Trivy, a popular open source vulnerability scanner managed by Aqua Security, has been compromised for the second time in less than a month to distribute malware that steals sensitive CI/CD secrets.
The latest incident affected GitHub Actions ‘aquasecurity/trivy-action’ and ‘aquasecurity/setup-trivy’. These are used to scan Docker container images for vulnerabilities and configure GitHub Actions workflows with specific versions of the scanner, respectively.
“We observed that the attacker force-pushed 75 of the 76 version tags in the aquasecurity/trivy-action repository, which is the official GitHub action for running Trivy vulnerability scans in CI/CD pipelines,” said socket security researcher Philipp Burckhardt. “These tags have been modified to deliver malicious payloads, effectively turning trusted version references into a distribution mechanism for information thieves.”
The payload runs within the GitHub Actions runner and is intended to extract valuable developer secrets from the CI/CD environment, such as SSH keys, cloud service provider credentials, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
This is the second incident in the supply chain involving Tribee. In late February and early March 2026, an autonomous bot called hackerbot-claw exploited the “pull_request_target” workflow to steal personal access tokens (PATs), which were weaponized to seize control of GitHub repositories, delete several release versions, and push two malicious versions of Visual Studio Code (VS Code) extensions to Open VSX.
The first indication of a breach was reported by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the “aquasecurity/trivy” GitHub repository. The unauthorized version has since been removed. According to Wiz, version 0.69.4 starts both the legitimate Trivy service and malicious code that performs a series of tasks.
It performs data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating the data via HTTP POST requests to scan.aquasecurtiy.[.]organization. After making sure it’s running on the developer’s machine, set up persistence using the systemd service. The systemd service is configured to run a Python script (‘sysmon.py’) that polls an external server to retrieve the payload and execute it.
Itay Shakury, vice president of open source at Aqua Security, said in a statement that the attackers exploited the leaked credentials to publish malicious Tribby, Tribby Action, and Setup Tribby releases. In the case of “aquasecurity/trivy-action”, the attacker force-pushed a 75 version tag pointing to a malicious commit containing a Python infostealer payload, without creating a new release or pushing to a branch, as is standard practice. Seven “aquasecurity/setup-trivy” tags were force pushed in the same way.
“So in this case, the attacker didn’t need to exploit Git itself,” Burckhardt told The Hacker News. “They had valid credentials with sufficient privileges to push the code and rewrite the tags, which is what enabled the tag poisoning we observed. What is unknown is the exact credentials used in this particular step (e.g., maintainer PAT and automation tokens), but the root cause is currently understood to be compromised credentials carried over from a previous incident.”
The security vendor also acknowledged that the latest attack was due to incomplete containment of the hackerbot claw incident. “We rotated the secrets and tokens, but the process was not atomic, so the attacker could have obtained updated tokens,” Shakri said. “We are now taking a more restrictive approach, locking down all automated actions and all tokens to completely eliminate the issue.”
The stealer operates in three stages. It collects environment variables from the runner’s process memory and file system, encrypts the data, and leaks the data to an attacker-controlled server (‘scan.aquasecurtiy’).[.]organization”).
If the exfiltration attempt fails, the victim’s own GitHub account is exploited and the stolen data is staged in a public repository named ‘tpcp-docs’ using the captured INPUT_GITHUB_PAT. INPUT_GITHUB_PAT is an environment variable used by GitHub Actions to pass the GitHub PAT for authentication with the GitHub API.
It is currently unclear who is behind the attack, but there are indications that a threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester self-identifies in its source code as a “TeamPCP Cloud stealer.” The group, also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, is known for operating as a cloud-native cybercrime platform designed to infiltrate modern cloud infrastructure to facilitate data theft and extortion.
“The credential targeting in this payload is consistent with the group’s broader cloud-native theft and monetization profile,” Socket said. “The focus on Solana validator key pairs and cryptocurrency wallets is a less well-documented characteristic of TeamPCP, but is consistent with the group’s known financial motives. While the self-labeling may be a false flag, the technical overlap with previous TeamPCP tools makes genuine attribution plausible.”
Users are advised to ensure they are using the latest secure release.
“If you suspect you are running a compromised version, treat all pipeline secrets as compromised and rotate them immediately,” Shakri said. Additional mitigation steps include blocking the exposed domain and associated IP address (45.148.10).[.]212) at the network level and check the GitHub account for a repository named “tpcp-docs”. This may indicate that the extraction was successful via a fallback mechanism.
Wiz researcher Rami McCarthy says, “Pin GitHub Actions to full SHA hashes instead of version tags.” “As demonstrated in this attack, version tags can be moved to point to malicious commits.”
(This is a developing story. Check back for more details.)
Source link
