Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Trivy Under Siege: Open-Source Vulnerability Scanner Compromised Twice in One Month

In a turn of events that has sent shockwaves through the cybersecurity community, Trivy, the beloved open-source vulnerability scanner maintained by Aqua Security, has fallen victim to a double supply chain attack within the span of a single month. This isn’t just another security incident. It’s a wake-up call for the entire open-source ecosystem.

The Anatomy of a Sophisticated Attack

The latest compromise targeted two critical GitHub Actions: aquasecurity/trivy-action and aquasecurity/setup-trivy. These tools, trusted by thousands of developers worldwide to scan Docker container images and set up CI/CD workflows, were weaponized to distribute a sophisticated infostealer.

Socket security researcher Philipp Burckhardt revealed the chilling details: “We identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository. These tags were modified to serve a malicious payload, effectively turning trusted version references into a distribution mechanism for an infostealer.”

The Steal of the Century

This isn’t your average malware. The payload executes within GitHub Actions runners and systematically extracts valuable developer secrets from CI/CD environments. We’re talking SSH keys, cloud provider credentials, database access, Git configurations, Docker secrets, Kubernetes tokens, and even cryptocurrency wallets. The attackers left no stone unturned in their quest for sensitive information.

A Familiar Face Returns

What makes this attack particularly concerning is that it’s the second supply chain incident involving Trivy in just weeks. In late February and early March 2026, an autonomous bot called hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then used to seize control of the GitHub repository.

The first signs of the latest compromise were flagged by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the “aquasecurity/trivy” GitHub repository. This rogue version has since been removed, but not before it executed its malicious payload.

The Three-Stage Operation

According to Wiz, version 0.69.4 operates in a sophisticated three-stage process:

  1. Data Theft: The malware scans the system for environment variables and credentials, encrypts the data, and exfiltrates it via an HTTP POST request to scan.aquasecurtiy[.]org.

  2. Persistence: After confirming it’s running on a developer machine, the malware sets up a systemd service that runs a Python script (“sysmon.py”) to continuously poll an external server for new commands.

  3. Fallback Mechanism: If exfiltration fails, the malware abuses the victim’s own GitHub account to stage stolen data in a public repository named “tpcp-docs.”
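
As an added example (not code from the article, Wiz, or Aqua Security), the indicators the article names for these three stages can be swept for in Python: the exfiltration host and the IP address given in the mitigation steps, a systemd unit launching sysmon.py, and a repository named tpcp-docs. The log lines, unit paths and repository names are constructed sample input.

```python
import re

# Indicators as the article reports them; the domain is defanged on the page.
EXFIL_DOMAIN = "scan.aquasecurtiy[.]org".replace("[.]", ".")
EXFIL_IP = "45.148.10.212"
PERSISTENCE_SCRIPT = "sysmon.py"
STAGING_REPO = "tpcp-docs"

# Whole-token match so look-alike hosts and longer IPs do not trigger.
_NET = re.compile(r"(?<![\w-])(?:%s|%s)(?![\w-]|\.\w)"
                  % (re.escape(EXFIL_DOMAIN), re.escape(EXFIL_IP)))

def network_hits(log_lines):
    """Egress/DNS log lines that mention the exfiltration domain or IP."""
    return [l for l in log_lines if _NET.search(l.replace("[.]", ".").lower())]

def unit_hits(units):
    """units maps path -> systemd unit text; flag ExecStart lines running sysmon.py."""
    hits = []
    for path, text in units.items():
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip().startswith("ExecStart") and PERSISTENCE_SCRIPT in value:
                hits.append((path, value.strip()))
    return hits

def repo_hits(repo_names):
    """owner/name strings whose repository name is the fallback staging repo."""
    return [r for r in repo_names if r.rsplit("/", 1)[-1].lower() == STAGING_REPO]

# Constructed sample inputs (not taken from any real environment).
SAMPLE_LOGS = [
    "2026-03-20T10:01:02Z runner-7 POST https://scan.aquasecurtiy.org/ 200",
    "2026-03-20T10:01:05Z runner-7 GET https://scan.aquasecurity.org/ 200",
    "2026-03-20T10:02:11Z runner-9 CONNECT 45.148.10.212:443",
    "2026-03-20T10:02:12Z runner-9 CONNECT 145.148.10.212:443",
]
SAMPLE_UNITS = {
    "/home/dev/.config/systemd/user/example.service":
        "[Service]\nExecStart=/usr/bin/python3 /home/dev/.cache/sysmon.py\nRestart=always\n",
    "/etc/systemd/system/backup.service":
        "[Service]\nExecStart=/usr/local/bin/backup.sh\n",
}
SAMPLE_REPOS = ["example-dev/website", "example-dev/tpcp-docs"]

if __name__ == "__main__":
    print(network_hits(SAMPLE_LOGS), unit_hits(SAMPLE_UNITS), repo_hits(SAMPLE_REPOS), sep="\n")
```

sysmon.py is a generic filename, so a unit hit is a lead to review rather than proof of compromise.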

The Credential Compromise

Aqua Security’s vice president of open source, Itay Shakury, confirmed that attackers abused compromised credentials to publish malicious releases. The attack was particularly insidious because it used force-pushes to modify version tags without creating new releases or pushing to branches—a technique that makes detection extremely difficult.

“The attacker didn’t need to exploit Git itself,” Burckhardt explained to The Hacker News. “They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed.”

The TeamPCP Connection

Evidence points to TeamPCP, a notorious cloud-native cybercrime platform, as the likely culprit behind this sophisticated attack. The credential harvester self-identifies as “TeamPCP Cloud stealer” in the source code, and the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.

TeamPCP, also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, is renowned for breaching modern cloud infrastructure to facilitate data theft and extortion. The heavy emphasis on Solana validator key pairs and cryptocurrency wallets aligns perfectly with the group’s known financial motivations.

Immediate Action Required

If you’re using Trivy, immediate action is required. Aqua Security has confirmed that the latest safe releases are available, but users need to ensure they’re running the correct versions. The compromised versions include:

  • All versions of aquasecurity/trivy-action except v0.1.0
  • All versions of aquasecurity/setup-trivy except v1.0.0

Critical Mitigation Steps

Security experts are recommending several critical mitigation steps:

  1. Rotate All Secrets: If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately.

  2. Block Exfiltration Domains: Block the exfiltration domain and the associated IP address (45.148.10.212) at the network level.

  3. Check for Suspicious Repositories: Look for GitHub repositories named “tpcp-docs” in your accounts, which may indicate successful exfiltration.

  4. Pin to Commit SHAs: Pin GitHub Actions to full-length commit SHAs, not version tags. Version tags can be moved to point at malicious commits, as demonstrated in this attack.
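
An added example, not part of the original article or of any Aqua Security tooling: a Python check for step 4 that lists every `uses:` reference in a workflow file that is not pinned to a 40-character commit SHA, and marks the two actions named above. The sample workflow, its refs and the example-org action are constructed.

```python
import re

# Actions the article names as affected.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def audit_workflow(text):
    """Return (line_no, repo, ref, problem) for each action on a movable ref."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker:// images are not git refs; skip them.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        # owner/repo/subpath (incl. reusable workflows) -> owner/repo
        repo = "/".join(action.split("/")[:2]).lower()
        if FULL_SHA_RE.match(ref):
            continue  # immutable reference
        problem = ("affected action on mutable ref" if repo in AFFECTED
                   else "mutable ref")
        findings.append((no, repo, ref or "(none)", problem))
    return findings

# Constructed sample workflow; the refs are placeholders, not real releases.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0
      - name: Scan image
        uses: aquasecurity/trivy-action@main
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print("line %d: %s@%s -> %s" % finding)
```

Pinning only helps if the SHA was verified as a known-good commit; a SHA copied from a tag after it was force-pushed pins the malicious commit.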

The Bigger Picture

This double compromise of Trivy highlights a critical vulnerability in the open-source supply chain. When widely-used tools become compromised, the ripple effects can be catastrophic across the entire software development ecosystem.

The fact that TeamPCP was able to exploit compromised credentials from a previous incident to launch this sophisticated attack demonstrates the importance of comprehensive incident response and the need for atomic credential rotation processes.

Looking Forward

As the cybersecurity community grapples with this latest incident, one thing is clear: the traditional approaches to software supply chain security are no longer sufficient. We need more robust verification mechanisms, better credential management practices, and a fundamental rethinking of how we trust open-source software.

This incident serves as a stark reminder that in the world of cybersecurity, complacency is the enemy. Whether you’re a developer, security professional, or just someone who uses software, the Trivy compromise should make you think twice about the tools you trust and the processes you rely on.

The question now is: how many more times will we need to learn this lesson before we implement the necessary changes to protect our digital infrastructure?

