The Trivy Supply Chain Attack Reached LiteLLM (grith.ai)
3 points by edf13 37 days ago | hide | past | favorite | 1 comment


Author here. The point of this post is not “LiteLLM was compromised” since that was already covered on HN, but the chain behind it.

We tried to connect the February 27, 2026 Trivy CI compromise to the later Trivy release/tag issues, the trivy-action poisoning, the npm/Checkmarx follow-on activity, and finally the LiteLLM 1.82.7/1.82.8 package on March 24, 2026!

What made it look like one campaign to us was the repeated overlap in operator attribution, payload structure, and artifacts like tpcp.tar.gz, plus the LiteLLM maintainer saying it appears to have come from Trivy in their CI/CD.

If anyone spots gaps or overreach in the timeline, I’d be interested in corrections.
