Supply chain attack: Security scanner compromise leads to widespread infostealer and ransomware pivot
ID: 0615537c-a513-5048-a349-2af7713f573e
STIX ID: report--0615537c-a513-5048-a349-2af7713f573e
Feed Name: ThreatLocker Blog
A coordinated supply-chain campaign attributed to the threat actor "TeamPCP" exploited a CI privilege escalation in the aquasecurity/trivy GitHub repository to inject malicious Trivy artifacts that harvested secrets and credentials. The stolen credentials were then used to hijack PyPI and npm accounts (notably LiteLLM) and distribute infostealer payloads (proxy_server.py, litellm_init.pth, sysmon.py) that establish persistence, exfiltrate a wide range of secrets to typosquatted domains, and enable follow-on ransomware activity. The report includes technical analysis, IOCs (hashes, domains, commands, IPs), and mitigation recommendations.
