Trivy, a well-liked open-source vulnerability scanner maintained by Aqua Safety, was compromised a second time inside the span of a month to ship malware that stole delicate CI/CD secrets and techniques.
The newest incident impacted GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” that are used to scan Docker container pictures for vulnerabilities and arrange GitHub Actions workflow with a particular model of the scanner, respectively.
“We recognized that an attacker force-pushed 75 out of 76 model tags within the aquasecurity/trivy-action repository, the official GitHub Motion for operating Trivy vulnerability scans in CI/CD pipelines,” Socket safety researcher Philipp Burckhardt mentioned. “These tags have been modified to serve a malicious payload, successfully turning trusted model references right into a distribution mechanism for an infostealer.”
The payload executes inside GitHub Actions runners and goals to extract useful developer secrets and techniques from CI/CD environments, akin to SSH keys, credentials for cloud service suppliers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
The event marks the second provide chain incident involving Trivy. In direction of the tip of February and early March 2026, an autonomous bot referred to as hackerbot-claw exploited a “pull_request_target” workflow to steal a Private Entry Token (PAT), which was then weaponized to grab management of the GitHub repository, delete a number of launch variations, and push two malicious variations of its Visible Studio Code (VS Code) extension to Open VSX.
The primary signal of the compromise was flagged by safety researcher Paul McCarty after a brand new compromised launch (model 0.69.4) was printed to the “aquasecurity/trivy” GitHub repository. The rogue model has since been eliminated. Based on Wiz, model 0.69.4 begins each the respectable Trivy service and the malicious code accountable for a sequence of duties –
- Conduct knowledge theft by scanning the system for environmental variables and credentials, encrypting the information, and exfiltrating it through an HTTP POST request to scan.aquasecurtiy[.]org.
- Arrange persistence through the use of a systemd service after confirming that it is operating on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an exterior server to retrieve the payload and execute it.
In an announcement, Itay Shakury, vice chairman of open supply at Aqua Safety, mentioned the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. Within the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 model tags to level to the malicious commits containing the Python infostealer payload with out creating a brand new launch or pushing to a department, as is normal observe. Seven “aquasecurity/setup-trivy” tags have been force-pushed in the identical method.
“So on this case, the attacker did not want to use Git itself,” Burckhardt instructed The Hacker Information. “They’d legitimate credentials with ample privileges to push code and rewrite tags, which is what enabled the tag poisoning we noticed. What stays unclear is the precise credential used on this particular step (e.g., a maintainer PAT vs automation token), however the root trigger is now understood to be credential compromise carried over from the sooner incident.”
The safety vendor additionally acknowledged that the newest assault stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and techniques and tokens, however the course of wasn’t atomic, and attackers could have been aware of refreshed tokens,” Shakury mentioned. “We are actually taking a extra restrictive strategy and locking down all automated actions and any token to be able to totally remove the issue.”
The stealer operates in three levels: harvesting setting variables from the runner course of reminiscence and the file system, encrypting the information, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).
Ought to the exfiltration try fail, the sufferer’s personal GitHub account is abused to stage the stolen knowledge in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an setting variable utilized in GitHub Actions to move a GitHub PAT for authentication with the GitHub API.
It is at present not recognized who’s behind the assault, though there are indicators that the risk actor generally known as TeamPCP could also be behind it. This evaluation is predicated on the truth that the credential harvester self-identifies as “TeamPCP Cloud stealer” within the supply code. Also called DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is understood for performing as a cloud-native cybercrime platform designed to breach fashionable cloud infrastructure to facilitate knowledge theft and extortion.
“The credential targets on this payload are according to the group’s broader cloud-native theft-and-monetization profile,” Socket mentioned. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is much less well-documented as a TeamPCP hallmark, although it aligns with the group’s recognized monetary motivations. The self-labeling may very well be a false flag, however the technical overlap with prior TeamPCP tooling makes real attribution believable.”
Customers are suggested to make sure that they’re utilizing the newest secure releases –
“For those who suspect you have been operating a compromised model, deal with all pipeline secrets and techniques as compromised and rotate instantly,” Shakury mentioned. Extra mitigation steps embrace blocking the exfiltration area and the related IP handle (45.148.10[.]212) on the community degree, and checking GitHub accounts for repositories named “tpcp-docs,” which can point out profitable exfiltration through the fallback mechanism.
“Pin GitHub Actions to full SHA hashes, not model tags,” Wiz researcher Rami McCarthy mentioned. “Model tags could be moved to level at malicious commits, as demonstrated on this assault.”
(This can be a creating story. Please examine again for extra particulars.)
