Methodology note. This analysis is based on public incident disclosures, GitHub audit logs, PyPI release history, and community reports published between February 27 and March 24, 2026. We have not independently reproduced the full attack chain in a lab environment. Sections marked with ⚠️ contain speculation based on available evidence.
TL;DR
- A `pull_request_target` misconfiguration in Trivy’s CI (the "Pwn Request" pattern) gave an attacker code execution on a trusted runner that held a write-scoped token and access to organization secrets.
- Non-atomic credential rotation left a residual access window that the attacker exploited.
- 76 GitHub Actions tags were force-pushed simultaneously to point to attacker-controlled commits.
- Runner.Worker process memory was scraped to extract masked secrets from environment variables.
- LiteLLM’s PyPI wheel was backdoored with a post-build injection; a Python `.pth` file, which `site.py` executes at every interpreter start, provided system-wide persistence.
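The two CI failure modes in the first and third bullets (a `pull_request_target` workflow that checks out and runs the pull request head, and action references that follow a mutable tag) can be caught in review before an attacker does. The scanner below is an added example, not code from the original analysis or from the Trivy project; the two workflow files it inspects are constructed for the example, the secret name `RELEASE_TOKEN` is a placeholder, and the 40-hex SHA in the hardened file is a placeholder rather than a real `actions/checkout` commit.

```python
"""Heuristic audit of a GitHub Actions workflow file for two failure modes:

1. The "Pwn Request": `pull_request_target` runs with the base repository's
   write-scoped GITHUB_TOKEN and its secrets. Checking out the pull request head
   (`github.event.pull_request.head.sha` / `.head.ref` / `github.head_ref`) and
   then building or testing it hands the fork's code that privileged runner.
2. Mutable action references: `uses: owner/action@v4` follows a tag, and a tag
   can be force-pushed to an attacker's commit. A full 40-hex commit SHA cannot.

Text-based (no PyYAML dependency) and deliberately conservative: it ignores
`if:` conditions and YAML anchors, so treat its output as a review queue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"\buses:\s*actions/checkout@")
HEAD_REF_RE = re.compile(
    r"\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)\s*\}\}"
)
# `run:` lines that execute code from the checked-out tree (heuristic word list).
EXEC_RE = re.compile(r"\brun:.*\b(?:npm|yarn|pnpm|pip|make|pytest|go|cargo|mvn|gradle)\b")
# `uses: owner/repo[/path]@ref`; local (./...) and docker:// references are skipped.
USES_RE = re.compile(r"\buses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int  # 1-based line number in the workflow file
    message: str


def _key_col(line: str) -> int:
    """Column of the YAML key, skipping indentation and a leading `- ` list marker."""
    return len(line) - len(line.lstrip(" -"))


def pwn_request_findings(text: str) -> list[Finding]:
    """One Finding per checkout of the untrusted PR head in a pull_request_target workflow."""
    if not TRIGGER_RE.search(text):
        return []  # plain `pull_request` from a fork gets a read-only token and no secrets
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.search(line):
            continue
        col = _key_col(line)  # `with:` is a sibling of `uses:` at the same column
        for j in range(i + 1, len(lines)):
            nxt = lines[j]
            if nxt.strip():
                ind = _key_col(nxt)
                if ind < col or (nxt.lstrip().startswith("- ") and ind <= col):
                    break  # dedented or a new `- ` item: the next step begins
            if nxt.lstrip().startswith("ref:") and HEAD_REF_RE.search(nxt):
                findings.append(Finding(j + 1, "checkout of the untrusted PR head under pull_request_target"))
    return findings


def unpinned_actions(text: str) -> list[Finding]:
    """One Finding per third-party action referenced by tag or branch instead of a commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(Finding(n, f"{m.group(1)}@{m.group(2)} is a mutable reference; pin to a commit SHA"))
    return findings


def assess(text: str) -> dict:
    """Summarise one workflow: Pwn Request risk level plus the list of unpinned actions."""
    head_checkouts = pwn_request_findings(text)
    runs_code = bool(EXEC_RE.search(text))
    if not head_checkouts:
        risk = "none"
    elif runs_code:
        risk = "high"    # untrusted code is both checked out and executed with secrets in scope
    else:
        risk = "medium"  # checked out but no obvious build/test step; still review by hand
    return {"risk": risk, "head_checkouts": head_checkouts, "unpinned": unpinned_actions(text)}


# Constructed sample workflows (not taken from any real repository).
VULNERABLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
"""

# Hardened: same trigger, but only trusted base-branch code runs and the action is SHA-pinned.
# The SHA is a placeholder for this example, not a real actions/checkout commit.
HARDENED_WORKFLOW = """\
name: Label PRs
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # default ref = base branch
      - run: ./scripts/label.sh
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = assess(wf)
        print(f"{name}: pwn-request risk={result['risk']}")
        for f in result["head_checkouts"] + result["unpinned"]:
            print(f"  line {f.line}: {f.message}")
```

The hardened file keeps `pull_request_target` because it only labels the PR; the safer split for anything that must build untrusted code is a `pull_request` job with no secrets, followed by a `workflow_run` job that consumes its artifacts.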
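The `.pth` persistence mechanism in the last bullet works because `site.py`, when it processes a `.pth` file in a site-packages directory, treats any line that begins with `import ` (or `import` followed by a tab) as Python code and executes it; every other non-comment line is just a path to append to `sys.path`. The audit below is an added example, not code from the original analysis or from LiteLLM: the three sample `.pth` files are constructed for the example (the setuptools-style line is modelled on the one setuptools ships, so a "review" hit on it is expected), and the base64 string in the constructed backdoor line is only ever written to disk, never decoded or executed.

```python
"""Audit .pth files for the startup-execution hook used for interpreter-wide persistence.

site.addpackage() executes any .pth line starting with 'import ' / 'import\\t' at
every interpreter start (unless Python runs with -S or -I), so a single file
dropped into site-packages survives reinstalls of the package it rode in on.
Files are processed in sorted filename order, which is why backdoors often pick
names like 'zzz_*.pth' to run last or 'aaa_*.pth' to run first.
"""
from __future__ import annotations

import os
import re
import site
import tempfile
from dataclasses import dataclass

# Indicators that an executable .pth line does more than import a helper module.
SUSPICIOUS = re.compile(
    r"\b(?:exec|eval)\s*\(|\bbase64\b|\bmarshal\b|\bzlib\b|\bsubprocess\b|"
    r"os\.system|\bsocket\b|\burllib\b|\bctypes\b"
)


@dataclass
class PthFinding:
    path: str
    line_no: int
    code: str
    severity: str  # "review" (any executable line) or "suspicious" (indicators present)


def executable_lines(pth_path: str):
    """Yield (line_no, code) for the lines site.py would exec() from this .pth file.

    Mirrors site.addpackage(): only lines beginning with 'import ' or 'import\\t'
    are executed; '#' lines are comments and everything else is a sys.path entry.
    """
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if line.startswith(("import ", "import\t")):
                yield n, line


def audit_dir(directory: str) -> list[PthFinding]:
    """Return every executable .pth line under `directory`, in processing order."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        for n, code in executable_lines(path):
            severity = "suspicious" if SUSPICIOUS.search(code) else "review"
            findings.append(PthFinding(path, n, code, severity))
    return findings


def audit_installed() -> list[PthFinding]:
    """Audit every site-packages directory the running interpreter would process."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    user = site.getusersitepackages()
    if site.ENABLE_USER_SITE and os.path.isdir(user):
        dirs.append(user)
    findings = []
    for d in dirs:
        if os.path.isdir(d):
            findings.extend(audit_dir(d))
    return findings


# Constructed sample .pth files (not taken from any real installation).
SAMPLES = {
    # Ordinary .pth: one path per line, nothing is executed.
    "easy-install.pth": "./requests-2.31.0-py3.9.egg\n",
    # Modelled on the executable line setuptools ships: legitimate, but must be reviewed.
    "distutils-precedence.pth": (
        "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'local') == 'local'; "
        "enabled and __import__('_distutils_hack').add_shim(); \n"
    ),
    # Constructed backdoor-style line: decode and exec a payload at every startup.
    # Written to disk only; nothing here decodes or runs it (the string is print('payload')).
    "zzz_helper.pth": "import base64, sys; exec(base64.b64decode('cHJpbnQoJ3BheWxvYWQnKQ=='))\n",
}


def demo() -> list[PthFinding]:
    """Write the constructed samples into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {os.path.basename(f.path)}:{f.line_no}: {f.code[:70]}")
    print(f"{len(audit_installed())} executable .pth line(s) in this interpreter's site-packages")
```

Run `audit_installed()` from the interpreter that actually serves a workload (a venv has its own site-packages) and diff the result against a clean install of the same requirements; a new "review" line from a package that has no reason to hook startup is as important as a "suspicious" one.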
Background
The Pwn Request
Credential Rotation Failure
The 76-Tag Force Push
Runner Memory Scraping
PyPI Wheel Injection
Timeline
| Date | Event |
|---|---|
| 2026-02-27 | Initial Pwn Request submitted to Trivy repository |
| 2026-03-XX | Credential rotation attempt — non-atomic window exploited |
| 2026-03-XX | 76 GitHub Actions tags force-pushed |
| 2026-03-XX | LiteLLM PyPI wheel backdoor published |
| 2026-03-24 | Public disclosure |