    Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

By big tee tech hub, March 21, 2026

    Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets.

    The latest incident impacted the GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” which are used, respectively, to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner.

    “We identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI/CD pipelines,” Socket security researcher Philipp Burckhardt said. “These tags were modified to serve a malicious payload, effectively turning trusted version references into a distribution mechanism for an infostealer.”

    The payload executes within GitHub Actions runners and aims to extract valuable developer secrets from CI/CD environments, such as SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.

    The development marks the second supply chain incident involving Trivy. Towards the end of February and early March 2026, an autonomous bot called hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then weaponized to seize control of the GitHub repository, delete several release versions, and push two malicious versions of Trivy’s Visual Studio Code (VS Code) extension to Open VSX. Unlike “pull_request,” the “pull_request_target” trigger runs in the context of the base repository, with access to its secrets and a write-capable token, so a workflow that checks out and executes code from the pull request head hands those secrets to anyone who can open a pull request.

    The first sign of the compromise was flagged by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the “aquasecurity/trivy” GitHub repository. The rogue version has since been removed. According to Wiz, version 0.69.4 starts both the legitimate Trivy service and the malicious code responsible for a series of tasks –

    • Conduct data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org, a typosquat of the vendor’s domain.
    • Set up persistence by using a systemd service after confirming that it’s running on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an external server to retrieve the payload and execute it. 

    In a statement, Itay Shakury, vice president of open source at Aqua Security, said the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. In the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 version tags to point to malicious commits containing the Python infostealer payload, without creating a new release or pushing to a branch as a legitimate release would. Seven “aquasecurity/setup-trivy” tags were force-pushed in the same manner.
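    The tag rewrite described above leaves a signature that can be checked from outside the repository: tags whose commit changed since you last vetted them, and many tags collapsing onto a single commit. The script below is an added example, not code from the article or from Aqua, Socket or Wiz. It parses two captures of `git ls-remote --tags <url>` output (a baseline saved when the action was adopted and a fresh one) and reports moved, added and removed tags plus any commit that several tags now share. The tag names and SHAs in the samples are constructed; annotated tags appear in ls-remote output with an extra `^{}` line carrying the peeled commit, which is what the parser compares.

```python
import re
from collections import Counter

# Constructed samples in the format of `git ls-remote --tags <url>`:
# "<sha>\trefs/tags/<tag>" plus, for annotated tags, a "<tag>^{}" line with
# the peeled commit. All tag names and SHAs here are made up for the demo.
BASELINE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v0.1.0
2222222222222222222222222222222222222222\trefs/tags/v0.2.0
3333333333333333333333333333333333333333\trefs/tags/v0.3.0
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.3.0^{}
4444444444444444444444444444444444444444\trefs/tags/v0.4.0
"""

# Same repository later: three tags now point at one new (lightweight) commit.
CURRENT_LS_REMOTE = """\
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.1.0
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.2.0
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.3.0
4444444444444444444444444444444444444444\trefs/tags/v0.4.0
5555555555555555555555555555555555555555\trefs/tags/v0.5.0
"""

LINE_RE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?$")


def parse_ls_remote(text):
    """Map tag name -> commit SHA. For annotated tags the '^{}' (peeled) line
    is the commit the tag ultimately resolves to, so it wins over the tag object."""
    tags, peeled = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sha, name, is_peeled = m.groups()
        (peeled if is_peeled else tags)[name] = sha
    return {name: peeled.get(name, sha) for name, sha in tags.items()}


def diff_tags(baseline, current):
    """Tags present in both captures but resolving to a different commit are
    'moved'; a release tag should never move once published."""
    moved = {t: (baseline[t], current[t])
             for t in baseline if t in current and baseline[t] != current[t]}
    return {
        "moved": moved,
        "removed": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
    }


def collapsed_tags(current, threshold=3):
    """Commits that `threshold` or more tags share. Each version normally has
    its own commit; many tags on one commit is the pattern of an attacker
    rewriting version tags to point at a payload commit."""
    counts = Counter(current.values())
    return {sha: sorted(t for t, s in current.items() if s == sha)
            for sha, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    base = parse_ls_remote(BASELINE_LS_REMOTE)
    cur = parse_ls_remote(CURRENT_LS_REMOTE)
    report = diff_tags(base, cur)
    for tag, (old, new) in sorted(report["moved"].items()):
        print(f"MOVED   {tag}: {old[:12]} -> {new[:12]}")
    for sha, tags in collapsed_tags(cur).items():
        print(f"SHARED  {sha[:12]} <- {', '.join(tags)}")
    print("added:", report["added"], "removed:", report["removed"])
```

    Capturing the baseline is the part that matters: `git ls-remote --tags` against the action's repository at adoption time, stored alongside the pinned SHA, gives you something to diff against before every upgrade.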


    “So in this case, the attacker didn’t need to exploit Git itself,” Burckhardt told The Hacker News. “They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed. What remains unclear is the exact credential used in this specific step (e.g., a maintainer PAT vs automation token), but the root cause is now understood to be credential compromise carried over from the earlier incident.”

    The security vendor also acknowledged that the latest attack stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens,” Shakury said. “We are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem.”

    The stealer operates in three stages: harvesting environment variables from the runner process memory and the file system, encrypting the data, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).


    Should the exfiltration attempt fail, the victim’s own GitHub account is abused to stage the stolen data in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an environment variable used in GitHub Actions to pass a GitHub PAT for authentication with the GitHub API.

    It’s currently not known who is behind the attack, although there are signs that the threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester self-identifies as “TeamPCP Cloud stealer” in the source code. Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is known for acting as a cloud-native cybercrime platform designed to breach modern cloud infrastructure to facilitate data theft and extortion.

    “The credential targets in this payload are consistent with the group’s broader cloud-native theft-and-monetization profile,” Socket said. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is less well-documented as a TeamPCP hallmark, though it aligns with the group’s known financial motivations. The self-labeling could be a false flag, but the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.”

    Users are advised to ensure that they are using the latest safe releases –

    “If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury said. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for repositories named “tpcp-docs,” which may indicate successful exfiltration via the fallback mechanism.
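    The indicators above (the exfiltration domain and IP, the “sysmon.py” systemd persistence, and the “tpcp-docs” fallback repository) can be turned into a quick triage pass. The script below is an added example, not tooling from the article or from the vendors it quotes. It scans egress-proxy log lines for the exfiltration destinations, checks a systemd unit for an Exec directive that runs the stager, and filters a repository listing for the fallback repository name. The proxy log layout, the unit file, and the repository list are constructed samples; the listing is in the JSON array shape that `gh repo list --json name` emits, which is an assumption about that CLI and not something the article states.

```python
import json

# Indicators reported for this incident, with the defanging brackets removed.
EXFIL_DOMAIN = "scan.aquasecurtiy.org"   # typosquat of the vendor's domain
EXFIL_IP = "45.148.10.212"
FALLBACK_REPO = "tpcp-docs"               # public repo used when HTTP exfil fails
STAGER_SCRIPT = "sysmon.py"               # script run by the persistence systemd unit

# Constructed egress-proxy log lines. The "<ts> <src> <method> <host:port> <status>"
# layout is hypothetical; adapt split_host() to your proxy's real format.
SAMPLE_PROXY_LOG = """\
2026-03-20T10:00:01Z 10.0.3.14 CONNECT ghcr.io:443 200
2026-03-20T10:00:04Z 10.0.3.14 POST scan.aquasecurtiy.org:443 200
2026-03-20T10:00:09Z 10.0.3.22 CONNECT api.github.com:443 200
2026-03-20T10:00:12Z 10.0.3.22 CONNECT aquasecurity.github.io:443 200
2026-03-20T10:01:30Z 10.0.3.31 POST 45.148.10.212:80 000
"""


def split_host(line):
    """Return the lower-cased host from field 4 of a constructed log line, minus any port."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[3].rsplit(":", 1)[0].lower()


def host_matches(host):
    """Exact IP match, or the exfil domain and any label beneath it."""
    return host == EXFIL_IP or host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN)


def scan_proxy_log(text):
    """Log lines whose destination is one of the exfiltration indicators."""
    hits = []
    for line in text.splitlines():
        host = split_host(line)
        if host and host_matches(host):
            hits.append(line.strip())
    return hits


# Constructed systemd unit in the shape described: an Exec directive running
# a Python stager from a user-writable path.
SAMPLE_UNIT = """\
[Unit]
Description=System monitor
[Service]
ExecStart=/usr/bin/python3 /home/dev/.local/sysmon.py
Restart=always
[Install]
WantedBy=default.target
"""


def unit_runs_stager(unit_text):
    """True if any Exec* directive in a systemd unit invokes the stager script."""
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().startswith("Exec") and STAGER_SCRIPT in value:
            return True
    return False


# Constructed listing in the JSON array shape of `gh repo list --json name`
# (assumed CLI output format); repository names are hypothetical.
SAMPLE_GH_REPOS = '[{"name": "infra"}, {"name": "tpcp-docs"}, {"name": "trivy-wrapper"}]'


def fallback_repos(gh_json):
    """Repositories whose name matches the stealer's fallback staging repo."""
    return [r["name"] for r in json.loads(gh_json) if r.get("name") == FALLBACK_REPO]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("EXFIL  ", hit)
    print("stager unit:", unit_runs_stager(SAMPLE_UNIT))
    print("fallback repos:", fallback_repos(SAMPLE_GH_REPOS))
```

    A hit on the proxy log means the runner reached the exfiltration endpoint and every secret that pipeline could see should be treated as stolen; a “tpcp-docs” repository under an account means the fallback path ran with that account's PAT, so the data is also public until the repository is deleted.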

    “Pin GitHub Actions to full SHA hashes, not version tags,” Wiz researcher Rami McCarthy said. “Version tags can be moved to point at malicious commits, as demonstrated in this attack.”
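    The two workflow weaknesses this story turns on, the “pull_request_target” trigger combined with a checkout of the pull request head that gave away the PAT in the first incident, and version-tag references that the second incident turned into a payload delivery path, can both be caught by a linter over `.github/workflows/*.yml`. The script below is an added example, not code from the article, from GitHub, or from Aqua. It does a line-based pass (no YAML library needed) and flags every `uses:` that is not pinned to a 40-hex commit SHA, and any workflow that both triggers on `pull_request_target` and checks out the PR head. The two workflows it runs on are constructed; the commit SHAs in the hardened one are placeholders, not real commits.

```python
import re

# A full 40-hex commit SHA; anything else (tag, branch, short SHA) can be moved.
SHA_PIN_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PRT_RE = re.compile(r"\bpull_request_target\b")
# Checkout of the PR head inside a base-context workflow: the "pwn request" shape.
HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\b")

# Constructed workflow: runs PR-supplied code with base-repo secrets and
# references both actions by movable refs.
VULNERABLE_WORKFLOW = """\
name: pr-scan
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@master
"""

# Constructed hardened form: plain pull_request trigger (no secrets for forks),
# read-only token, actions pinned to commit SHAs (placeholder values here).
HARDENED_WORKFLOW = """\
name: pr-scan
on:
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef # placeholder SHA
"""


def find_unpinned_uses(workflow_text):
    """(line_no, ref) for every action reference not pinned to a full commit SHA.
    Local actions (./path) and docker:// images are skipped: they are not tags
    on a GitHub repository."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1).strip("\"'")
        if uses.startswith(("./", "docker://")):
            continue
        _repo, sep, ref = uses.partition("@")
        if not sep or not SHA_PIN_RE.match(ref):
            findings.append((n, uses))
    return findings


def find_pwn_request_pattern(workflow_text):
    """Lines where a pull_request_target trigger and a PR-head checkout occur
    together, or None when the workflow does not combine the two."""
    lines = workflow_text.splitlines()
    triggers = [n for n, l in enumerate(lines, 1) if PRT_RE.search(l)]
    checkouts = [n for n, l in enumerate(lines, 1) if HEAD_REF_RE.search(l)]
    if triggers and checkouts:
        return {"trigger_lines": triggers, "checkout_lines": checkouts}
    return None


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name}")
        for n, ref in find_unpinned_uses(text):
            print(f"  line {n}: unpinned action {ref}")
        pr = find_pwn_request_pattern(text)
        if pr:
            print(f"  pull_request_target on lines {pr['trigger_lines']} "
                  f"checks out PR head on lines {pr['checkout_lines']}")
```

    Pinning to a SHA removes the moving target but not the trust decision: the pinned commit still has to be reviewed once, and the comment after the SHA is only a label, so an upgrade should re-run the check above rather than trust that the comment still matches the tag.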

    (This is a developing story. Please check back for more details.)