The Trivy vulnerability scanner was compromised in a supply-chain assault by risk actors referred to as TeamPCP, which distributed credential-stealing malware by official releases and GitHub Actions.
Trivy is a well-liked safety scanner that helps establish vulnerabilities, misconfigurations, and uncovered secrets and techniques throughout containers, Kubernetes environments, code repositories, and cloud infrastructure. As a result of builders and safety groups generally use it, it’s a high-value goal for attackers to steal delicate authentication secrets and techniques.
The breach was first disclosed by safety researcher Paul McCarty, who warned that Trivy model 0.69.4 had been backdoored, with malicious container photos and GitHub releases revealed to customers.
Additional evaluation by Socket and later by Wiz decided that the assault affected a number of GitHub Actions, compromising practically all model tags of the trivy-action repository.
Researchers discovered that risk actors compromised Trivy’s GitHub construct course of, swapping the entrypoint.sh in GitHub Actions with a malicious model and publishing trojanized binaries within the Trivy v0.69.4 launch, each of which acted as infostealers throughout the primary scanner and associated GitHub Actions, together with trivy-action and setup-trivy.
The attackers abused a compromised credential with write entry to the repository, permitting them to publish malicious releases. These compromised credentials are from an earlier March breach, through which credentials had been exfiltrated from Trivy’s surroundings and never absolutely contained.
The risk actor force-pushed 75 out of 76 tags within the aquasecurity/trivy-action repository, redirecting them to malicious commits.
Because of this, any exterior workflows utilizing the affected tags robotically executed the malicious code earlier than working reputable Trivy scans, making the compromise tough to detect.
Socket reviews that the infostealer collected reconnaissance knowledge and scanned methods for a variety of recordsdata and areas recognized to retailer credentials and authentication secrets and techniques, together with:
- Reconnaissance knowledge: hostname, whoami, uname, community configuration, and surroundings variables
- SSH: personal and public keys and associated configuration recordsdata
- Cloud and infrastructure configs: Git, AWS, GCP, Azure, Kubernetes, and Docker credentials
- Atmosphere recordsdata: .env and associated variants
- Database credentials: configuration recordsdata for PostgreSQL, MySQL/MariaDB, MongoDB, and Redis
- Credential recordsdata: together with package deal supervisor and Vault-related authentication tokens
- CI/CD configurations: Terraform, Jenkins, GitLab CI, and related recordsdata
- TLS personal keys
- VPN configurations
- Webhooks: Slack and Discord tokens
- Shell historical past recordsdata
- System recordsdata: /and many others/passwd, /and many others/shadow, and authentication logs
- Cryptocurrency wallets
Supply: BleepingComputer
The malicious script would additionally scan reminiscence areas utilized by the GitHub Actions Runner.Employee course of for the JSON string “" ” to search out further authentication secrets and techniques.
On developer machines, the trojanized Trivy binary carried out related knowledge assortment, gathering surroundings variables, scanning native recordsdata for credentials, and enumerating community interfaces.
Collected knowledge was encrypted and saved in an archive named tpcp.tar.gz, which was then exfiltrated to a typosquatted command-and-control server at scan.aquasecurtiy[.]org.
If exfiltration failed, the malware created a public repository named tpcp-docs inside the sufferer’s GitHub account and uploaded the stolen knowledge there.
To persist on a compromised system, the malware would additionally drop a Python payload at ~/.config/systemd/consumer/sysmon.py and register it as a systemd service. This payload would examine a distant server for added payloads to drop, giving the risk actor persistent entry to the system.
The assault is believed to be linked to a risk actor referred to as TeamPCP, as one of many infostealer payloads used within the assault has a “TeamPCP Cloud stealer” remark because the final line of the Python script.
“The malware self-identifies as TeamPCP Cloud stealer in a Python touch upon the ultimate line of the embedded filesystem credential harvester. TeamPCP, additionally tracked as DeadCatx3, PCPcat, and ShellForce, is a documented cloud-native risk actor recognized for exploiting misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers,” explains Socket.
Supply: BleepingComputer
Aqua Safety confirmed the incident, stating {that a} risk actor used compromised credentials from the sooner incident that was not correctly contained.
“This was a observe up from the latest incident (2026-03-01) which exfiltrated credentials. Our containment of the primary incident was incomplete,” defined Aqua Safety.
“We rotated secrets and techniques and tokens, however the course of wasn’t atomic and attackers might have been aware about refreshed tokens.”
The malicious Trivy launch (v0.69.4) was stay for roughly three hours, with compromised GitHub Actions tags remaining energetic for as much as 12 hours.
The attackers additionally tampered with the venture’s repository, deleting Aqua Safety’s preliminary disclosure of the sooner March incident.
Organizations that used affected variations through the incident ought to deal with their environments as absolutely compromised.
This contains rotating all secrets and techniques, comparable to cloud credentials, SSH keys, API tokens, and database passwords, and analyzing methods for added compromise.
Observe-up assault spreads CanisterWorm through npm
Researchers at Aikido have additionally linked the identical risk actor to a follow-up marketing campaign involving a brand new self-propagating worm named “CanisterWorm,” which targets npm packages.
The worm compromises packages, installs a persistent backdoor through a systemd consumer service, after which makes use of stolen npm tokens to publish malicious updates to different packages.
“Self-propagating worm. deploy.js takes npm tokens, resolves usernames, enumerates all publishable packages, bumps patch variations, and publishes the payload throughout your complete scope. 28 packages in underneath 60 seconds,” highlights Aikido.
The malware makes use of a decentralized command-and-control mechanism utilizing Web Pc (ICP) canisters, which act as a dead-drop resolver that gives URLs for added payloads.
Utilizing ICP canisters makes the operation extra immune to takedown, as solely the canister’s controller can take away it, and any try to cease it will require a governance proposal and community vote.
The worm additionally contains performance to reap npm authentication tokens from configuration recordsdata and surroundings variables, enabling it to unfold throughout developer environments and CI/CD pipelines.
On the time of research, a few of the secondary payload infrastructure was inactive or configured with innocent content material, however the researchers say this might change at any time.
Malware is getting smarter. The Pink Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
