The Trivy vulnerability scanner was compromised in a supply-chain assault by risk actors often known as TeamPCP, which distributed credential-stealing malware by means of official releases and GitHub Actions.
Trivy is a well-liked safety scanner that helps determine vulnerabilities, misconfigurations, and uncovered secrets and techniques throughout containers, Kubernetes environments, code repositories, and cloud infrastructure. As a result of builders and safety groups generally use it, it’s a high-value goal for attackers to steal delicate authentication secrets and techniques.
The breach was first disclosed by safety researcher Paul McCarty, who warned that Trivy model 0.69.4 had been backdoored, with malicious container pictures and GitHub releases revealed to customers.
Additional evaluation by Socket and later by Wiz decided that the assault affected a number of GitHub Actions, compromising practically all model tags of the trivy-action repository.
Researchers discovered that risk actors compromised Trivy’s GitHub construct course of, swapping the entrypoint.sh in GitHub Actions with a malicious model and publishing trojanized binaries within the Trivy v0.69.4 launch, each of which acted as infostealers throughout the principle scanner and associated GitHub Actions, together with trivy-action and setup-trivy.
The attackers abused a compromised credential with write entry to the repository, permitting them to publish malicious releases. These compromised credentials are from an earlier March breach, through which credentials had been exfiltrated from Trivy’s setting and never totally contained.
The risk actor force-pushed 75 out of 76 tags within the aquasecurity/trivy-action repository, redirecting them to malicious commits.
Because of this, any exterior workflows utilizing the affected tags routinely executed the malicious code earlier than working reliable Trivy scans, making the compromise tough to detect.
Socket experiences that the infostealer collected reconnaissance information and scanned methods for a variety of information and areas identified to retailer credentials and authentication secrets and techniques, together with:
- Reconnaissance information: hostname, whoami, uname, community configuration, and setting variables
- SSH: personal and public keys and associated configuration information
- Cloud and infrastructure configs: Git, AWS, GCP, Azure, Kubernetes, and Docker credentials
- Surroundings information: .env and associated variants
- Database credentials: configuration information for PostgreSQL, MySQL/MariaDB, MongoDB, and Redis
- Credential information: together with bundle supervisor and Vault-related authentication tokens
- CI/CD configurations: Terraform, Jenkins, GitLab CI, and related information
- TLS personal keys
- VPN configurations
- Webhooks: Slack and Discord tokens
- Shell historical past information
- System information: /and so forth/passwd, /and so forth/shadow, and authentication logs
- Cryptocurrency wallets
Supply: BleepingComputer
The malicious script would additionally scan reminiscence areas utilized by the GitHub Actions Runner.Employee course of for the JSON string “" <title> ":{ "worth": "<secret>", "isSecret":true}” to search out extra authentication secrets and techniques.
On developer machines, the trojanized Trivy binary carried out related information assortment, gathering setting variables, scanning native information for credentials, and enumerating community interfaces.
Collected information was encrypted and saved in an archive named tpcp.tar.gz, which was then exfiltrated to a typosquatted command-and-control server at scan.aquasecurtiy[.]org.
If exfiltration failed, the malware created a public repository named tpcp-docs throughout the sufferer’s GitHub account and uploaded the stolen information there.
To persist on a compromised gadget, the malware would additionally drop a Python payload at ~/.config/systemd/person/sysmon.py and register it as a systemd service. This payload would verify a distant server for extra payloads to drop, giving the risk actor persistent entry to the gadget.
The assault is believed to be linked to a risk actor often known as TeamPCP, as one of many infostealer payloads used within the assault has a “TeamPCP Cloud stealer” remark because the final line of the Python script.
“The malware self-identifies as TeamPCP Cloud stealer in a Python touch upon the ultimate line of the embedded filesystem credential harvester. TeamPCP, additionally tracked as DeadCatx3, PCPcat, and ShellForce, is a documented cloud-native risk actor identified for exploiting misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers,” explains Socket.
Supply: BleepingComputer
Aqua Safety confirmed the incident, stating {that a} risk actor used compromised credentials from the sooner incident that was not correctly contained.
“This was a observe up from the latest incident (2026-03-01) which exfiltrated credentials. Our containment of the primary incident was incomplete,” defined Aqua Safety.
“We rotated secrets and techniques and tokens, however the course of wasn’t atomic and attackers might have been aware about refreshed tokens.”
The malicious Trivy launch (v0.69.4) was stay for roughly three hours, with compromised GitHub Actions tags remaining energetic for as much as 12 hours.
The attackers additionally tampered with the undertaking’s repository, deleting Aqua Safety’s preliminary disclosure of the sooner March incident.
Organizations that used affected variations through the incident ought to deal with their environments as totally compromised.
This consists of rotating all secrets and techniques, equivalent to cloud credentials, SSH keys, API tokens, and database passwords, and analyzing methods for extra compromise.
Comply with-up assault spreads CanisterWorm by way of npm
Researchers at Aikido have additionally linked the identical risk actor to a follow-up marketing campaign involving a brand new self-propagating worm named “CanisterWorm,” which targets npm packages.
The worm compromises packages, installs a persistent backdoor by way of a systemd person service, after which makes use of stolen npm tokens to publish malicious updates to different packages.
“Self-propagating worm. deploy.js takes npm tokens, resolves usernames, enumerates all publishable packages, bumps patch variations, and publishes the payload throughout your entire scope. 28 packages in below 60 seconds,” highlights Aikido.
The malware makes use of a decentralized command-and-control mechanism utilizing Web Pc (ICP) canisters, which act as a dead-drop resolver that gives URLs for extra payloads.
Utilizing ICP canisters makes the operation extra proof against takedown, as solely the canister’s controller can take away it, and any try to cease it will require a governance proposal and community vote.
The worm additionally consists of performance to reap npm authentication tokens from configuration information and setting variables, enabling it to unfold throughout developer environments and CI/CD pipelines.
On the time of study, among the secondary payload infrastructure was inactive or configured with innocent content material, however the researchers say this might change at any time.
Malware is getting smarter. The Crimson Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
