD pipeline that invoked Trivy via GitHub Actions on that day was silently executing malware alongside their routine vulnerability scans. The scanner ran. The results looked normal. In the background, credentials were being harvested.

This is a textbook supply chain attack β€” exploiting trust in a shared component to reach a massive number of downstream victims simultaneously.

Cisco was one of those victims.

How Cisco Was Breached

The stolen CI/CD credentials harvested from Trivy’s compromise were used to gain entry to Cisco’s internal development environment. From there, the attackers were methodical:

  • 300+ GitHub repositories cloned, including source code for Cisco’s AI-powered product lines
  • Repositories containing code for Cisco AI Assistants and Cisco AI Defense were among those taken
  • Some repositories contained code for unreleased products β€” future product roadmaps effectively in attackers’ hands
  • Critically, some repositories belonged to Cisco’s corporate customers: banks, BPOs, and US government agencies had their code stored in Cisco’s environment
  • Multiple AWS access keys were stolen and used for unauthorized activity across Cisco’s AWS accounts

Cisco confirmed the incident. Their CSIRT (Computer Security Incident Response Team), Unified Intelligence Center, and Emergency Operations Center (EOC) all engaged. Affected systems were isolated, machines were reimaged, and a wide-scale credential rotation was initiated. Multiple threat actors were identified as having varying levels of access β€” suggesting the stolen credentials were shared or sold within criminal communities before or after the initial compromise.

The damage, however, was already done.

Act Two: ShinyHunters’ β€œFINAL WARNING”

While TeamPCP was quietly executing their supply chain operation, a separate attacker β€” or attacker cluster β€” was working Cisco from a completely different angle.

ShinyHunters, one of the most prolific data extortion groups operating today, posted a β€œFINAL WARNING” on their dark web leak site with a deadline of April 3, 2026. Their claim: over 3 million Salesforce records containing personally identifiable information (PII), harvested from Cisco’s Salesforce infrastructure.

The alleged data includes records tied to:

  • FBI (Federal Bureau of Investigation)
  • DHS (Department of Homeland Security)
  • DISA (Defense Information Systems Agency)
  • IRS (Internal Revenue Service)
  • NASA
  • Australian Ministry of Defense
  • Indian government agencies

If verified, the exposure of this data would represent a significant national security concern β€” not just a corporate embarrassment. Government contractors and agencies whose personnel data or operational records are stored in Cisco’s CRM would face serious risks.

How ShinyHunters Got In

ShinyHunters didn’t need a supply chain attack. They exploited something far more mundane: misconfigured Salesforce Experience Cloud (Aura) guest user access controls.

Salesforce Experience Cloud (formerly Community Cloud) allows organizations to create public-facing portals that external users β€” including unauthenticated guests β€” can access. When access controls are misconfigured, guest users can sometimes query data they shouldn’t be able to see. The attackers used AuraInspector, a browser developer tool designed for debugging Salesforce Lightning/Aura components, to enumerate and exploit these misconfigurations.

But the breach didn’t stop there. Two attacker clusters are believed to be involved:

UNC6040: Used vishing (voice phishing) attacks to call Cisco’s support staff, social-engineering them into granting OAuth token access to attacker-controlled applications. This attack vector completely bypasses multi-factor authentication β€” because the victim is granting legitimate OAuth access, not entering a stolen password. It’s not a vulnerability in MFA; it’s a vulnerability in human trust.

UNC6395: Armed with the OAuth tokens harvested by UNC6040, this cluster exfiltrated AWS keys, Snowflake tokens, and other secrets stored within Cisco’s Salesforce environment and connected cloud infrastructure.

The combination of technical exploitation (Aura misconfiguration) and social engineering (vishing + OAuth grant) created a multi-layered attack that defense tools alone couldn’t catch.

The Cascade Effect: Why Government Records Were There

One question that deserves attention: why does Cisco’s Salesforce instance contain FBI, DHS, and NASA records?

The answer is straightforward but uncomfortable. Cisco is one of the largest networking and communications vendors to US federal government agencies. When agencies purchase Cisco products and services, their procurement records, support tickets, contract details, and personnel contact information flow into Cisco’s CRM. Salesforce is Cisco’s CRM. Those government records were there because Cisco is the vendor β€” and vendors store customer data.

This is the cascade effect of enterprise breaches: attackers don’t just get the target company’s data. They get the data of everyone that company does business with. In Cisco’s case, that means some of the most sensitive government agencies in the United States.

The exposure of 3 million records tied to these agencies β€” even if that data is limited to names, emails, and contact details β€” creates a goldmine for spear-phishing operations targeting federal employees, supply-chain social engineering attacks against agency contractors, and foreign intelligence services mapping US government relationships.

A Pattern of Compromise

This breach didn’t happen in a vacuum. Cisco has been under sustained attack for over a year, and the escalation pattern is alarming.

October 2024: IntelBroker claimed to have exfiltrated 4.5 TB of data from Cisco’s DevHub developer portal. Cisco later clarified it was a configuration error that exposed some files β€” not a full production breach. But the incident revealed that Cisco’s developer infrastructure had publicly accessible areas it didn’t intend to expose.

August 2025: A separate CRM breach tied to ShinyHunters-linked actors. Social engineering via vishing was used to access customer relationship data. Sound familiar? The tactics being used against Cisco now mirror what worked then.

December 2025: Akira ransomware operators and nation-state actors were identified targeting Cisco’s infrastructure. The company confirmed it was responding to β€œsophisticated, persistent threat activity.”

March 2026: The Trivy supply chain attack pierces the development environment. ShinyHunters issues their final warning on Salesforce data. Source code for AI products β€” including unreleased ones β€” is in attacker hands.

Related: Cisco has been under sustained attack β€” see our December 2025 coverage: Cisco Under Siege: How Akira Ransomware and Nation-State Actors Are Exploiting America’s Most Critical Network Infrastructure

The progression suggests either that initial access established in earlier incidents was never fully remediated, or that Cisco’s size and complexity makes it a perpetual target that different groups continue to find new ways into. Possibly both.

What Was Actually Taken: The Real Stakes

Let’s be specific about the impact categories, because they vary significantly in severity.

Source Code Exposure

Source code for Cisco AI Assistants and AI Defense is the most strategically sensitive category of loss. AI Defense in particular is a product Cisco sells to enterprises and government agencies to protect their own AI deployments β€” it analyzes prompts, detects jailbreaks, and monitors for data exfiltration through AI systems. Having the source code for a security product means:

  1. Attackers can audit it for vulnerabilities before Cisco patches them
  2. Nation-state actors can understand exactly how the defensive tool works and build evasion techniques
  3. Competitors (or state-sponsored entities acting on behalf of competitors) gain an R&D advantage
  4. Unreleased product code reveals Cisco’s strategic direction, partnerships, and future capabilities

This isn’t just embarrassing β€” it’s a structural advantage handed to adversaries.

Customer Repository Exposure

The fact that corporate customer repositories were stored in Cisco’s environment and cloned by attackers compounds the damage significantly. Banks, business process outsourcers (BPOs), and US government agencies now have their code in unknown hands. Each of those organizations faces downstream risk β€” their proprietary logic, their integration code, their internal systems potentially exposed through no fault of their own.

AWS Credential Abuse

Multiple AWS access keys were stolen and used before Cisco completed its credential rotation. The scope of activity conducted with those keys β€” data accessed, compute resources used, configurations changed β€” is not fully public. AWS environment compromise can enable data exfiltration, backdoor installation, resource hijacking for cryptomining or botnet operations, and persistent access through IAM role manipulation.

Salesforce PII and Government Records

Three million records is a large dataset. Even if the data is primarily contact information, the value to threat actors for phishing, social engineering, and intelligence gathering is substantial. The presence of government agency data elevates this from a corporate breach to a potential national security issue.

TeamPCP: The Supply Chain Specialists

TeamPCP deserves specific attention because they represent a maturing threat that the security industry has been tracking across multiple incidents.

This is the same group responsible for:

  • LiteLLM npm compromise β€” which led to the breach of Mercor, an AI hiring platform
  • Checkmarx KICS β€” another developer security tool, same attack pattern
  • PyPI packages β€” including a Telnyx package using WAV steganography to hide malicious payloads
  • Docker and GitHub repository compromises

The pattern is consistent and deliberate: find a tool that developers trust and that runs with elevated CI/CD permissions, compromise it, harvest credentials from every organization running it, and monetize the access. The developer toolchain is their specialty.

Trivy was a high-value target because of its market penetration. A single GitHub Actions compromise ripples out to thousands of organizations simultaneously.

For developers: See our technical deep-dive on how to detect if your CI/CD pipeline was affected and how to harden against this class of attack: How the Trivy Supply Chain Attack Cracked Cisco: A Developer’s Guide to CI/CD Security

Cisco’s Response

Cisco confirmed the breach and indicated their response teams β€” CSIRT, Unified Intelligence Center, and EOC β€” engaged rapidly. Key response actions include:

  • Isolation of affected systems: Compromised development environment resources were quarantined
  • Reimaging: Affected machines are being rebuilt from clean images
  • Wide-scale credential rotation: All credentials potentially exposed through the Trivy compromise are being rotated
  • Multi-actor investigation: The involvement of multiple threat actors suggests credentials may have been shared or sold, complicating the scope determination

What Cisco has not yet specified publicly: the full scope of customer data affected, whether government agency customers have been individually notified, and what the total number of repositories cloned actually represents in terms of code volume.

The April 3 ShinyHunters deadline adds external pressure to Cisco’s response. Whether the company will negotiate, whether the data will drop regardless of any payment, and whether law enforcement has been engaged are all open questions.

What Organizations Should Do Right Now

If you run Cisco products or are a Cisco customer:

Immediate:

  • Rotate any credentials or API keys you’ve shared with Cisco in support tickets, integration documentation, or CRM interactions
  • Review OAuth applications connected to your Salesforce instance if you use Cisco’s Salesforce-connected tools
  • Check whether any of your code or infrastructure data was stored in Cisco-managed repositories

If you used Trivy GitHub Actions on or around March 19, 2026:

  • Audit your CI/CD pipeline logs for that date
  • Rotate all secrets, tokens, and credentials that were available to your pipeline environment
  • Check for unauthorized access to cloud accounts using credentials that were present in those pipelines
  • Review any AWS CloudTrail or equivalent logs for anomalous activity

General supply chain hygiene:

  • Pin GitHub Actions to specific commit SHAs rather than version tags (tags can be moved, as this attack demonstrated)
  • Implement OIDC for cloud provider authentication instead of long-lived access keys
  • Review what permissions your CI/CD jobs request and apply least-privilege principles

The Bigger Picture

The Cisco breach of March 2026 illustrates two distinct threat vectors that security teams must defend against simultaneously: supply chain compromise through developer tooling, and social engineering attacks that bypass technical controls entirely.

ShinyHunters’ vishing operation didn’t defeat any technical security measure. It called a human on the phone and asked them for access. The human complied. No firewall was breached. No vulnerability was exploited. The β€œattack” was a conversation.

TeamPCP’s Trivy operation was the opposite β€” pure technical execution. They didn’t need to talk to anyone at Cisco. They compromised a shared dependency, waited for Cisco’s automation to pull in the malicious version, and harvested what came back.

Both attacks worked.

The April 3 deadline comes and goes, but the effects of this breach will linger for months or years: in competitive intelligence that adversaries now hold, in the security debt created by exposed source code, and in the unanswered questions about what was done with Cisco’s stolen AWS access before the credentials were rotated.

Cisco is not uniquely at fault here. Any organization of sufficient size and complexity becomes a target of this caliber. But the pattern of recurring breaches β€” from IntelBroker in 2024 to ShinyHunters in 2025 to TeamPCP and ShinyHunters again in 2026 β€” raises legitimate questions about whether lessons from earlier incidents were fully absorbed and acted upon.

The networking giant’s security posture will be under scrutiny for some time to come.

Sources: BleepingComputer, CyberSecurityNews, AppOmni AO Labs