
Cisco source code stolen in Trivy-linked dev environment breach

Why This Matters

The Cisco breach highlights the growing risks of supply chain attacks and the importance of securing development environments. It underscores how cybercriminals can exploit vulnerabilities in widely used tools like Trivy to access sensitive source code and customer data, posing significant threats to both corporate and consumer security. This incident serves as a wake-up call for the tech industry to strengthen supply chain defenses and implement rigorous security measures across development pipelines.

Key Takeaways

Cisco has suffered a cyberattack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers.

A source, who asked to remain anonymous, told BleepingComputer that Cisco's Unified Intelligence Center, CSIRT, and EOC teams contained the breach involving a malicious "GitHub Action plugin" from the recent Trivy compromise.

The attackers used the malicious GitHub Action to steal credentials and data from the company's build and development environment, impacting dozens of devices, including some developer and lab workstations.

While the initial breach has been contained, BleepingComputer was told that the company expects continued fallout from the follow-on LiteLLM and Checkmarx supply chain attacks.

As part of the breach, multiple AWS keys were reportedly stolen and later used to perform unauthorized activities across a small number of Cisco AWS accounts. Cisco has isolated affected systems, begun reimaging them, and is performing wide-scale credential rotation.

BleepingComputer has learned that more than 300 GitHub repositories were also cloned during the incident, including source code for its AI-powered products, such as AI Assistants, AI Defense, and unreleased products.

A portion of the stolen repositories allegedly belongs to corporate customers, including banks, BPOs, and US government agencies.

Multiple sources told BleepingComputer that more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying degrees of activity.

BleepingComputer contacted Cisco with questions regarding the breach, but has not received a reply to our emails.

The Trivy supply chain attack
