Trivy, a well-liked open-source vulnerability scanner maintained by Aqua Safety, was compromised a second time inside the span of a month to ship malware that stole delicate CI/CD secrets and techniques.
The newest incident impacted GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” that are used to scan Docker container photographs for vulnerabilities and arrange GitHub Actions workflow with a selected model of the scanner, respectively.
“We recognized that an attacker force-pushed 75 out of 76 model tags within the aquasecurity/trivy-action repository, the official GitHub Motion for operating Trivy vulnerability scans in CI/CD pipelines,” Socket safety researcher Philipp Burckhardt stated. “These tags had been modified to serve a malicious payload, successfully turning trusted model references right into a distribution mechanism for an infostealer.”
The payload executes inside GitHub Actions runners and goals to extract priceless developer secrets and techniques from CI/CD environments, equivalent to SSH keys, credentials for cloud service suppliers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
The growth marks the second provide chain incident involving Trivy. In the direction of the tip of February and early March 2026, an autonomous bot known as hackerbot-claw exploited a “pull_request_target” workflow to steal a Private Entry Token (PAT), which was then weaponized to grab management of the GitHub repository, delete a number of launch variations, and push two malicious variations of its Visible Studio Code (VS Code) extension to Open VSX.
The primary signal of the compromise was flagged by safety researcher Paul McCarty after a brand new compromised launch (model 0.69.4) was printed to the “aquasecurity/trivy” GitHub repository. The rogue model has since been eliminated. In accordance with Wiz, model 0.69.4 begins each the respectable Trivy service and the malicious code accountable for a sequence of duties –
- Conduct knowledge theft by scanning the system for environmental variables and credentials, encrypting the info, and exfiltrating it through an HTTP POST request to scan.aquasecurtiy[.]org.
- Arrange persistence through the use of a systemd service after confirming that it is operating on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an exterior server to retrieve the payload and execute it.
In a press release, Itay Shakury, vice chairman of open supply at Aqua Safety, stated the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. Within the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 model tags to level to the malicious commits containing the Python infostealer payload with out creating a brand new launch or pushing to a department, as is customary apply. Seven “aquasecurity/setup-trivy” tags had been force-pushed in the identical method.
“So on this case, the attacker did not want to take advantage of Git itself,” Burckhardt instructed The Hacker Information. “They’d legitimate credentials with enough privileges to push code and rewrite tags, which is what enabled the tag poisoning we noticed. What stays unclear is the precise credential used on this particular step (e.g., a maintainer PAT vs automation token), however the root trigger is now understood to be credential compromise carried over from the sooner incident.”
The safety vendor additionally acknowledged that the most recent assault stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and techniques and tokens, however the course of wasn’t atomic, and attackers could have been aware of refreshed tokens,” Shakury stated. “We are actually taking a extra restrictive strategy and locking down all automated actions and any token with a view to completely eradicate the issue.”
The stealer operates in three levels: harvesting atmosphere variables from the runner course of reminiscence and the file system, encrypting the info, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).
Ought to the exfiltration try fail, the sufferer’s personal GitHub account is abused to stage the stolen knowledge in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an atmosphere variable utilized in GitHub Actions to go a GitHub PAT for authentication with the GitHub API.
It is at present not recognized who’s behind the assault, though there are indicators that the menace actor often called TeamPCP could also be behind it. This evaluation relies on the truth that the credential harvester self-identifies as “TeamPCP Cloud stealer” within the supply code. Also called DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is thought for performing as a cloud-native cybercrime platform designed to breach trendy cloud infrastructure to facilitate knowledge theft and extortion.
“The credential targets on this payload are according to the group’s broader cloud-native theft-and-monetization profile,” Socket stated. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is much less well-documented as a TeamPCP hallmark, although it aligns with the group’s recognized monetary motivations. The self-labeling might be a false flag, however the technical overlap with prior TeamPCP tooling makes real attribution believable.”
Customers are suggested to make sure that they’re utilizing the most recent protected releases –
“In case you suspect you had been operating a compromised model, deal with all pipeline secrets and techniques as compromised and rotate instantly,” Shakury stated. Extra mitigation steps embrace blocking the exfiltration area and the related IP tackle (45.148.10[.]212) on the community stage, and checking GitHub accounts for repositories named “tpcp-docs,” which can point out profitable exfiltration through the fallback mechanism.
“Pin GitHub Actions to full SHA hashes, not model tags,” Wiz researcher Rami McCarthy stated. “Model tags could be moved to level at malicious commits, as demonstrated on this assault.”
(It is a creating story. Please examine again for extra particulars.)
