Trivy GitHub Actions Supply Chain Compromise
Severity: Critical
Executive Summary
On March 19, 2026, threat group TeamPCP exploited credentials retained from an incomplete incident response to inject a three-stage credential stealer into Aqua Security’s Trivy ecosystem. The attackers force-pushed 75 of 76 version tags in aquasecurity/trivy-action and 7 tags in aquasecurity/setup-trivy to malicious commits containing the TeamPCP Cloud Stealer. Over 10,000 GitHub workflow files reference these actions. This is the second successful compromise of the Trivy ecosystem within three weeks, following an initial AI-assisted intrusion on February 28, 2026.
The root cause was non-atomic secret rotation: after the first breach, credentials were rotated sequentially rather than atomically, allowing the attacker to capture refreshed tokens during the rotation window and return with valid authentication three weeks later.
Findings Summary
| Finding | Severity | Status |
|---|---|---|
| trivy-action Tag Poisoning — 75/76 version tags force-pushed with three-stage credential-stealing payload | Critical | REMEDIATED |
| setup-trivy Compromise — 7 version tags poisoned with TeamPCP Cloud Stealer | Critical | REMEDIATED |
| Trivy v0.69.4 Binary — Malicious release distributed via official channels | Critical | TAG REMOVED |
| CI/CD Secret Exposure — All pipelines running poisoned tags must be treated as fully compromised | Critical | ROTATE NOW |
| Incomplete Incident Response — Non-atomic secret rotation after Feb 28 breach enabled re-compromise | High | PROCESS GAP |
Data Exposure Risk
CRITICAL: Assume Full Secret Compromise. Any pipeline that executed a poisoned Trivy action tag between approximately 17:43 UTC and 23:13 UTC on March 19, 2026 should be treated as fully compromised. The TeamPCP Cloud Stealer harvested: cloud provider credentials (AWS, GCP, Azure), SSH deployment keys, Kubernetes service account tokens, API tokens, database passwords, Docker registry credentials, GitHub PATs, TLS private keys, and cryptocurrency wallet keys.
Vendor Relationship Context
Trivy is Aqua Security’s flagship open-source vulnerability scanner with over 32,000 GitHub stars and more than 100 million annual downloads. Its official GitHub Actions are used by development teams worldwide to automate container, filesystem, and IaC security scanning within CI/CD pipelines. This compromise turns that trust relationship into an attack vector: the security scanner itself became the malware delivery mechanism.
Incident Timeline
Phase 1: The hackerbot-claw Breach (February 28, 2026)
| Date/Time (UTC) | Event |
|---|---|
| Feb 20, 2026 | AI-powered attack bot hackerbot-claw account created on GitHub; begins scanning 47,000+ repos for vulnerable pull_request_target workflows |
| Feb 27, 2026 | hackerbot-claw submits PR #10252 to aquasecurity/trivy; vulnerable apidiff.yaml workflow executes payload in base repo context with full secret access |
| Feb 28, ~03:47 UTC | Stolen aqua-bot PAT used to privatise repo, delete 178 releases (v0.27.0–v0.69.1), push malicious VS Code extension |
| Mar 1, 2026 | Aqua Security discloses incident in Discussion #10265; removes vulnerable workflow; rotates secrets non-atomically |
Phase 2: The TeamPCP Tag Poisoning (March 19–20, 2026)
| Timestamp (UTC) | Event |
|---|---|
| Mar 19, 17:43 | Malicious Trivy v0.69.4 binary released via compromised aqua-bot account; documentation deployed |
| Mar 19, 17:51 | Attacker deletes v0.70.0 tag |
| Mar 19, ~18:00 | 75 of 76 trivy-action tags and 7 setup-trivy tags force-pushed to malicious commits with spoofed metadata |
| Mar 19, 18:30 | Helm chart bump PR opened for v0.69.4 (closed without merge at 21:50) |
| Mar 19, ~19:15 | Socket Security detects anomalous activity; generates 182 threat feed entries |
| Mar 19, 21:07–21:43 | Aqua Security begins incident response for setup-trivy; publishes clean v0.2.6 |
| Mar 19, 23:13 | Malicious v0.69.4 tag deleted |
| Mar 20 | Socket, StepSecurity, Wiz, and The Hacker News publish full technical disclosure |
Technical Analysis: TeamPCP Cloud Stealer
Tag Poisoning Technique
The attacker exploited a fundamental weakness in Git’s tag model: version tags are mutable references that can be force-pushed to arbitrary commits. Using the compromised aqua-bot PAT, TeamPCP replaced each version tag with a fabricated commit that extracted the master branch HEAD tree, replaced entrypoint.sh with the stealer payload, spoofed original commit metadata (author identity, timestamps, messages), set the parent to current master, and force-pushed the tag. No new branches, releases, or commit notifications were triggered.
Three-Stage Payload
The payload injected into entrypoint.sh executes silently before the legitimate Trivy scan, which completes normally to avoid detection:
Stage 1 — Collection: On GitHub-hosted runners, the payload escalates privileges via passwordless sudo to dump Runner.Worker process memory, searching for the JSON pattern used to store masked secrets internally. On self-hosted runners, a filesystem harvester sweeps 50+ paths including SSH keys, cloud credentials (AWS/GCP/Azure and IMDS/ECS endpoints), Kubernetes tokens, Docker configs, database credentials, TLS private keys, cryptocurrency wallets, and shell history files.
Stage 2 — Encryption: Collected credentials are compressed and encrypted with AES-256-CBC using a PBKDF2-derived session key, which is then wrapped with an embedded attacker RSA-4096 public key (OAEP padding). Only the attacker’s private key can decrypt the exfiltrated material. Output is bundled as tpcp.tar.gz.
Stage 3 — Exfiltration: Primary channel: HTTPS POST to the typosquatted domain scan.aquasecurtiy[.]org (note misspelling) at IP 45.148.10.212 with header X-Filename: tpcp.tar.gz. Fallback channel: if primary fails and INPUT_GITHUB_PAT is available, creates a public tpcp-docs repository on the victim’s GitHub account and uploads the encrypted bundle as a release asset.
Persistence: On self-hosted runners, the payload installs a systemd service running sysmon.py that polls external servers for additional payload execution, providing persistent backdoor access that survives the CI/CD job.
Root Cause: Non-Atomic Incident Response
The second breach required no new exploit or vulnerability. Secret rotation after the February 28 incident was not fully atomic, leaving a window for the attacker to capture refreshed credentials. Aqua Security’s VP Open Source confirmed: the rotation process allowed attackers to be privy to refreshed tokens. This is a textbook example of non-atomic secret rotation risk during active incident response.
Affected Scope and Safe Versions
| Component | Affected Versions | Status | Notes |
|---|---|---|---|
| aquasecurity/trivy-action | Tags 0.0.1–0.34.2 (75 tags) | TAGS REMOVED | Any workflow referencing by version tag on Mar 19–20 should be treated as compromised |
| aquasecurity/setup-trivy | 7 tags (all except v0.2.6) | TAGS REMOVED | Same exposure window and remediation requirement |
| Trivy binary | v0.69.4 only | TAG REMOVED | Published to GitHub Releases, Docker Hub, GHCR, Amazon ECR, Homebrew |
| Downstream CI/CD pipelines | ~10,000+ workflow files | SECRETS AT RISK | All secrets accessible to affected runs must be rotated |
| Self-hosted runners | All architectures | HIGHER RISK | Broader credential sweep + systemd persistence; re-image hosts |
| trivy-action@0.35.0 | Unaffected | SAFE | SHA: 57a97c7e — no action required |
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| C2 Domain | scan[.]aquasecurtiy[.]org | Primary exfiltration endpoint (typosquat) |
| C2 IP | 45.148.10[.]212 | TECHOFF SRV LIMITED, Amsterdam, Netherlands |
| Secondary C2 | plug-tab-protective-relay.trycloudflare.com | Cloudflare Tunnel for Aqua-specific exfiltration |
| Phase 1 C2 | recv.hackmoltrepeat[.]com | February 28 hackerbot-claw exfiltration endpoint |
Host and Artifact Indicators
| Type | Indicator | Context |
|---|---|---|
| Malware Hash (SHA-256) | 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a | Malicious payload identifier |
| Encrypted Bundle | tpcp.tar.gz | Filename of encrypted exfiltration archive |
| HTTP Header | X-Filename: tpcp.tar.gz | Custom header on exfiltration POST requests |
| GitHub Repository | Repository named tpcp-docs | Fallback exfiltration indicator in victim accounts |
| Process Indicator | /proc/<pid>/mem reads of Runner.Worker | Memory scraping for secrets |
| Persistence | systemd service executing sysmon.py | Polling-based backdoor on self-hosted runners |
| Code Signature | ## TeamPCP Cloud stealer | Self-identification string in Python payload |
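An added detection example, not code from the report or from any of the cited vendors: it refangs the indicators above, runs them over a few constructed egress-proxy lines, and additionally flags any hostname within edit distance 2 of aquasecurity.org so that other misspellings of the vendor domain surface as well. The log line format is an assumption.

```python
import re

LEGIT_DOMAIN = "aquasecurity.org"
# Indicators from the report, stored defanged and refanged only in memory
DEFANGED_IOCS = {
    "scan[.]aquasecurtiy[.]org": "C2 domain (typosquat)",
    "45.148.10[.]212": "C2 IP",
    "plug-tab-protective-relay.trycloudflare.com": "secondary C2 (Cloudflare Tunnel)",
    "recv.hackmoltrepeat[.]com": "Phase 1 C2",
    "X-Filename: tpcp.tar.gz": "exfiltration header",
    "tpcp-docs": "fallback exfiltration repository",
    "sysmon.py": "persistence service",
}
IOCS = {k.replace("[.]", "."): v for k, v in DEFANGED_IOCS.items()}
HOST_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)

# Constructed egress-proxy lines standing in for real runner logs (format assumed)
SAMPLE_LOG = [
    "2026-03-19T18:02:11Z runner-7 CONNECT scan.aquasecurtiy.org:443 -> 45.148.10.212",
    "2026-03-19T18:02:12Z runner-7 POST / hdr X-Filename: tpcp.tar.gz",
    "2026-03-19T18:03:40Z runner-7 CONNECT api.github.com:443",
    "2026-03-19T18:03:41Z runner-7 CONNECT aquasecurity.org:443",
]

def levenshtein(a, b):
    """Plain edit distance; the 'securtiy' transposition scores 2 against the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan_line(line):
    """Return (severity, reason) hits: exact IoC matches plus lookalikes of the vendor domain."""
    hits = [("high", desc) for ioc, desc in IOCS.items() if ioc in line]
    for host in HOST_RE.findall(line):
        base = ".".join(host.lower().split(".")[-2:])   # registrable part, e.g. aquasecurtiy.org
        if base != LEGIT_DOMAIN and levenshtein(base, LEGIT_DOMAIN) <= 2:
            hits.append(("medium", f"lookalike of {LEGIT_DOMAIN}: {host}"))
    return hits

def scan_log(lines):
    """Map 1-based line numbers to their hits, skipping clean lines."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}
```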
Immediate Mitigation Recommendations
Tier 1 — Immediate (Within 24–48 Hours)
- Determine exposure: Search your GitHub organisation for any workflow referencing aquasecurity/trivy-action or aquasecurity/setup-trivy by version tag (not SHA).
- Pin to safe SHA: Update all Trivy action references to aquasecurity/trivy-action@57a97c7e (v0.35.0).
- Rotate all secrets: Any secret accessible to pipelines that ran poisoned tags between 17:43 and 23:13 UTC on March 19 must be rotated — cloud credentials, SSH keys, tokens, API keys, database passwords.
- Re-image self-hosted runners: Any self-hosted runner that executed a poisoned tag must be re-imaged immediately due to systemd persistence.
- Search for IOCs: Check for repositories named tpcp-docs in your org, outbound connections to scan.aquasecurtiy[.]org, and the malware hash.
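An added example covering the first two Tier 1 steps, not code from the report or from Aqua Security: it scans a workflow file for references to the two affected actions, classifies each ref as a mutable tag, an ambiguous short SHA, or a full 40-hex pin, and checks a run's start time against the exposure window stated above. The sample workflow is constructed; its all-zero SHA is a placeholder, not the real v0.35.0 commit.

```python
import re
from datetime import datetime, timezone

# Affected actions named in the report; any other `uses:` line is ignored
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([\w./-]+)', re.M)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Exposure window from the report (approximate; widen it for your own triage)
WINDOW_START = datetime(2026, 3, 19, 17, 43, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 19, 23, 13, tzinfo=timezone.utc)

# Constructed sample workflow; the all-zero SHA is a placeholder, not the v0.35.0 commit
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@57a97c7e
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000
"""

def audit_trivy_refs(workflow_text):
    """Return (line, action, ref, status) for every affected-action reference.
    status: 'pinned' (full SHA), 'short-sha' (ambiguous prefix), 'mutable' (tag or branch)."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2)
        if "/".join(action.split("/")[:2]) not in AFFECTED:
            continue
        line = workflow_text.count("\n", 0, m.start()) + 1
        if FULL_SHA_RE.match(ref):
            status = "pinned"
        elif re.fullmatch(r'[0-9a-f]{7,39}', ref):
            status = "short-sha"   # prefixes are not unique; pin the full SHA
        else:
            status = "mutable"     # the kind of ref that was force-pushed on Mar 19
        findings.append((line, action, ref, status))
    return findings

def run_in_exposure_window(started_at):
    """True if a run that started at ISO-8601 `started_at` fell inside the poisoning window."""
    t = datetime.fromisoformat(started_at.replace("Z", "+00:00"))
    return WINDOW_START <= t <= WINDOW_END
```

Feed it each file under .github/workflows and treat every non-pinned finding whose runs fall in the window as a trigger for the secret rotation step.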
Tier 2 — Short-Term (Within 1–2 Weeks)
- SHA-pin all GitHub Actions: Replace all version tag references across your workflows with full commit SHA pins.
- Deploy StepSecurity Harden-Runner: Provides egress filtering and runtime monitoring for GitHub Actions.
- Audit GitHub Actions permissions: Ensure workflows use minimum required permissions and GITHUB_TOKEN scope.
- Enable GitHub secret scanning: Detect any leaked credentials in repositories.
Tier 3 — Medium-Term (Within 30 Days)
- Implement atomic secret rotation procedures: Revoke all existing credentials before issuing replacements during incident response.
- Deploy GitHub Actions allow-listing: Restrict which actions can run in your org to a vetted allow-list.
- Conduct tabletop exercise: Simulate a supply chain compromise of a trusted CI/CD action.
- Update vendor risk assessment: Re-evaluate Trivy/Aqua Security vendor risk tier.
Tier 4 — Strategic
- Evaluate alternatives to tag-based action references: Consider vendoring actions or using container-based actions with digest pinning.
- Contribute to GitHub Actions security improvements: Advocate for immutable tags or built-in tag signing.
- Build supply chain security into CI/CD architecture: Treat every third-party action as untrusted code.
Client-Facing Summary
“We are aware of the supply chain compromise affecting Aqua Security’s Trivy GitHub Actions discovered on March 19, 2026. Our security team has assessed our exposure, rotated all potentially affected credentials, and updated our CI/CD pipeline configurations to use verified safe versions. We have confirmed that our production systems and customer data were not accessed using any credentials that may have been exposed. We are implementing SHA pinning across all third-party GitHub Actions to prevent recurrence of this class of attack.”
References
- Socket Security: Trivy GitHub Actions Supply Chain Analysis
- StepSecurity: Trivy Action Compromise Detection
- Wiz Research: TeamPCP Cloud Stealer Technical Analysis
- The Hacker News: Trivy GitHub Actions Compromise Coverage
- Aqua Security: Discussion #10425 — Incident Disclosure
- Aqua Security: Discussion #10265 — February 28 Incident