Trivy vulnerability scanner breach pushed infostealer by way of GitHub Actions

The Trivy vulnerability scanner was compromised in a supply-chain assault by menace actors referred to as TeamPCP, which distributed credential-stealing malware via official releases and GitHub Actions.

Trivy is a well-liked safety scanner that helps determine vulnerabilities, misconfigurations, and uncovered secrets and techniques throughout containers, Kubernetes environments, code repositories, and cloud infrastructure. As a result of builders and safety groups generally use it, it’s a high-value goal for attackers to steal delicate authentication secrets and techniques.

The breach was first disclosed by safety researcher Paul McCarty, who warned that Trivy model 0.69.4 had been backdoored, with malicious container photographs and GitHub releases revealed to customers.

Additional evaluation by Socket and later by Wiz decided that the assault affected a number of GitHub Actions, compromising almost all model tags of the trivy-action repository.

Researchers discovered that menace actors compromised Trivy’s GitHub construct course of, swapping the entrypoint.sh in GitHub Actions with a malicious model and publishing trojanized binaries within the Trivy v0.69.4 launch, each of which acted as infostealers throughout the primary scanner and associated GitHub Actions, together with trivy-action and setup-trivy.

The attackers abused a compromised credential with write entry to the repository, permitting them to publish malicious releases. These compromised credentials are from an earlier March breach, wherein credentials have been exfiltrated from Trivy’s surroundings and never absolutely contained.

The menace actor force-pushed 75 out of 76 tags within the aquasecurity/trivy-action repository, redirecting them to malicious commits.

Consequently, any exterior workflows utilizing the affected tags mechanically executed the malicious code earlier than working reliable Trivy scans, making the compromise tough to detect.

Socket experiences that the infostealer collected reconnaissance knowledge and scanned techniques for a variety of information and areas recognized to retailer credentials and authentication secrets and techniques, together with:

• Reconnaissance knowledge: hostname, whoami, uname, community configuration, and surroundings variables
• SSH: non-public and public keys and associated configuration information
• Cloud and infrastructure configs: Git, AWS, GCP, Azure, Kubernetes, and Docker credentials
• Surroundings information: .env and associated variants
• Database credentials: configuration information for PostgreSQL, MySQL/MariaDB, MongoDB, and Redis
• Credential information: together with bundle supervisor and Vault-related authentication tokens
• CI/CD configurations: Terraform, Jenkins, GitLab CI, and comparable information
• TLS non-public keys
• VPN configurations
• Webhooks: Slack and Discord tokens
• Shell historical past information
• System information: /and so forth/passwd, /and so forth/shadow, and authentication logs
• Cryptocurrency wallets

The malicious script would additionally scan reminiscence areas utilized by the GitHub Actions Runner.Employee course of for the JSON string “" ":{ "worth": "", "isSecret":true}” to seek out extra authentication secrets and techniques.

On developer machines, the trojanized Trivy binary carried out comparable knowledge assortment, gathering surroundings variables, scanning native information for credentials, and enumerating community interfaces.

Collected knowledge was encrypted and saved in an archive named tpcp.tar.gz, which was then exfiltrated to a typosquatted command-and-control server at scan.aquasecurtiy[.]org.

If exfiltration failed, the malware created a public repository named tpcp-docs inside the sufferer’s GitHub account and uploaded the stolen knowledge there.

To persist on a compromised system, the malware would additionally drop a Python payload at ~/.config/systemd/consumer/sysmon.py and register it as a systemd service. This payload would test a distant server for added payloads to drop, giving the menace actor persistent entry to the system.

The assault is believed to be linked to a menace actor referred to as TeamPCP, as one of many infostealer payloads used within the assault has a “TeamPCP Cloud stealer” remark because the final line of the Python script.

“The malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester. TeamPCP, also tracked as DeadCatx3, PCPcat, and ShellForce, is a documented cloud-native threat actor known for exploiting misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers,” explains Socket.

Aqua Safety confirmed the incident, stating {that a} menace actor used compromised credentials from the sooner incident that was not correctly contained.

“This was a follow up from the recent incident (2026-03-01) which exfiltrated credentials. Our containment of the first incident was incomplete,” defined Aqua Safety.

“We rotated secrets and tokens, but the process wasn’t atomic and attackers may have been privy to refreshed tokens.”

The malicious Trivy launch (v0.69.4) was stay for roughly three hours, with compromised GitHub Actions tags remaining lively for as much as 12 hours.

The attackers additionally tampered with the undertaking’s repository, deleting Aqua Safety’s preliminary disclosure of the sooner March incident.

Organizations that used affected variations through the incident ought to deal with their environments as absolutely compromised.

This contains rotating all secrets and techniques, similar to cloud credentials, SSH keys, API tokens, and database passwords, and analyzing techniques for added compromise.

Observe-up assault spreads CanisterWorm by way of npm

Researchers at Aikido have additionally linked the identical menace actor to a follow-up marketing campaign involving a brand new self-propagating worm named “CanisterWorm,” which targets npm packages.

The worm compromises packages, installs a persistent backdoor by way of a systemd consumer service, after which makes use of stolen npm tokens to publish malicious updates to different packages.

“Self-propagating worm. deploy.js takes npm tokens, resolves usernames, enumerates all publishable packages, bumps patch versions, and publishes the payload across the entire scope. 28 packages in under 60 seconds,” highlights Aikido.

The malware makes use of a decentralized command-and-control mechanism utilizing Web Pc (ICP) canisters, which act as a dead-drop resolver that gives URLs for added payloads. 

Utilizing ICP canisters makes the operation extra immune to takedown, as solely the canister’s controller can take away it, and any try and cease it might require a governance proposal and community vote.

The worm additionally contains performance to reap npm authentication tokens from configuration information and surroundings variables, enabling it to unfold throughout developer environments and CI/CD pipelines.

On the time of study, a few of the secondary payload infrastructure was inactive or configured with innocent content material, however the researchers say this might change at any time.