UNC6780

UNC6780, also tracked as TeamPCP, emerged as the central actor of the 11 May 2026 GTIG threat report. The cluster used the SANDCLOCK credential stealer to harvest GitHub tokens and AWS keys exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634), then cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. GitHub confirmed an investigation into the unauthorised access. UNC6780 also exploited LiteLLM CVE-2026-42208 within 36 hours of CISA's KEV addition on 8 May 2026, compressing the typical enterprise patch window by roughly 85 per cent and pulling credentials from BerriAI's commercial infrastructure.

The cluster operates the SANDCLOCK credential-stealer toolchain, which had previously been used in attacks on SAP npm packages. The Trivy pivot is a second-order supply-chain technique: rather than targeting developer endpoints directly, UNC6780 compromised the scanner tooling that audited those endpoints, yielding credentials across Cisco's entire CI/CD pipeline. The same SANDCLOCK-stolen credentials served three distinct targets in weeks: Trivy, LiteLLM and BerriAI, and Cisco's GitHub estate.

UNC6780's haul gives a financially motivated cluster the internal architecture of Cisco's LLM-security product portfolio. The blast radius in product-line breadth is roughly 30 times the SolarWinds Orion reference before per-customer downstream counts are known. The cluster is distinct from the state-attributed Flax Typhoon and FIRESTARTER campaigns against Cisco edge devices, though the coincidence of source-code visibility into Cisco's defensive products and the active CVE exploitation cycle on Cisco SD-WAN raises an unanswered forward question about the next exploit generation.