critical

Trivy Supply Chain Attack Compromises 75 GitHub Actions Tags

A second supply chain attack on Trivy compromised 75 GitHub Actions tags and spawned a credential-stealing worm across 47 npm packages. Check your CI pipeline.

By Danny Mercer, CISSP — Lead Security Analyst, Mar 23, 2026

Executive Summary

The open-source vulnerability scanner Trivy suffered a second supply chain attack in one month. Attackers compromised 75 of 76 GitHub Actions version tags for trivy-action and setup-trivy, deploying credential-harvesting payloads to thousands of CI/CD pipelines. Stolen credentials were then used to poison 47 npm packages with a self-propagating worm. The TeamPCP threat group is suspected.

Technical Analysis

The attack unfolded in stages. In late February, an AI-powered bot exploited a misconfigured GitHub Actions workflow using the pull_request_target trigger to steal a Personal Access Token. When Aqua Security rotated credentials, attackers captured the new tokens before the rotation completed.

Using git force-push, attackers quietly modified 75 existing version tags to point to malicious commits. Anyone with workflows pinned to version tags like v0.34.0 unknowingly ran attacker-controlled code.

The payload harvested environment variables from GitHub Actions runners, targeting SSH keys, cloud credentials, database connection strings, Docker configurations, Kubernetes tokens, and cryptocurrency wallet keys. Data was exfiltrated to a typosquatted domain resembling aquasecurity.com.

A fallback mechanism used captured GitHub PATs to create public repositories named "tpcp-docs" for staging stolen credentials when network exfiltration failed.

Researchers at Socket, Wiz, and StepSecurity attribute the attack to TeamPCP (aliases: DeadCatx3, PCPcat, CipherForce), a cloud-native cybercrime group specializing in modern infrastructure breaches.

The attack cascaded further when stolen credentials were used to push malicious versions of 47 npm packages containing CanisterWorm, a self-propagating component that hijacks publishing credentials for other packages.

Indicators of Compromise

Check for GitHub repositories named "tpcp-docs" in your organization. Block the typosquatted exfiltration domain. Monitor for unexpected npm package version updates from your organization's accounts.

Remediation Steps

Verify you're running safe versions: Trivy 0.69.3, trivy-action 0.35.0, setup-trivy 0.2.6. If you ran compromised versions, rotate ALL secrets accessible to your CI/CD pipeline immediately: cloud credentials, database passwords, SSH keys, API tokens.

Pin GitHub Actions to full SHA commit hashes, not version tags. Tags can be moved to point at malicious commits; SHAs cannot.
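One way to audit workflows for the movable-tag risk described above, as an added example that is not code from this article or from Aqua Security: it flags every "uses:" reference that is not a full 40-character commit SHA. The sample workflow, its placeholder SHA, and the .github/workflows location are assumptions.

```python
import pathlib
import re
import sys

# A step reference looks like:  uses: owner/repo[/path]@ref
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # abbreviated SHAs are not accepted as pins

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: aquasecurity/trivy-action@v0.34.0
      - name: install trivy
        uses: aquasecurity/setup-trivy@main
      - uses: ./.github/actions/report
"""

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for each `uses:` whose ref is a tag or branch."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a step reference, a comment, or a local ./ action (no @ref)
        action, ref = m.groups()
        if action.startswith("docker://"):
            continue  # container image references are out of scope here
        if not FULL_SHA_RE.match(ref):
            findings.append((no, action, ref))
    return findings

if __name__ == "__main__":
    root = pathlib.Path(".github/workflows")  # assumed workflow location
    bad = 0
    for path in sorted(root.glob("*.y*ml")):
        for no, action, ref in find_unpinned(path.read_text(encoding="utf-8")):
            print(f"{path}:{no}: {action}@{ref} is a movable ref, pin to a full commit SHA")
            bad += 1
    sys.exit(1 if bad else 0)
```

A pinned SHA is only as trustworthy as the commit it names, so pin to a commit you have verified against the safe releases listed above.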

References

Aqua Security Advisory: https://github.com/aquasecurity/trivy/security/advisories
