
Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to ship malware that stole sensitive CI/CD secrets.

The latest incident impacted the GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” which are used to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner, respectively.

“We recognized that an attacker force-pushed 75 out of 76 version tags within the aquasecurity/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI/CD pipelines,” Socket security researcher Philipp Burckhardt said. “These tags have been modified to serve a malicious payload, successfully turning trusted version references into a distribution mechanism for an infostealer.”

The payload executes inside GitHub Actions runners and aims to extract valuable developer secrets from CI/CD environments, such as SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.

The development marks the second supply chain incident involving Trivy. Toward the end of February and early March 2026, an autonomous bot called hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then weaponized to seize control of the GitHub repository, delete several release versions, and push two malicious versions of its Visual Studio Code (VS Code) extension to Open VSX.


The first sign of the compromise was flagged by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the “aquasecurity/trivy” GitHub repository. The rogue version has since been removed. According to Wiz, version 0.69.4 starts both the legitimate Trivy service and the malicious code responsible for a series of tasks –

  • Conduct data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.
  • Set up persistence by using a systemd service after confirming that it is running on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an external server to retrieve the payload and execute it.

In a statement, Itay Shakury, vice president of open source at Aqua Security, said the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. In the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 version tags to point to the malicious commits containing the Python infostealer payload without creating a new release or pushing to a branch, as is standard practice. Seven “aquasecurity/setup-trivy” tags were force-pushed in the same manner.

“So in this case, the attacker did not need to exploit Git itself,” Burckhardt told The Hacker News. “They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed. What remains unclear is the exact credential used in this specific step (e.g., a maintainer PAT vs automation token), but the root cause is now understood to be credential compromise carried over from the earlier incident.”


The security vendor also acknowledged that the latest attack stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens,” Shakury said. “We are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem.”

The stealer operates in three stages: harvesting environment variables from the runner process memory and the file system, encrypting the data, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).

Should the exfiltration attempt fail, the victim’s own GitHub account is abused to stage the stolen data in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an environment variable used in GitHub Actions to pass a GitHub PAT for authentication with the GitHub API.

It is currently not known who is behind the attack, although there are signs that the threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester self-identifies as “TeamPCP Cloud stealer” in the source code. Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is known for acting as a cloud-native cybercrime platform designed to breach modern cloud infrastructure to facilitate data theft and extortion.


“The credential targets in this payload are consistent with the group’s broader cloud-native theft-and-monetization profile,” Socket said. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is less well-documented as a TeamPCP hallmark, though it aligns with the group’s known financial motivations. The self-labeling could be a false flag, but the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.”

Users are advised to ensure that they are using the latest safe releases –

“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury said. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for repositories named “tpcp-docs,” which may indicate successful exfiltration via the fallback mechanism.

“Pin GitHub Actions to full SHA hashes, not version tags,” Wiz researcher Rami McCarthy said. “Version tags can be moved to point at malicious commits, as demonstrated in this attack.”

(This is a developing story. Please check back for more details.)
