Three hundred private repositories. AWS keys. Source code for AI products Cisco hadn't even announced yet. Three million Salesforce records containing data from the FBI, DHS, NASA, and the Australian Ministry of Defence. And a countdown that ends April third.
The question we left open
On March 19, TeamPCP rewrote 76 of 77 tags on trivy-action, the GitHub Action wrapper for Trivy, one of the most widely deployed vulnerability scanners in the ecosystem. CVE-2026-33634. CVSS 9.4. Every CI/CD pipeline that pulled the action by one of those tags that day silently executed a credential stealer that dumped runner memory: SSH keys, Kubernetes tokens, cloud credentials, environment variables. Packaged. Exfiltrated.
We documented the full campaign. Eight phases. Five registries. Thirty-three days. One group.
The question left open at the end of that piece: who was the biggest victim?
On March 31, BleepingComputer published the answer. Cisco Systems. The company that sells network security to the Fortune 500. The company whose flagship product line includes "AI Defense." The company whose 2026 tagline is literally "The bridge to possible."
The bridge collapsed.
What the scanner found
Cisco's CI/CD pipeline ran Trivy. On March 19, Trivy ran Cisco.
TeamPCP's credential stealer, documented by CrowdStrike as "TeamPCP Cloud Stealer", dumped the memory of the CI/CD runner. It didn't search for specific files. It harvested everything it could reach: process memory, environment variables, the ephemeral access keys a job holds while it runs. The digital equivalent of emptying an entire office into a garbage bag.
In Cisco's case, the bag was full.
Over 300 private GitHub repositories were cloned using credentials stolen from the pipeline. Source code for AI Assistants. Source code for AI Defense — the tool Cisco sells to protect AI infrastructure. Source code for products that hadn't been publicly announced.
Multiple AWS access keys were stolen and used for unauthorized activity across Cisco accounts. Dozens of developer and lab workstations compromised. And what makes this incident particularly corrosive: client source code — from banks, BPOs, and United States government agencies — stored in Cisco's repos as part of integration contracts.
Cisco didn't just lose its own secrets. It lost its customers' secrets.
ShinyHunters smells blood
As if TeamPCP weren't enough, another group noticed the wound.
ShinyHunters — also tracked as UNC6040 and UNC6395 — claimed three separate attack vectors against Cisco in the following weeks:
First: Salesforce CRM, via voice phishing. Phone calls to Cisco employees, talking them into authorizing a connected app. The OAuth token that app receives is what the attacker then uses to pull data through the API. Old and effective.
Second: Salesforce Aura, the component framework behind Experience Cloud sites, via misconfigured guest user access controls. When a site's guest user profile grants object or field access it shouldn't, Aura endpoints hand records to unauthenticated callers. An open-source tool called AuraInspector was enough to enumerate what was exposed.
Third: AWS environments. This is where the two stories intersect. If AWS keys were stolen via trivy-action on March 19, and ShinyHunters used AWS access in the following weeks, did they buy credentials from the same harvest? Did they find them in the 300GB of compressed credentials that Mandiant estimated were stolen in the TeamPCP campaign?
Nobody has confirmed the connection. But the timing is surgical.
The combined haul: over three million Salesforce records containing personally identifiable information for personnel from the FBI, DHS, DISA, IRS, NASA, the Australian Ministry of Defence, and Indian government agencies.
On March 31, ShinyHunters posted a "FINAL WARNING" on their leak site. Deadline: April 3, 2026. Cisco responds or the data goes public.
Cisco has not issued a public response.
The documented cascade
This is not speculation about supply chain risk. This is supply chain risk materialized into a textbook example.
A stolen PAT from a GitHub bot → 76 rewritten Trivy tags → globally poisoned CI/CD pipelines → exfiltrated Cisco credentials → 300+ cloned repos → stolen AI source code → compromised government client data. And possibly: credentials on the black market → ShinyHunters attacking Salesforce → three million records from federal agencies → public extortion.
From a single stolen token to FBI records.
GitGuardian documented the fan-out ratio for this campaign: 474 compromised public repos as a lower bound. Cisco proves that the upper bound — the private repos, the ones that don't show up in any GitHub search — is where the real damage lived.
And this is just one victim. Mandiant estimates between 1,000 and 10,000 SaaS environments were compromised. Cisco was big enough to make the news. How many smaller companies lost their repos, their keys, their client data — and still don't know?
The irony is the product
Cisco AI Defense is a product that monitors and protects AI applications against supply chain attacks, prompt injection, and model poisoning. Its marketing copy reads: "Secure AI by design."
The source code for that product was stolen because a vulnerability scanner in Cisco's CI/CD pipeline was compromised by a group operating from a Telegram channel.
The tool designed to protect AI was stolen by the exact class of attack it claims to prevent.
And this isn't the first time. In October 2024, IntelBroker downloaded 4.5 TB from Cisco's DevHub portal — source code for Catalyst, IOS, WebEx, SASE — because a data migration script was misconfigured. Cisco confirmed the data was authentic. Said the root cause was "a configuration error." Said it wouldn't enable future breaches.
Seventeen months later, a configuration — a mutable GitHub tag — enabled a larger one.
Blame in three layers
The perpetrators: TeamPCP. A criminal group that discovered security tools are the perfect attack vector because they run with broad privileges inside the pipeline and almost nobody pins or audits them. ShinyHunters. An extortion group that found the door open, or bought the key.
The enablers: GitHub, whose action tags remain mutable references that an upstream can repoint at will, with no transparency log that would make a rewrite visible to consumers, weeks after CVE-2026-33634 showed what that costs. Cisco, whose CI/CD pipeline referenced the action by tag instead of pinning to a commit SHA. And Cisco again, whose Salesforce instance had misconfigured guest access in 2026.
The system: A trust model where security tools receive total access to an organization's secrets as a functional requirement, and where integrity verification of those tools is optional. A model that trusts the scanner is safe because it's the scanner.
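Two checks would have turned the mutable-tag problem above into a visible finding: flagging every `uses:` reference in a workflow that is not pinned to a full commit SHA, and diffing a recorded snapshot of an action's tags against what the remote reports now, so a tag that points at a different commit than it did last week shows up as a rewrite rather than a release. The block below is an added example, not code from the original post, Cisco, GitHub or the Trivy project. The sample workflow and the `git ls-remote --tags` output are constructed, and the 40-hex values are placeholder commit ids, not real commits.

```python
"""Audit GitHub Actions `uses:` references and detect tag rewrites.

Added example; not code from the original post, Cisco, GitHub or Trivy.
The workflow text and ls-remote output below are constructed samples.
"""
import re
from dataclasses import dataclass

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)', re.M)
SHA40_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    ref: str
    kind: str   # sha | mutable | unversioned | local | docker
    note: str


def classify(ref: str) -> Finding:
    """Classify one `uses:` reference by how freely an upstream can change it."""
    if ref.startswith('./'):
        return Finding(ref, 'local', 'repository-local action, versioned with this repo')
    if ref.startswith('docker://'):
        pinned = '@sha256:' in ref
        return Finding(ref, 'sha' if pinned else 'mutable',
                       'image pinned by digest' if pinned else 'image tag; pin by @sha256 digest')
    if '@' not in ref:
        return Finding(ref, 'unversioned', 'no ref: resolves to the default branch at run time')
    _, version = ref.rsplit('@', 1)
    if SHA40_RE.fullmatch(version):
        return Finding(ref, 'sha', 'pinned to an immutable commit')
    return Finding(ref, 'mutable',
                   f'tag or branch "{version}" can be repointed by whoever holds the upstream credentials')


def audit(workflow_yaml: str) -> list[Finding]:
    return [classify(m.group(1)) for m in USES_RE.finditer(workflow_yaml)]


def mutable_refs(workflow_yaml: str) -> list[str]:
    """Refs that would silently pick up a rewritten tag on the next run."""
    return [f.ref for f in audit(workflow_yaml) if f.kind in ('mutable', 'unversioned')]


def parse_ls_remote(text: str) -> dict[str, str]:
    """Parse `git ls-remote --tags <url>` output into {tag: commit_sha}.

    Annotated tags appear twice; the `^{}` line carries the peeled commit,
    which is what the runner actually checks out, so it wins.
    """
    tags: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split('\t', 1)
        if not ref.startswith('refs/tags/'):
            continue
        name = ref[len('refs/tags/'):]
        if name.endswith('^{}'):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def tag_drift(before: dict[str, str], after: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Tags present in both snapshots whose commit changed: a rewrite, not a new release."""
    return {t: (before[t], after[t]) for t in before if t in after and before[t] != after[t]}


# Constructed sample workflow: only the local action is immune to an upstream rewrite.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Vulnerability scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: ./.github/actions/notify
      - uses: docker://alpine:3.20
      - uses: example-org/example-action
"""

# Constructed ls-remote snapshots; placeholder commit ids, not real commits.
PIN_A, PIN_B, PIN_C = '1' * 40, '2' * 40, '3' * 40
BEFORE = f"{PIN_A}\trefs/tags/0.28.0\n{PIN_B}\trefs/tags/0.27.0\n"
AFTER = (f"{'c' * 40}\trefs/tags/0.28.0\n{PIN_C}\trefs/tags/0.28.0^{{}}\n"
         f"{PIN_B}\trefs/tags/0.27.0\n")

if __name__ == '__main__':
    for f in audit(SAMPLE_WORKFLOW):
        print(f'{f.kind:12} {f.ref:45} {f.note}')
    for tag, (old, new) in tag_drift(parse_ls_remote(BEFORE), parse_ls_remote(AFTER)).items():
        print(f'TAG REWRITTEN: {tag} {old[:12]} -> {new[:12]}')
```

Run the tag-drift half on a real repository by feeding it the output of `git ls-remote --tags https://github.com/<owner>/<action>` captured on two dates; a release adds tags, a compromise changes the commit behind existing ones. The pin check treats `v4`, `0.28.0` and a bare branch name identically, because to the runner they are the same thing: a name someone else controls.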
Cisco sells AI protection. Its AI source code was stolen through a compromised vulnerability scanner in its own pipeline, and its government clients' data is hours from publication by someone who may have purchased the keys at the same credential marketplace. The question isn't who protects the protectors. The question is why anyone still believes the protectors protect themselves.