29MAY

UNC6780 takes Cisco AI Defense source code

3 min read

14:17UTC

Google's Threat Intelligence Group named UNC6780 as the cluster that cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense, using SANDCLOCK-stolen credentials from the Trivy supply-chain compromise.

← Back to GitHub's own code cloned via VS Code add-on Jump to analysis ↓

TechnologyDeveloping

Key takeaway

UNC6780 holds the source code of Cisco's flagship LLM-security product two months after the Google-Wiz close.

Google's Threat Intelligence Group (GTIG), the threat-research arm inside Google Cloud, named UNC6780 on Monday 11 May 2026 as the cluster behind the breach of more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. The cluster, also tracked as TeamPCP, used the SANDCLOCK credential stealer to harvest GitHub tokens exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634). GitHub confirmed an ongoing investigation into the unauthorised access ¹ ².

Cisco AI Defense is the vendor's flagship Large Language Model security product, sold to enterprises to protect AI deployments from prompt injection, model theft, and adversarial inputs. Cisco has not publicly confirmed the repository list or the scope of source-code loss; the attribution and the count of 300-plus repositories come from GTIG's published account. The timing matters: the disclosure landed two months after the $32 billion Google-Wiz close priced the LLM-security category as the largest pure-cybersecurity deal of the post-CrowdStrike era .

GTIG's blast-radius comparison places the 2020 SolarWinds Orion theft against this haul. SolarWinds touched roughly 18,000 downstream deployments on a single product line. UNC6780's haul spans AI Defense, AI Assistant, and unreleased work across Cisco's security portfolio. The product-line breadth is therefore an order of magnitude wider than the SolarWinds reference even before per-customer downstream counts are known. UNC6780 sits alongside the FIRESTARTER cluster that turned Cisco edge appliances into persistent federal footholds , now operating against the source-code supply chain rather than the deployed device.

Deep Analysis

In plain English

A hacking group stole the source code of Cisco's security software by first breaking into the scanning tool that Cisco's own developers use to check their code for problems, which handed over the passwords needed to access Cisco's private code libraries.

Deep Analysis

Root Causes

Trivy's role as a universal container-security scanner means it holds CI/CD credentials for the pipelines it audits. A single supply-chain compromise of the scanner yields credential access to every pipeline that trusts it, a structural concentration risk that neither Cisco nor the broader industry had treated as a primary threat surface before CVE-2026-33634.

UNC6780's SANDCLOCK tooling was already in circulation from prior TeamPCP campaigns against SAP npm packages ; the March 2026 Trivy CVE gave the cluster a repeatable credential-harvest path into targets that had hardened their own developer endpoints but not their scanner dependencies.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The December 2020 SolarWinds SUNBURST operation (ID:2912), where UNC2452 compromised the Orion build pipeline and shipped a backdoored update to roughly 18,000 organisations. The structural mechanism matches: rather than attacking the end product, the actor seeded the tooling that built or audited it. SANDCLOCK's Trivy pivot follows the same upstream-injection logic.

Counter-parallel: Lapsus$'s March 2022 theft of Microsoft Bing and Cortana source code via a compromised contractor credential produced no known weaponised variant and had limited operational fallout. Large source-code hauls do not automatically translate into exploit capability, particularly for products where the detection logic runs on cloud infrastructure the attacker cannot access.

Consensus view: Google's Threat Intelligence Group and Mandiant assess that UNC6780's Trivy supply-chain pivot represents a maturation of TeamPCP operations: rather than targeting individual developer credentials, the cluster compromised the scanner tooling used to audit those credentials, achieving a second-order credential harvest across Cisco's entire CI pipeline.

Counter-view: Cisco has not publicly confirmed the full repository list or the volume of source-code loss, and the 300-plus figure comes from GTIG's own account rather than Cisco's disclosure. Security researchers at Aqua Security, who maintain Trivy, have not published their own scope assessment; the blast radius remains GTIG-attested rather than vendor-confirmed.

Key tension: Whether the source-code theft materially accelerates adversary capability against Cisco AI Defense deployments depends on how closely the product's on-premises detection logic mirrors its cloud-hosted equivalent, which Cisco has not disclosed.

Sources:Google Threat Intelligence Group·SANS Internet Storm Center

Mentions:Mandiant →Cisco →CVE-2023-50224 →YouTube →Google Cloud →FIRESTARTER →Google →SolarWinds →Microsoft →CrowdStrike →Google Threat Intelligence Group (GTIG) →Trivy →Aqua Security →UNC6780 →Cisco AI Assistant →Cisco AI Defense →SANDCLOCK →

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group· 20 May 2026

Read original →

Causes and effects

This Event

UNC6780 takes Cisco AI Defense source code

Cisco's flagship LLM-security product is now in attacker hands as source code. The breach gives a financially motivated cluster the internal architecture of the defensive portfolio a $32bn AI-security M&A market is built on.

Led to

Google closes $32bn Wiz deal; 38 M&A

UNC6780's theft of Cisco AI Defense source code validates the AI-security market risk that the Google-Wiz $32bn close was pricing, shifting diligence from hypothetical to named incident.

Occurred 1 Mar 2026

Read story →

FIRESTARTER implant survives every Cisco firewall patch

The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.

Occurred 24 Apr 2026

Read story →

GitHub's own code cloned via add-on

UNC6780 escalated from cloning 300+ Cisco repositories to breaching GitHub's own internal estate, climbing the supply chain from a vendor's source to the registry operator itself.

Occurred 18 May 2026

Read story →

Different Perspectives

Google Threat Intelligence Group

GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community

For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government

DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft

GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.