Skip to content
Briefings are running a touch slower this week while we rebuild the foundations.See roadmap
Cybersecurity: Threats and Defences
7JUN

UNC6780 takes Cisco AI Defense source code

3 min read
10:08UTC

Google's Threat Intelligence Group named UNC6780 as the cluster that cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense, using SANDCLOCK-stolen credentials from the Trivy supply-chain compromise.

← Back to The 2024 patch that is breaking nowJump to analysis ↓
TechnologyDeveloping
Key takeaway

UNC6780 holds the source code of Cisco's flagship LLM-security product two months after the Google-Wiz close.

Google's Threat Intelligence Group (GTIG), the threat-research arm inside Google Cloud, named UNC6780 on Monday 11 May 2026 as the cluster behind the breach of more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. The cluster, also tracked as TeamPCP, used the SANDCLOCK credential stealer to harvest GitHub tokens exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634). GitHub confirmed an ongoing investigation into the unauthorised access 1 2.

Cisco AI Defense is the vendor's flagship Large Language Model security product, sold to enterprises to protect AI deployments from prompt injection, model theft, and adversarial inputs. Cisco has not publicly confirmed the repository list or the scope of source-code loss; the attribution and the count of 300-plus repositories come from GTIG's published account. The timing matters: the disclosure landed two months after the $32 billion Google-Wiz close priced the LLM-security category as the largest pure-cybersecurity deal of the post-CrowdStrike era .

GTIG's blast-radius comparison places the 2020 SolarWinds Orion theft against this haul. SolarWinds touched roughly 18,000 downstream deployments on a single product line. UNC6780's haul spans AI Defense, AI Assistant, and unreleased work across Cisco's security portfolio. The product-line breadth is therefore an order of magnitude wider than the SolarWinds reference even before per-customer downstream counts are known. UNC6780 sits alongside the FIRESTARTER cluster that turned Cisco edge appliances into persistent federal footholds , now operating against the source-code supply chain rather than the deployed device.

Deep Analysis

In plain English

A hacking group stole the source code of Cisco's security software by first breaking into the scanning tool that Cisco's own developers use to check their code for problems, which handed over the passwords needed to access Cisco's private code libraries.

Deep Analysis
Root Causes

Trivy's role as a universal container-security scanner means it holds CI/CD credentials for the pipelines it audits. A single supply-chain compromise of the scanner yields credential access to every pipeline that trusts it, a structural concentration risk that neither Cisco nor the broader industry had treated as a primary threat surface before CVE-2026-33634.

UNC6780's SANDCLOCK tooling was already in circulation from prior TeamPCP campaigns against SAP npm packages; the March 2026 Trivy CVE gave the cluster a repeatable credential-harvest path into targets that had hardened their own developer endpoints but not their scanner dependencies.

Sources:Google Threat Intelligence Group·SANS Internet Storm Center
Mentions:Mandiant →Cisco →CVE-2023-50224 →YouTube →Google Cloud →FIRESTARTER →Google →SolarWinds →Microsoft →CrowdStrike →Google Threat Intelligence Group (GTIG) →Trivy →Aqua Security →UNC6780 →Cisco AI Assistant →Cisco AI Defense →SANDCLOCK →
First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group· 20 May 2026
Read original
Causes and effects
This Event
UNC6780 takes Cisco AI Defense source code
Cisco's flagship LLM-security product is now in attacker hands as source code. The breach gives a financially motivated cluster the internal architecture of the defensive portfolio a $32bn AI-security M&A market is built on.
Led to
Google closes $32bn Wiz deal; 38 M&A
UNC6780's theft of Cisco AI Defense source code validates the AI-security market risk that the Google-Wiz $32bn close was pricing, shifting diligence from hypothetical to named incident.
Occurred 1 Mar 2026
Read story →
FIRESTARTER implant survives every Cisco firewall patch
The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.
Occurred 24 Apr 2026
Read story →
GitHub's own code cloned via add-on
UNC6780 escalated from cloning 300+ Cisco repositories to breaching GitHub's own internal estate, climbing the supply chain from a vendor's source to the registry operator itself.
Occurred 18 May 2026
Read story →
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.