Cisco Faces Alleged Data Leak as ShinyHunters Claims Responsibility

Cisco is actively dealing with a major cybersecurity incident after threat actors breached its internal development networks.

The notorious hacking group ShinyHunters has claimed responsibility for the attack, alleging they stole sensitive source code and data affecting Cisco, Salesforce, Aura, and various AWS storage buckets.

The breach stems from a recent supply chain attack involving Trivy, a popular vulnerability scanner.

Hackers used a malicious GitHub Action plugin tied to the Trivy compromise to steal credentials. This allowed them to bypass security and enter Cisco’s internal build environments.

Once inside, the attackers compromised dozens of devices, including lab workstations and developer computers.

This initial foothold gave them direct access to highly sensitive corporate and customer data.

Stolen AWS Keys and Source Code

The impact of this data leak is severe and far-reaching. The attackers successfully stole multiple Amazon Web Services (AWS) keys, using them to perform unauthorized actions within Cisco’s cloud accounts, as reported by Alvieri D.

Furthermore, the hackers cloned over 300 of Cisco’s private GitHub repositories. These stolen files contain source code for unreleased tools and cutting-edge products, including the company’s AI Assistants and AI Defense technologies.

Worse, some of the stolen repositories allegedly belong to Cisco’s corporate clients, potentially exposing sensitive data from major banks, business process outsourcing (BPO) firms, and United States government agencies.

Warning (Source: Twitter)
Warning (Source: Twitter)

Cisco’s internal security teams, including its Unified Intelligence Center, CSIRT, and EOC—quickly stepped in to contain the initial intrusion.

The company isolated the affected systems, started wiping and reinstalling compromised machines, and enforced a massive reset of employee credentials to lock the attackers out.

Despite these rapid containment efforts, the company has not yet released a public statement regarding the breach.

Internal sources indicate that Cisco expects continued complications from this incident.

Multiple threat actors were involved in this breach, with varying levels of access.

While ShinyHunters is loudly claiming the spotlight for the data theft, security researchers have linked the underlying Trivy supply chain attack to a separate group known as TeamPCP.

This group uses custom malware called “TeamPCP Cloud Stealer” to hijack developer platforms like Docker, NPM, and PyPi.

Because TeamPCP is also responsible for recent breaches involving the LiteLLM and Checkmarx projects, Cisco is actively preparing for potential secondary attacks stemming from these related vulnerabilities.

Related Articles

Back to top button