Cisco Source Code Stolen in Trivy-Linked Development Environment Breach



What happened

A Cisco development environment breach led to the theft of source code after threat actors used stolen credentials from the recent Trivy supply chain attack to access internal build and development systems. According to the report, attackers used a malicious GitHub Action plugin tied to the Trivy compromise to steal credentials and data from Cisco’s build environment, affecting dozens of devices, including some developer and lab workstations. Multiple AWS keys were also reportedly stolen and then used for unauthorized activity across a small number of Cisco cloud accounts. The company has reportedly isolated affected systems, started reimaging them, and begun broad credential rotation. More than 300 GitHub repositories were allegedly cloned during the incident, including source code tied to Cisco AI products and unreleased offerings. 

Who is affected

The direct exposure affects Cisco and the source code stored in the repositories cloned during the breach. The report also says a portion of the stolen repositories allegedly belonged to corporate customers, including banks, BPOs, and U.S. government agencies, extending the potential impact beyond Cisco’s own internal codebase. 

Why CISOs should care

This incident matters because it shows how a supply chain compromise in a developer security tool can turn into follow-on access to internal CI/CD environments, cloud accounts, and source code repositories. It is also significant because the reported breach involved stolen credentials, unauthorized AWS activity, and code tied to customer environments as well as Cisco AI products and unreleased projects. 

3 practical actions

  1. Treat build-system credentials as high-impact assets: Prioritize protection and rotation of CI/CD and cloud credentials, since the reported intrusion path relied on credential theft from a compromised development workflow. 
  2. Scope source code exposure beyond internal products: Determine whether cloned repositories include customer-linked code, unreleased products, or sensitive development assets that expand the impact beyond a single engineering environment. 
  3. Watch the wider supply chain fallout: Review exposure to the related Trivy, LiteLLM, and Checkmarx incidents, since the report says Cisco expects continued fallout from those linked supply chain attacks. 
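The first action above is easier to act on with a concrete check. As an added example (not code from the report, Cisco, or the Trivy project), the following Python script scans a GitHub Actions workflow for third-party actions referenced by a mutable tag or branch instead of a full commit SHA, and raises the risk when such a step is also handed a repository secret, the pattern a compromised action can abuse to exfiltrate build credentials. The workflow text, organisation names and commit SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (placeholder org names and commit SHA), not from Cisco or Trivy.
SAMPLE_WORKFLOW = """
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@v1
        with:
          token: ${{ secrets.CLOUD_TOKEN }}
      - uses: ./local-action
      - uses: docker://ghcr.io/example/image:latest
      - name: upload artifacts
        uses: example-org/uploader
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")  # any ${{ secrets.NAME }} expression
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable git ref

def classify_step(step_lines):
    # Returns how the step's action reference is pinned and the resulting risk, or None if no 'uses:'.
    uses = next((m.group(1) for m in map(USES_RE.match, step_lines) if m), None)
    if uses is None:
        return None
    if uses.startswith("./"):
        kind = "local"  # lives in this repository, reviewed with the rest of the code
    elif uses.startswith("docker://"):
        kind = "pinned-digest" if "@sha256:" in uses else "mutable-ref"
    elif "@" not in uses:
        kind = "unpinned"  # resolves to whatever the action's default branch holds today
    else:
        kind = "pinned-sha" if SHA_RE.match(uses.rsplit("@", 1)[1]) else "mutable-ref"
    mutable = kind in ("unpinned", "mutable-ref")
    secret = any(SECRET_RE.search(line) for line in step_lines)
    risk = "high" if mutable and secret else "medium" if mutable else "low"
    return {"uses": uses, "kind": kind, "risk": risk}

def audit_workflow(text):
    # Heuristic line scan, not a YAML parser: each '- key:' list item starts a new step block.
    blocks = re.split(r"(?m)^(?=\s*-\s+\w+:)", text)
    return [c for c in (classify_step(b.splitlines()) for b in blocks) if c]
```

Running `audit_workflow` over the sample flags the two steps that pair a mutable action reference with a secret as high risk; the same scan can be pointed at every file under `.github/workflows/` in a repository.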
