Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

UNC6780 takes Cisco AI Defense source code

3 min read
11:00UTC

Google's Threat Intelligence Group named UNC6780 as the cluster that cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense, using SANDCLOCK-stolen credentials from the Trivy supply-chain compromise.

TechnologyDeveloping
Key takeaway

UNC6780 holds the source code of Cisco's flagship LLM-security product two months after the Google-Wiz close.

Google's Threat Intelligence Group (GTIG), the threat-research arm inside Google Cloud, named UNC6780 on Monday 11 May 2026 as the cluster behind the breach of more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. The cluster, also tracked as TeamPCP, used the SANDCLOCK credential stealer to harvest GitHub tokens exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634). GitHub confirmed an ongoing investigation into the unauthorised access 1 2.

Cisco AI Defense is the vendor's flagship Large Language Model security product, sold to enterprises to protect AI deployments from prompt injection, model theft, and adversarial inputs. Cisco has not publicly confirmed the repository list or the scope of source-code loss; the attribution and the count of 300-plus repositories come from GTIG's published account. The timing matters: the disclosure landed two months after the $32 billion Google-Wiz close priced the LLM-security category as the largest pure-cybersecurity deal of the post-CrowdStrike era .

GTIG's blast-radius comparison places the 2020 SolarWinds Orion theft against this haul. SolarWinds touched roughly 18,000 downstream deployments on a single product line. UNC6780's haul spans AI Defense, AI Assistant, and unreleased work across Cisco's security portfolio. The product-line breadth is therefore an order of magnitude wider than the SolarWinds reference even before per-customer downstream counts are known. UNC6780 sits alongside the FIRESTARTER cluster that turned Cisco edge appliances into persistent federal footholds , now operating against the source-code supply chain rather than the deployed device.

Deep Analysis

In plain English

A hacking group stole the source code of Cisco's security software by first breaking into the scanning tool that Cisco's own developers use to check their code for problems, which handed over the passwords needed to access Cisco's private code libraries.

Deep Analysis
Root Causes

Trivy's role as a universal container-security scanner means it holds CI/CD credentials for the pipelines it audits. A single supply-chain compromise of the scanner yields credential access to every pipeline that trusts it, a structural concentration risk that neither Cisco nor the broader industry had treated as a primary threat surface before CVE-2026-33634.

UNC6780's SANDCLOCK tooling was already in circulation from prior TeamPCP campaigns against SAP npm packages; the March 2026 Trivy CVE gave the cluster a repeatable credential-harvest path into targets that had hardened their own developer endpoints but not their scanner dependencies.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group· 20 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.