Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets.
The latest incident impacted the GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” which are used to scan Docker container images for vulnerabilities and to set up GitHub Actions workflows with a specific version of the scanner, respectively.
“We identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI/CD pipelines,” Socket security researcher Philipp Burckhardt said. “These tags were modified to serve a malicious payload, effectively turning trusted version references into a distribution mechanism for an infostealer.”
The payload executes inside GitHub Actions runners and aims to extract valuable developer secrets from CI/CD environments, such as SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
The development marks the second supply chain incident involving Trivy. Towards the end of February and early March 2026, an autonomous bot called hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then weaponized to seize control of the GitHub repository, delete several release versions, and push two malicious versions of its Visual Studio Code (VS Code) extension to Open VSX.
The first sign of the compromise was flagged by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the “aquasecurity/trivy” GitHub repository. The rogue version has since been removed. According to Wiz, version 0.69.4 starts both the legitimate Trivy service and the malicious code responsible for a series of tasks –
- Conduct data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.
- Set up persistence by using a systemd service after confirming that it is running on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an external server to retrieve the payload and execute it.
In a statement, Itay Shakury, vice president of open source at Aqua Security, said the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. In the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 version tags to point to the malicious commits containing the Python infostealer payload without creating a new release or pushing to a branch, as is standard practice. Seven “aquasecurity/setup-trivy” tags were force-pushed in the same manner.

“So in this case, the attacker didn’t need to exploit Git itself,” Burckhardt told The Hacker News. “They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed. What remains unclear is the exact credential used in this specific step (e.g., a maintainer PAT vs automation token), but the root cause is now understood to be credential compromise carried over from the earlier incident.”
The security vendor also acknowledged that the latest attack stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens,” Shakury said. “We are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem.”
The stealer operates in three stages: harvesting environment variables from the runner process memory and the file system, encrypting the data, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).

Should the exfiltration attempt fail, the victim’s own GitHub account is abused to stage the stolen data in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an environment variable used in GitHub Actions to pass a GitHub PAT for authentication with the GitHub API.
It is currently not known who is behind the attack, although there are signs that the threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester self-identifies as “TeamPCP Cloud stealer” in the source code. Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is known for acting as a cloud-native cybercrime platform designed to breach modern cloud infrastructure to facilitate data theft and extortion.
“The credential targets in this payload are consistent with the group’s broader cloud-native theft-and-monetization profile,” Socket said. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is less well-documented as a TeamPCP hallmark, though it aligns with the group’s known financial motivations. The self-labeling could be a false flag, but the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.”
Users are advised to ensure that they are using the latest safe releases –
“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury said. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for repositories named “tpcp-docs,” which may indicate successful exfiltration via the fallback mechanism.
“Pin GitHub Actions to full SHA hashes, not version tags,” Wiz researcher Rami McCarthy said. “Version tags can be moved to point at malicious commits, as demonstrated in this attack.”
(This is a developing story. Please check back for more details.)



