Trivy Open-Source Scanner Compromised Again in Supply Chain Attack
Aqua Security’s popular open-source vulnerability scanner, Trivy, was compromised for the second time in a month, leading to the distribution of malware designed to steal sensitive CI/CD secrets from GitHub Actions environments. The attack targeted two official GitHub Actions repositories aquasecurity/trivy-action and aquasecurity/setup-trivy which are widely used to scan Docker images and configure Trivy in workflows.
Security researcher Philipp Burckhardt of Socket revealed that attackers force-pushed 75 out of 76 version tags in the trivy-action repository, replacing legitimate code with a Python-based infostealer. The malware executes in GitHub Actions runners, harvesting credentials such as SSH keys, cloud provider tokens, database passwords, Kubernetes tokens, and cryptocurrency wallet details. A similar attack affected seven tags in the setup-trivy repository.
This marks the second supply chain breach involving Trivy in recent weeks. In late February and early March 2026, an autonomous bot (hackerbot-claw) exploited a pull_request_target workflow to steal a Personal Access Token (PAT), gaining control of the repository. The attackers then deleted release versions and pushed malicious updates to Trivy’s VS Code extension on Open VSX. The compromised version (0.69.4) executed both legitimate Trivy scans and a data-stealing payload, which:
- Scanned systems for environment variables and credentials.
- Exfiltrated data via HTTP POST requests to
scan.aquasecurtiy[.]org. - Established persistence via a systemd service (
sysmon.py) that fetched and executed additional payloads.
Aqua Security confirmed that the attackers abused compromised credentials to publish malicious releases. Unlike typical supply chain attacks, the adversaries rewrote existing tags rather than creating new releases, making detection harder. The exact credential used remains unclear, but the breach stemmed from incomplete containment of the earlier hackerbot-claw incident. Aqua Security acknowledged that token rotation was not atomic, allowing attackers to retain access.
The malware operates in three stages:
- Harvesting environment variables from memory and the filesystem.
- Encrypting the stolen data.
- Exfiltrating it to the attacker-controlled server or, if blocked, abusing the victim’s GitHub account to store data in a public repository named
tpcp-docs.
While attribution is unconfirmed, TeamPCP (also known as DeadCatx3, PCPcat, or ShellForce) is suspected due to code self-identification as the "TeamPCP Cloud stealer" and technical overlaps with the group’s known cloud-native theft operations. The focus on Solana validator keys and cryptocurrency wallets aligns with TeamPCP’s financial motivations, though the self-labeling could be a false flag.
Aqua Security has since locked down automated actions and tokens to prevent further abuse. The incident underscores risks in tag-based dependency management, as attackers exploited mutable version tags to distribute malware. Security researchers recommend pinning GitHub Actions to full SHA hashes to mitigate similar attacks.
Source: https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
Chem-Aqua, Inc. cybersecurity rating report: https://www.rankiteo.com/company/chem-aqua
"id": "GITCHE1774031536",
"linkid": "github, chem-aqua",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Users of Trivy GitHub Actions '
'(`aquasecurity/trivy-action`, '
'`aquasecurity/setup-trivy`) and '
'Trivy VS Code extension '
'(version 0.69.4)',
'industry': 'Cybersecurity',
'name': 'Aqua Security',
'type': 'Cybersecurity Company'}],
'attack_vector': 'Compromised GitHub repositories (force-pushed version tags)',
'data_breach': {'data_encryption': 'Yes (stolen data was encrypted before '
'exfiltration)',
'data_exfiltration': 'Yes (HTTP POST to '
'`scan.aquasecurtiy[.]org` or GitHub '
'repository `tpcp-docs`)',
'personally_identifiable_information': 'Yes (credentials, '
'tokens, wallet '
'details)',
'sensitivity_of_data': 'High (credentials, PII, financial '
'data)',
'type_of_data_compromised': ['CI/CD secrets',
'SSH keys',
'Cloud provider tokens',
'Database passwords',
'Kubernetes tokens',
'Cryptocurrency wallet details',
'Environment variables']},
'description': 'Aqua Security’s popular open-source vulnerability scanner, '
'Trivy, was compromised for the second time in a month, '
'leading to the distribution of malware designed to steal '
'sensitive CI/CD secrets from GitHub Actions environments. The '
'attack targeted two official GitHub Actions repositories '
'`aquasecurity/trivy-action` and `aquasecurity/setup-trivy`, '
'replacing legitimate code with a Python-based infostealer '
'that harvested credentials such as SSH keys, cloud provider '
'tokens, database passwords, Kubernetes tokens, and '
'cryptocurrency wallet details.',
'impact': {'brand_reputation_impact': 'High (second breach in a month, '
'compromised open-source tool)',
'data_compromised': 'CI/CD secrets, SSH keys, cloud provider '
'tokens, database passwords, Kubernetes '
'tokens, cryptocurrency wallet details, '
'environment variables',
'identity_theft_risk': 'High (PII and credentials stolen)',
'operational_impact': 'Malware execution in CI/CD pipelines, '
'credential theft, potential lateral '
'movement in cloud environments',
'systems_affected': 'GitHub Actions runners, Trivy VS Code '
'extension (version 0.69.4), Trivy GitHub '
'Actions repositories '
'(`aquasecurity/trivy-action`, '
'`aquasecurity/setup-trivy`)'},
'initial_access_broker': {'backdoors_established': 'Systemd service '
'(`sysmon.py`) for '
'persistence',
'entry_point': 'Compromised Personal Access Token '
'(PAT) via `pull_request_target` '
'workflow',
'high_value_targets': 'CI/CD environments, cloud '
'credentials, cryptocurrency '
'wallets'},
'investigation_status': 'Ongoing (attribution unconfirmed)',
'lessons_learned': 'Risks of mutable version tags in dependency management, '
'importance of atomic token rotation, need to pin GitHub '
'Actions to full SHA hashes',
'motivation': 'Financial gain (cryptocurrency theft, credential harvesting)',
'post_incident_analysis': {'corrective_actions': ['Atomic token rotation',
'Locking down automated '
'actions',
'Pinning GitHub Actions to '
'full SHA hashes'],
'root_causes': ['Incomplete containment of earlier '
'breach (hackerbot-claw)',
'Non-atomic token rotation',
'Mutable version tags in GitHub '
'repositories']},
'recommendations': 'Pin GitHub Actions to full SHA hashes, implement atomic '
'token rotation, enhance monitoring of repository changes, '
'restrict `pull_request_target` workflows',
'references': [{'source': 'Socket (Philipp Burckhardt)'},
{'source': 'Aqua Security'}],
'response': {'containment_measures': 'Locked down automated actions and '
'tokens, removed malicious versions',
'remediation_measures': 'Atomic token rotation, pinning GitHub '
'Actions to full SHA hashes'},
'threat_actor': 'TeamPCP (suspected; also known as DeadCatx3, PCPcat, or '
'ShellForce)',
'title': 'Trivy Open-Source Scanner Compromised Again in Supply Chain Attack',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Incomplete containment of earlier breach '
'(hackerbot-claw), non-atomic token rotation, '
'mutable version tags'}