In early spring 2026, Cisco got hit hard. What started as a compromise of Trivy, a popular open-source tool developers use to scan containers for vulnerabilities, turned into one of the worst intellectual property breaches the company has ever faced. A group called ShinyHunters, working alongside a lesser-known crew called TeamPCP, made off with over 300 private GitHub repositories, 3 million Salesforce records, and AWS credentials. This is the breakdown of how it happened and what it means.

March 31, 2026: The Ultimatum
The first public sign of trouble came when ShinyHunters updated their dark web blog. They claimed access to Cisco environments tied to UNC6040, Salesforce Aura, and the company’s AWS accounts, and they had receipts: screenshots showing the AWS Management Console for Cisco’s Crosswork Network Controller, complete with hundreds of internal storage volumes. Their deadline: April 3, 2026. Pay up or the data goes public.
How It Started: The Trivy Compromise
On March 19, 2026, attackers got into the Trivy GitHub pipeline and inserted a malicious GitHub Action plugin. From that point on, any organization that updated its CI/CD workflows during that window unknowingly pulled down a cloud credential stealer. A security tool became the attack vector.
The technical side of the operation is attributed to TeamPCP, who built and deployed the “TeamPCP Cloud Stealer” across developer platforms including GitHub, PyPI, NPM, and Docker. They also hit the LiteLLM PyPI package and Checkmarx KICS. Once those fell, the malware spread through trust relationships between tools and organizations. Cisco was the end target.

What Cisco Lost
Three things, roughly in ascending order of how bad they are:
The Salesforce breach exposed 3 million records – employee PII, partner data, and likely some customer information. It points to a weak integration between Cisco’s internal CRM and its cloud applications.
The AWS breach gave attackers keys to a “small number” of Cisco accounts. The screenshots they leaked showed over 100 virtual storage drives, some with hundreds of gigabytes of data, with creation dates as recent as mid-March 2026. They weren’t just in; they’d been in for a while.
The GitHub repositories are probably the most damaging. BleepingComputer confirmed over 300 repos were cloned. Among them: the core code for Cisco’s AI Assistant, the algorithms behind AI Defense (their enterprise threat protection product), and blueprints for unreleased hardware and software. Some of those repos apparently belong to Cisco’s customers – banks, BPOs, US government agencies.

Why the AI Source Code Theft Is Especially Bad
Stealing the code for a defense tool is different from stealing other software. AI products depend on specific logic, training data, and decision heuristics. If you have the code for Cisco’s AI Defense, you can study exactly how it detects threats and build something designed to slip past it. That’s not a vulnerability you can patch. It requires rebuilding the underlying logic from scratch.
Who Is ShinyHunters?
They’ve been around since 2019. Past targets include Microsoft, Tokopedia, and Wattpad. Their playbook doesn’t change: steal a large volume of data, post proof on BreachForums or their own site, set a deadline, and wait. This looks like a financial play, not espionage, though TeamPCP’s motivations are still unclear.
Cisco’s Response
The company is rotating credentials across developer environments, wiping and reimaging workstations suspected of infection, and isolating the affected AWS accounts. That’s the right response. But it doesn’t get the code back. Once a repository is cloned, it’s gone. The question now is what Cisco tells its customers and what comes next legally.
What People Are Asking
Was my personal data stolen? If you’re a Cisco employee or use their Salesforce-integrated services, there’s a reasonable chance your name and email were in those 3 million records.
Is Cisco hardware still safe? The breach hit development environments and cloud services. There’s no evidence yet that router or switch firmware was tampered with, but keep an eye on software updates.
What’s a supply chain attack? You compromise a tool everyone uses. Everyone who updates that tool brings the malware home themselves.
What happens after April 3? If Cisco doesn’t engage, ShinyHunters says they’ll release the data publicly.
What about the government? Cisco provides networking infrastructure to federal agencies. If those configurations were in the stolen repos, that’s a long-term problem that doesn’t have a simple fix.
The Takeaway
The way software gets built today – automated pipelines, shared open-source tools, cloud-native everything – creates a lot of attack surface that most organizations treat as an afterthought. A CI/CD pipeline that touches production credentials deserves the same security attention as the production environment itself. Trivy is a security tool. It scanned for vulnerabilities. And it became one.
Cisco will recover. The code, though, is out. The rest of the industry should be auditing their pipelines right now rather than waiting to see what ShinyHunters does with what they have.
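The mechanism described under "How It Started" and the audit advice in this takeaway both come down to the same check: which third-party actions does a workflow pull in, are they pinned to an immutable commit SHA or to a mutable tag or branch that an attacker who controls the upstream repository can repoint, and does that same workflow hold cloud credentials? The script below is an added example written for this page, not Cisco's tooling or anything from the Trivy project. The workflow it scans is constructed for illustration: aquasecurity/trivy-action is the real name of Trivy's GitHub Action, used here only as a realistic reference, the 40-hex SHA is a placeholder, and some-org/deploy-helper is a made-up action. It uses a line-oriented regex rather than a YAML library so it runs with no dependencies.

```python
"""Audit a GitHub Actions workflow for unpinned third-party actions
that run alongside cloud credentials (added example, not the page's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample workflow: a container scan followed by a deploy step
# that holds AWS secrets. Not any real organization's pipeline.
SAMPLE_WORKFLOW = """\
name: build-and-deploy
on: [push]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/deploy-helper@v1.2.0
      - run: ./deploy.sh
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")           # a 'uses:' step
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
BROAD_PERMS_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")


@dataclass
class Finding:
    line: int       # 1-based line number in the workflow file
    action: str     # owner/repo of the action
    ref: str        # tag, branch or SHA after the '@' ('' if absent)
    reason: str


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per third-party action not pinned to a commit SHA."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or explicit image; out of scope here
        action, _, version = ref.partition("@")
        if not version:
            findings.append(Finding(lineno, action, "",
                                    "no version given; floats to the default branch"))
        elif not SHA_RE.match(version):
            findings.append(Finding(lineno, action, version,
                                    "mutable tag or branch, not a commit SHA"))
    return findings


def secrets_referenced(text: str) -> Set[str]:
    """Names of repository/organization secrets the workflow expands."""
    return set(SECRET_RE.findall(text))


def risk_summary(text: str) -> Dict[str, object]:
    """Combine the checks: an unpinned action next to cloud secrets is the
    exact shape of the Trivy-style credential theft described on this page."""
    findings = audit_workflow(text)
    secrets = sorted(secrets_referenced(text))
    broad = any(BROAD_PERMS_RE.match(l) for l in text.splitlines())
    return {
        "unpinned": len(findings),
        "secrets": secrets,
        "broad_permissions": broad,
        "high_risk": bool(findings) and bool(secrets),
    }


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.reason}")
    print(risk_summary(SAMPLE_WORKFLOW))
```

Run over a real repository by feeding each file under .github/workflows/ to risk_summary; anything reported high_risk is a pipeline where a single upstream re-tag would hand out the credentials it holds. Pinning to a SHA does not help if the SHA itself is the compromised commit, but it closes the window in which an already-published tag is silently swapped, which is the scenario this article describes.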
Based on ongoing reporting. Cisco has not issued a public statement addressing the specific scope of the repository theft.
