The Second Fall of Trivy: How TeamPCP Poisoned the CI/CD Supply Chain
Just when the DevSecOps community thought the early March incident involving Aqua Security’s Trivy was contained, a second, far more devastating attack occurred. On March 19, 2026, a threat actor identifying as “TeamPCP” successfully breached the Trivy project’s release pipeline, injecting a sophisticated credential stealer into official binaries and widely used GitHub Actions.
Unlike the first incident, which primarily involved a destroyed repository and a “Pwn Request” vulnerability, this second attack was a full-blown, textbook Supply Chain Compromise. The attackers didn’t just break the tool; they weaponized it against every organization that trusted it.
Here is everything you need to know about the breach, how to hunt for compromise in your environments, and the hard lessons we must learn about CI/CD security.
What to Remember
- The Breach: Trivy and its official GitHub Actions were compromised by “TeamPCP” on March 19, 2026, highly likely using a stolen Personal Access Token (PAT).
- The Payload: The malicious release v0.69.4 contains a sophisticated credential stealer targeting CI/CD secrets, AWS/GCP/Azure keys, and Kubernetes tokens.
- The Impact: Any CI/CD pipeline pulling `trivy-action` or `setup-trivy` via mutable version tags (e.g., `@master` or `@v0.28.0`) during the breach window pulled malware directly into the build environment.
- The Remediation: Immediately delete v0.69.4 artifacts, pin all GitHub Actions to specific commit SHAs, and aggressively rotate all potentially exposed secrets.
The Anatomy of the Attack
The root cause of this second breach appears to be a failure in incident response: incomplete containment.
During the initial late-February/early-March breach, attackers stole a highly privileged GitHub Personal Access Token (PAT) belonging to the aqua-bot service account. Security researchers at BoostSecurity and Wiz highly suspect that this same token, which was evidently not revoked, was used to orchestrate the March 19 attack.
Armed with this token, TeamPCP executed a multi-stage poisoning operation:
1. The Imposter Commits & The Poisoned Release (v0.69.4)
At 17:43 UTC, the attackers pushed malicious commits to the Trivy repository, spoofing legitimate authors. They cleverly hid the malicious payload by pinning a GitHub Action (actions/checkout) to a specific, compromised SHA hash. They then triggered the release of Trivy v0.69.4.
This malicious binary was successfully published across official distribution channels, including:
- GitHub Releases: The primary distribution point for the binary.
- Docker Hub: The official container registry image.
- Amazon ECR: The AWS container registry distribution.
- GHCR: GitHub Container Registry.
- Homebrew: Mac package manager (though it was quickly rolled back to v0.69.3).
What the Malware Did: When the poisoned v0.69.4 binary ran, it operated normally but spawned a parallel, malicious process. This “TeamPCP Cloud Stealer”:
- Memory Scraping: Scraped memory from the `Runner.Worker` process looking for secrets.
- Filesystem Sweeping: Swept the filesystem (over 50 paths) for SSH keys, AWS/GCP/Azure credentials, and Kubernetes tokens.
- Data Encryption: Encrypted the loot (AES-256 + RSA-4096).
- Data Exfiltration: Exfiltrated the data to a typosquatted domain (`scan.aquasecurtiy[.]org`).
- Fallback Mechanism: If the C2 server was down, it used the victim’s own `GITHUB_TOKEN` to create a private repository named `tpcp-docs` and uploaded the stolen secrets there as a release asset.
- Persistence: If it detected it was on a developer’s local machine (not a CI runner), it installed a persistent Python backdoor (`sysmon.py`).
2. Poisoning the GitHub Actions
The attackers didn’t stop at the binary. Between 22:06 and 22:08 UTC, they used the aqua-bot token to force-push malicious code into the official GitHub Actions used to run Trivy:
- `aquasecurity/trivy-action`: 75 out of 76 tags were rewritten with the malware.
- `aquasecurity/setup-trivy`: Multiple tags were compromised before being purged.
Any CI/CD pipeline that pulled these actions using a tag (e.g., uses: aquasecurity/trivy-action@master or @v0.28.0) during the compromise window pulled the malware directly into their build environment.
How to Know if You Are Compromised (Detection)
If you use Trivy in any capacity, you must assume a potential breach until verified otherwise. Security teams should immediately execute the following audit:
1. Audit Binary & Container Usage
- Check Registries: Check your registries, artifact stores, and build logs. Did any system pull, download, or execute Trivy v0.69.4 on or after March 19, 2026?
2. Audit GitHub Actions
- Review Workflows: Review all workflow runs from March 19 to March 20, 2026.
- Check Execution Tags: Did any workflow execute `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` using a version tag rather than a specific, known-good commit SHA?
- Inspect Logs: Check the workflow logs specifically in the “Run Trivy” or “Setup environment” steps for unusual network activity.
3. Hunt for Exfiltration Artifacts (IOCs)
- GitHub Repos: Search your GitHub organization for any newly created repositories named `tpcp-docs`.
- Network Logs: Query your SIEM/Firewalls for traffic to:
  - Domain 1: `scan.aquasecurtiy.org` (Note the typo: ‘tiy’)
  - IP Address: `45.148.10.212`
  - Domain 2: `plug-tab-protective-relay.trycloudflare.com`
If you find any of these indicators, immediately rotate all secrets, cloud credentials, and SSH keys that were present in the affected CI/CD environment.
Remediation and Lessons Learned
The Trivy incident is a masterclass in how CI/CD pipelines have become the most critical attack surface in modern software development.
Immediate Remediation
- Purge Affected Artifacts: Delete all instances of Trivy v0.69.4 and any Docker images built during that window.
- Pin to SHA: Immediately update your GitHub Actions workflows. Stop using tags. Change `uses: aquasecurity/trivy-action@master` to `uses: aquasecurity/trivy-action@<full-commit-sha>`.
- Evaluate Alternatives: Until Aqua Security provides a full, transparent post-mortem and demonstrates a completely rebuilt, secure release pipeline, consider pausing the use of Trivy. Open-source alternatives like Grype (for vulnerability scanning) and Syft (for SBOM generation) by Anchore are mature and reliable options.
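The “Check Execution Tags” audit and the “Pin to SHA” step above both come down to finding `uses:` references that are not a full 40-character commit SHA. The script below is an added example, not code from the original post or from Aqua Security; the function names are this example's own, and the sample workflow and its hash are constructed placeholders.

```python
import re
import sys
from pathlib import Path

# Actions this page reports as having had their tags rewritten.
WATCHED = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify_ref(ref):
    """'sha' only for a full 40-hex commit SHA; anything else is 'mutable'."""
    return "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"

def audit_workflow(text, name="<workflow>"):
    """Return (file, line_no, action, ref, kind) per remote `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)  # commented-out steps do not match
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        action, _, ref = m.group(1).partition("@")
        findings.append((name, line_no, action, ref, classify_ref(ref)))
    return findings

def mutable_watched(findings):
    """Keep only watched actions (or their sub-paths) on a mutable ref."""
    return [f for f in findings if f[4] == "mutable"
            and any(f[2] == w or f[2].startswith(w + "/") for w in WATCHED)]

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.28.0
      - uses: aquasecurity/setup-trivy@master  # branch ref
      # - uses: aquasecurity/trivy-action@master
      - uses: ./local-action
"""

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".github/workflows")
    texts = [(str(p), p.read_text()) for p in sorted(root.glob("*.y*ml"))]
    for name, text in texts or [("SAMPLE", SAMPLE)]:
        for f in mutable_watched(audit_workflow(text, name)):
            print("%s:%d %s@%s is not pinned to a full commit SHA" % f[:4])
```

A `sha` result only means the reference is immutable. As the pinned `actions/checkout` commit in this incident shows, the SHA still has to be one you have reviewed.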
The Hard Lessons of Supply Chain Security
- A Leaked PAT is a Ticking Time Bomb: The blast radius of a single GitHub Personal Access Token is terrifying. If a PAT is suspected of being compromised, immediate, global revocation is non-negotiable. Waiting allows attackers to embed themselves deeply into the release automation.
- Tags are Mutable; SHAs are Forever: Git tags can be deleted and recreated to point to malicious commits. Pinning dependencies (both Actions and base images) to a cryptographic hash (SHA) is the only way to ensure you are executing the exact code you audited.
- Least Privilege in CI/CD: CI/CD runners often have broad access to cloud environments. Workflows must be locked down using `permissions:` blocks to ensure they only have read access unless explicitly required. Never expose long-lived secrets when an ephemeral, scoped token (like `GITHUB_TOKEN` or OIDC) will suffice.
- Incident Response Requires Transparency: The deletion of initial incident discussion threads (#10265) and the subsequent bot-flooding hindered community coordination. Open source security relies on transparent, rapid communication during a crisis.
The second compromise of Trivy proves that attackers understand our delivery pipelines better than we do. We must stop treating CI/CD as just a “build tool” and start defending it as the most critical infrastructure we own.
Frequently Asked Questions (FAQ)
What happened to Trivy on March 19, 2026?
The Trivy project's release pipeline was breached by a threat actor known as "TeamPCP," who injected a sophisticated credential stealer into official binaries and widely used GitHub Actions.
Which versions of Trivy are affected?
Trivy v0.69.4 is confirmed to contain the malicious payload. Additionally, 75 out of 76 tags for `aquasecurity/trivy-action` and multiple tags for `aquasecurity/setup-trivy` were rewritten with malware.
What data does the TeamPCP malware steal?
The malware scrapes memory and sweeps the filesystem for SSH keys, cloud credentials (AWS/GCP/Azure), and Kubernetes tokens, exfiltrating the encrypted data to a remote server or a private GitHub repository.
How did the attackers breach the Trivy repository?
Security researchers highly suspect the attackers used a highly privileged GitHub Personal Access Token (PAT) belonging to the `aqua-bot` service account, which was likely stolen in a previous breach and not revoked.
What is the immediate remediation for this supply chain attack?
Organizations must immediately delete Trivy v0.69.4 artifacts, pin all GitHub Actions to specific known-good commit SHAs instead of mutable tags, and rotate any secrets exposed in the affected CI/CD environments.