20MAY

UNC6780 takes Cisco AI Defense source code

3 min read

09:58UTC

Google's Threat Intelligence Group named UNC6780 as the cluster that cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense, using SANDCLOCK-stolen credentials from the Trivy supply-chain compromise.

← Back to AI joins the breach column on both sides Jump to analysis ↓

TechnologyDeveloping

Key takeaway

UNC6780 holds the source code of Cisco's flagship LLM-security product two months after the Google-Wiz close.

Google's Threat Intelligence Group (GTIG), the threat-research arm inside Google Cloud, named UNC6780 on Monday 11 May 2026 as the cluster behind the breach of more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. The cluster, also tracked as TeamPCP, used the SANDCLOCK credential stealer to harvest GitHub tokens exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634). GitHub confirmed an ongoing investigation into the unauthorised access ¹ ².

Cisco AI Defense is the vendor's flagship Large Language Model security product, sold to enterprises to protect AI deployments from prompt injection, model theft, and adversarial inputs. Cisco has not publicly confirmed the repository list or the scope of source-code loss; the attribution and the count of 300-plus repositories come from GTIG's published account. The timing matters: the disclosure landed two months after the $32 billion Google-Wiz close priced the LLM-security category as the largest pure-cybersecurity deal of the post-CrowdStrike era .

GTIG's blast-radius comparison places the 2020 SolarWinds Orion theft against this haul. SolarWinds touched roughly 18,000 downstream deployments on a single product line. UNC6780's haul spans AI Defense, AI Assistant, and unreleased work across Cisco's security portfolio. The product-line breadth is therefore an order of magnitude wider than the SolarWinds reference even before per-customer downstream counts are known. UNC6780 sits alongside the FIRESTARTER cluster that turned Cisco edge appliances into persistent federal footholds , now operating against the source-code supply chain rather than the deployed device.

Deep Analysis

In plain English

A hacking group stole the source code of Cisco's security software by first breaking into the scanning tool that Cisco's own developers use to check their code for problems, which handed over the passwords needed to access Cisco's private code libraries.

Deep Analysis

Root Causes

Trivy's role as a universal container-security scanner means it holds CI/CD credentials for the pipelines it audits. A single supply-chain compromise of the scanner yields credential access to every pipeline that trusts it, a structural concentration risk that neither Cisco nor the broader industry had treated as a primary threat surface before CVE-2026-33634.

UNC6780's SANDCLOCK tooling was already in circulation from prior TeamPCP campaigns against SAP npm packages ; the March 2026 Trivy CVE gave the cluster a repeatable credential-harvest path into targets that had hardened their own developer endpoints but not their scanner dependencies.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The December 2020 SolarWinds SUNBURST operation (ID:2912), where UNC2452 compromised the Orion build pipeline and shipped a backdoored update to roughly 18,000 organisations. The structural mechanism matches: rather than attacking the end product, the actor seeded the tooling that built or audited it. SANDCLOCK's Trivy pivot follows the same upstream-injection logic.

Counter-parallel: Lapsus$'s March 2022 theft of Microsoft Bing and Cortana source code via a compromised contractor credential produced no known weaponised variant and had limited operational fallout. Large source-code hauls do not automatically translate into exploit capability, particularly for products where the detection logic runs on cloud infrastructure the attacker cannot access.

Consensus view: Google's Threat Intelligence Group and Mandiant assess that UNC6780's Trivy supply-chain pivot represents a maturation of TeamPCP operations: rather than targeting individual developer credentials, the cluster compromised the scanner tooling used to audit those credentials, achieving a second-order credential harvest across Cisco's entire CI pipeline.

Counter-view: Cisco has not publicly confirmed the full repository list or the volume of source-code loss, and the 300-plus figure comes from GTIG's own account rather than Cisco's disclosure. Security researchers at Aqua Security, who maintain Trivy, have not published their own scope assessment; the blast radius remains GTIG-attested rather than vendor-confirmed.

Key tension: Whether the source-code theft materially accelerates adversary capability against Cisco AI Defense deployments depends on how closely the product's on-premises detection logic mirrors its cloud-hosted equivalent, which Cisco has not disclosed.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group· 20 May 2026

Read original →

Causes and effects

This Event

UNC6780 takes Cisco AI Defense source code

Cisco's flagship LLM-security product is now in attacker hands as source code. The breach gives a financially motivated cluster the internal architecture of the defensive portfolio a $32bn AI-security M&A market is built on.

Led to

Google closes $32bn Wiz deal; 38 M&A

UNC6780's theft of Cisco AI Defense source code validates the AI-security market risk that the Google-Wiz $32bn close was pricing, shifting diligence from hypothetical to named incident.

Occurred 1 Mar 2026

Read story →

FIRESTARTER implant survives every Cisco firewall patch

The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.

Occurred 24 Apr 2026

Read story →

Different Perspectives

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Google Threat Intelligence Group

GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.

NCSC

The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.

Microsoft Security Response Center

The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.

CISA

CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.