Trivy, a well-liked open-source vulnerability scanner maintained by Aqua Safety, was compromised a second time inside the span of a month to ship malware that stole delicate CI/CD secrets and techniques.
The newest incident impacted GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” that are used to scan Docker container photographs for vulnerabilities and arrange GitHub Actions workflow with a particular model of the scanner, respectively.
“We recognized that an attacker force-pushed 75 out of 76 model tags within the aquasecurity/trivy-action repository, the official GitHub Motion for working Trivy vulnerability scans in CI/CD pipelines,” Socket safety researcher Philipp Burckhardt stated. “These tags had been modified to serve a malicious payload, successfully turning trusted model references right into a distribution mechanism for an infostealer.”
The payload executes inside GitHub Actions runners and goals to extract priceless developer secrets and techniques from CI/CD environments, equivalent to SSH keys, credentials for cloud service suppliers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
The growth marks the second provide chain incident involving Trivy. In the direction of the tip of February and early March 2026, an autonomous bot known as hackerbot-claw exploited a “pull_request_target” workflow to steal a Private Entry Token (PAT), which was then weaponized to grab management of the GitHub repository, delete a number of launch variations, and push two malicious variations of its Visible Studio Code (VS Code) extension to Open VSX.
The primary signal of the compromise was flagged by safety researcher Paul McCarty after a brand new compromised launch (model 0.69.4) was revealed to the “aquasecurity/trivy” GitHub repository. The rogue model has since been eliminated. In keeping with Wiz, model 0.69.4 begins each the reputable Trivy service and the malicious code answerable for a collection of duties –
- Conduct information theft by scanning the system for environmental variables and credentials, encrypting the info, and exfiltrating it by way of an HTTP POST request to scan.aquasecurtiy[.]org.
- Arrange persistence through the use of a systemd service after confirming that it is working on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an exterior server to retrieve the payload and execute it.
In a press release, Itay Shakury, vice chairman of open supply at Aqua Safety, stated the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. Within the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 model tags to level to the malicious commits containing the Python infostealer payload with out creating a brand new launch or pushing to a department, as is commonplace apply. Seven “aquasecurity/setup-trivy” tags had been force-pushed in the identical method.
“So on this case, the attacker did not want to take advantage of Git itself,” Burckhardt instructed The Hacker Information. “That they had legitimate credentials with adequate privileges to push code and rewrite tags, which is what enabled the tag poisoning we noticed. What stays unclear is the precise credential used on this particular step (e.g., a maintainer PAT vs automation token), however the root trigger is now understood to be credential compromise carried over from the sooner incident.”
The safety vendor additionally acknowledged that the newest assault stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and techniques and tokens, however the course of wasn’t atomic, and attackers could have been aware of refreshed tokens,” Shakury stated. “We at the moment are taking a extra restrictive strategy and locking down all automated actions and any token in an effort to totally remove the issue.”
The stealer operates in three phases: harvesting surroundings variables from the runner course of reminiscence and the file system, encrypting the info, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).
Ought to the exfiltration try fail, the sufferer’s personal GitHub account is abused to stage the stolen information in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an surroundings variable utilized in GitHub Actions to go a GitHub PAT for authentication with the GitHub API.
It is presently not recognized who’s behind the assault, though there are indicators that the risk actor generally known as TeamPCP could also be behind it. This evaluation is predicated on the truth that the credential harvester self-identifies as “TeamPCP Cloud stealer” within the supply code. Also referred to as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is thought for performing as a cloud-native cybercrime platform designed to breach trendy cloud infrastructure to facilitate information theft and extortion.
“The credential targets on this payload are per the group’s broader cloud-native theft-and-monetization profile,” Socket stated. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is much less well-documented as a TeamPCP hallmark, although it aligns with the group’s recognized monetary motivations. The self-labeling might be a false flag, however the technical overlap with prior TeamPCP tooling makes real attribution believable.”
Customers are suggested to make sure that they’re utilizing the newest secure releases –
“When you suspect you had been working a compromised model, deal with all pipeline secrets and techniques as compromised and rotate instantly,” Shakury stated. Further mitigation steps embrace blocking the exfiltration area and the related IP tackle (45.148.10[.]212) on the community stage, and checking GitHub accounts for repositories named “tpcp-docs,” which can point out profitable exfiltration by way of the fallback mechanism.
“Pin GitHub Actions to full SHA hashes, not model tags,” Wiz researcher Rami McCarthy stated. “Model tags will be moved to level at malicious commits, as demonstrated on this assault.”
(This can be a creating story. Please verify again for extra particulars.)
