1K+ cloud environments infected following Trivy supply chain attack

Summary

RSAC 2026 Thousands of organizations' cloud environments have been infected with secret-stealing malware as a result of the Trivy supply-chain attack last week, and now the crims that compromised the open source scanners are working with notorious extortion crews like Lapsus$. "We know of over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat actor," Mandiant Consulting CTO Charles Carmakal said during a Google event on the outskirts of the annual RSA Conference in San Francisco. "That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," he continued. "And we know that these actors are collaborating with a number of other actors right now." These criminals are primarily based in the US, UK, Canada and Western Europe, Carmakal said. They are "known for being exceptionally aggressive with their extortion," he added. "They're very loud, they're very aggressive, and so we're going to end up seeing the impact in the coming days, weeks, and months." According to Wiz, another Google-owned security shop, one of these groups is Lapsus$. "We are seeing a dangerous convergence between supply chain attackers and high-profile extortion groups like Lapsus$," Ben Read, a lead researcher at Wiz, told The Register via email on Tuesday. That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000 In addition to hitting Trivy and open source static analysis tool KICK, the supply chain attack has also trojanized liteLLM, a critical piece of AI middleware present in 36 percent of all cloud environments, according to Wiz. "By moving horizontally across the ecosystem - hitting tools like liteLLM that are present in over a third of cloud environments - they are creating a snowball effect," Reed said. "This isn't an isolated incident. It's a systemic campaign that requires security teams to take action and will likely continue to expand." Acco...