14JUN

UNC6780 takes Cisco AI Defense source code

3 min read

11:51UTC

Google's Threat Intelligence Group named UNC6780 as the cluster that cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense, using SANDCLOCK-stolen credentials from the Trivy supply-chain compromise.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

UNC6780 holds the source code of Cisco's flagship LLM-security product two months after the Google-Wiz close.

Google's Threat Intelligence Group (GTIG), the threat-research arm inside Google Cloud, named UNC6780 on Monday 11 May 2026 as the cluster behind the breach of more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. The cluster, also tracked as TeamPCP, used the SANDCLOCK credential stealer to harvest GitHub tokens exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634). GitHub confirmed an ongoing investigation into the unauthorised access ¹ ².

Cisco AI Defense is the vendor's flagship Large Language Model security product, sold to enterprises to protect AI deployments from prompt injection, model theft, and adversarial inputs. Cisco has not publicly confirmed the repository list or the scope of source-code loss; the attribution and the count of 300-plus repositories come from GTIG's published account. The timing matters: the disclosure landed two months after the $32 billion Google-Wiz close priced the LLM-security category as the largest pure-cybersecurity deal of the post-CrowdStrike era .

GTIG's blast-radius comparison places the 2020 SolarWinds Orion theft against this haul. SolarWinds touched roughly 18,000 downstream deployments on a single product line. UNC6780's haul spans AI Defense, AI Assistant, and unreleased work across Cisco's security portfolio. The product-line breadth is therefore an order of magnitude wider than the SolarWinds reference even before per-customer downstream counts are known. UNC6780 sits alongside the FIRESTARTER cluster that turned Cisco edge appliances into persistent federal footholds , now operating against the source-code supply chain rather than the deployed device.

Deep Analysis

In plain English

A hacking group stole the source code of Cisco's security software by first breaking into the scanning tool that Cisco's own developers use to check their code for problems, which handed over the passwords needed to access Cisco's private code libraries.

Deep Analysis

Root Causes

Trivy's role as a universal container-security scanner means it holds CI/CD credentials for the pipelines it audits. A single supply-chain compromise of the scanner yields credential access to every pipeline that trusts it, a structural concentration risk that neither Cisco nor the broader industry had treated as a primary threat surface before CVE-2026-33634.

UNC6780's SANDCLOCK tooling was already in circulation from prior TeamPCP campaigns against SAP npm packages; the March 2026 Trivy CVE gave the cluster a repeatable credential-harvest path into targets that had hardened their own developer endpoints but not their scanner dependencies.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The December 2020 SolarWinds SUNBURST operation , where UNC2452 compromised the Orion build pipeline and shipped a backdoored update to roughly 18,000 organisations. The structural mechanism matches: rather than attacking the end product, the actor seeded the tooling that built or audited it. SANDCLOCK's Trivy pivot follows the same upstream-injection logic.

Counter-parallel: Lapsus$'s March 2022 theft of Microsoft Bing and Cortana source code via a compromised contractor credential produced no known weaponised variant and had limited operational fallout. Large source-code hauls do not automatically translate into exploit capability, particularly for products where the detection logic runs on cloud infrastructure the attacker cannot access.

Consensus view: Google's Threat Intelligence Group and Mandiant assess that UNC6780's Trivy supply-chain pivot represents a maturation of TeamPCP operations: rather than targeting individual developer credentials, the cluster compromised the scanner tooling used to audit those credentials, achieving a second-order credential harvest across Cisco's entire CI pipeline.

Counter-view: Cisco has not publicly confirmed the full repository list or the volume of source-code loss, and the 300-plus figure comes from GTIG's own account rather than Cisco's disclosure. Security researchers at Aqua Security, who maintain Trivy, have not published their own scope assessment; the blast radius remains GTIG-attested rather than vendor-confirmed.

Key tension: Whether the source-code theft materially accelerates adversary capability against Cisco AI Defense deployments depends on how closely the product's on-premises detection logic mirrors its cloud-hosted equivalent, which Cisco has not disclosed.

Sources:Google Threat Intelligence Group·SANS Internet Storm Center

Mentions:Mandiant →Cisco →CVE-2023-50224 →YouTube →Google Cloud →FIRESTARTER →Google →SolarWinds →Microsoft →CrowdStrike →Google Threat Intelligence Group (GTIG) →Trivy →Aqua Security →Cisco AI Assistant →Cisco AI Defense →SANDCLOCK →UNC6780 →

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group· 20 May 2026

Read original →

Causes and effects

This Event

UNC6780 takes Cisco AI Defense source code

Cisco's flagship LLM-security product is now in attacker hands as source code. The breach gives a financially motivated cluster the internal architecture of the defensive portfolio a $32bn AI-security M&A market is built on.

Led to

Google closes $32bn Wiz deal; 38 M&A

UNC6780's theft of Cisco AI Defense source code validates the AI-security market risk that the Google-Wiz $32bn close was pricing, shifting diligence from hypothetical to named incident.

Occurred 1 Mar 2026

Read story →

FIRESTARTER implant survives every Cisco firewall patch

The Cisco AI Defense source-code theft by UNC6780 escalates the FIRESTARTER-era picture of Cisco network-edge exposure into the AI-security product stack itself.

Occurred 24 Apr 2026

Read story →

GitHub's own code cloned via add-on

UNC6780 escalated from cloning 300+ Cisco repositories to breaching GitHub's own internal estate, climbing the supply chain from a vendor's source to the registry operator itself.

Occurred 18 May 2026

Read story →

Attack worm kit now open-sourced freely

UNC6780's 300-plus Cisco repository clone via SANDCLOCK credentials is the prior operation in the same cluster's arc; the Shai-Hulud open-source release commoditises the techniques developed in that campaign.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.