Cyber Incident Victim: Cisco

Date:

Mar 2026

Location:

United States of America

Summary

Cisco experienced a breach when attackers used stolen credentials from a compromised Trivy vulnerability scanner to inject a malicious GitHub Action plugin into its development environment, exfiltrating source code for internal and customer projects, cloning over three hundred repositories, and extracting AWS keys that were later misused. The company isolated affected systems, began reimaging workstations, and initiated broad credential rotation while noting ongoing repercussions from related LiteLLM and Checkmarx supply chain incidents.

Description

The Trivy vulnerability scanner supply chain attack compromised the project's GitHub pipeline to distribute credential-stealing malware through official releases and GitHub Actions. Attackers used stolen credentials from that Trivy compromise to breach Cisco's internal development environment. They deployed a malicious GitHub Action plugin to steal credentials and data from Cisco's build and development environment. The intrusion impacted dozens of devices, including developer and lab workstations. During the incident, more than 300 GitHub repositories were cloned. The cloned repositories included source code for Cisco's AI-powered products such as AI Assistants and AI Defense, as well as unreleased products. A portion of the stolen repositories allegedly belonged to corporate customers, including banks, business process outsourcing firms, and US government agencies. Multiple AWS keys were reportedly stolen and later used to perform unauthorized activities across a small number of Cisco AWS accounts.

Cisco's Unified Intelligence Center, CSIRT, and EOC teams contained the breach. The company isolated affected systems, began reimaging them, and initiated wide-scale credential rotation. While the initial breach has been contained, Cisco expects continued fallout from follow-on supply chain attacks involving LiteLLM and Checkmarx. Multiple sources indicated that more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity. BleepingComputer contacted Cisco for comment regarding the incident but did not receive a reply to its emails.
