Attackers allegedly exploited a malicious GitHub Action to breach Cisco, steal credentials, clone repositories, and access customer-linked AWS systems.

Cisco reportedly suffered a cyberattack after threat actors breached the company's internal development environment and stole source code associated with both Cisco and its customers. According to recent reports, Cisco's Unified Intelligence Center, CSIRT and EOC teams contained the breach after the malicious activity was traced to a compromised GitHub Action plugin connected to the Trivy incident.

According to claims, the attackers stole credentials and data from Cisco's build and development systems via the malicious GitHub Action. Numerous devices, including lab workstations and development systems, were allegedly impacted by the hack. The incident apparently involved the theft of several AWS keys, which were then used to perform unauthorized actions on a small number of Cisco AWS accounts. In response, Cisco reportedly isolated vulnerable systems, began reimaging impacted devices and launched a widespread credential rotation operation.

More than 300 GitHub repositories were cloned during the incident, according to the report. Source code for Cisco's AI-powered products, including AI Assistants, AI Defense and other unreleased products, was allegedly included in these repositories. Code from Cisco's enterprise customers, such as financial institutions, BPOs and US government agencies, is also thought to be included in some of the pilfered repositories.

The breach is thought to be related to the larger Trivy supply chain attack, in which threat actors gained access to the project's GitHub pipeline and used GitHub Actions and official releases to spread malware that steals credentials. The TeamPCP threat group, which has also been connected to attacks involving GitHub, PyPI, NPM, Docker, LiteLLM and Checkmarx, has been linked by researchers to the larger campaign.
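The attack chain described above relies on a GitHub Action reference that can be silently re-pointed at malicious code. One defensive check a practitioner would want is an audit of workflow files for `uses:` references that are not pinned to a full commit SHA, since a tag or branch name can be moved by whoever controls the action's repository while a 40-character SHA cannot. The script below is an added example written for this article; it is not code from Cisco, Trivy or the report's authors. The workflow text, the action names and the commit SHA in it are constructed for illustration and do not refer to any real project.

```python
import re

# Constructed sample workflow (not Cisco's or Trivy's real workflow). It mixes
# SHA-pinned, tag-pinned, branch-pinned, local and docker:// references so the
# checker exercises every case it distinguishes.
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
      - uses: some-org/scanner-action@v0.20.0
      - uses: some-org/scanner-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: make build
"""

# Matches "uses: <ref>" as a list item or a bare key; the ref stops at whitespace
# or at a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex-digit commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify one uses: reference.

    Returns 'pinned' (full commit SHA), 'local' (checked-in action in this
    repository), 'docker' (image reference, reviewed separately) or 'mutable'
    (tag, branch or no version at all, i.e. re-pointable by the action owner).
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"  # no version: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_mutable_actions(workflow_text):
    """Return [(line_number, reference)] for every action that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_uses(ref) == "mutable":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_mutable_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run against the constructed workflow, the check flags the two `some-org/scanner-action` references (tag `v0.20.0` and branch `main`) and accepts the SHA-pinned checkout step. SHA pinning only prevents an existing reference from being re-pointed; it does not help if the pinned commit was already malicious when it was adopted, so the check belongs alongside review of what each pinned commit contains and, as the article's account of stolen AWS keys shows, alongside short-lived credentials in the build environment so that anything exfiltrated from a runner expires quickly.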

Business Fortune therefore takes the view that the breach highlights the rising risk of software supply chain attacks.