critical

Trivy Under Siege — How a Trusted Security Scanner Became the ...

A second supply chain attack on Trivy in one month has compromised 75 GitHub Actions version tags and spawned a credential-stealing worm across 47 npm packag...

By Danny Mercer, CISSP — Lead Security Analyst
Mar 23, 2026

Executive Summary

The open-source vulnerability scanner Trivy suffered a second supply chain attack in one month. Attackers compromised 75 of 76 GitHub Actions version tags for trivy-action and setup-trivy, deploying credential-harvesting payloads to thousands of CI/CD pipelines. Stolen credentials were then used to poison 47 npm packages with a self-propagating worm. The TeamPCP threat group is suspected.

Technical Analysis

The attack unfolded in stages. In late February, an AI-powered bot exploited a misconfigured GitHub Actions workflow using the pull_request_target trigger to steal a Personal Access Token. When Aqua Security rotated credentials, attackers captured the new tokens before the rotation completed.

Using git force-push, attackers quietly modified 75 existing version tags to point to malicious commits. Anyone with workflows pinned to version tags like v0.34.0 unknowingly ran attacker-controlled code.

The payload harvested environment variables from GitHub Actions runners, targeting SSH keys, cloud credentials, database connection strings, Docker configurations, Kubernetes tokens, and cryptocurrency wallet keys. Data was exfiltrated to a typosquatted domain resembling aquasecurity.com.

A fallback mechanism used captured GitHub PATs to create public repositories named "tpcp-docs" for staging stolen credentials when network exfiltration failed.

Researchers at Socket, Wiz, and StepSecurity attribute the attack to TeamPCP (aliases: DeadCatx3, PCPcat, CipherForce), a cloud-native cybercrime group specializing in modern infrastructure breaches.

The attack cascaded further when stolen credentials were used to push malicious versions of 47 npm packages containing CanisterWorm, a self-propagating component that hijacks publishing credentials for other packages.

Indicators of Compromise

Check for GitHub repositories named "tpcp-docs" in your organization. Block the typosquatted exfiltration domain. Monitor for unexpected npm package version updates from your organization's accounts.

Remediation Steps

Verify you're running safe versions: Trivy 0.69.3, trivy-action 0.35.0, setup-trivy 0.2.6. If you ran compromised versions, rotate ALL secrets accessible to your CI/CD pipeline immediately: cloud credentials, database passwords, SSH keys, API tokens.

Pin GitHub Actions to full SHA commit hashes, not version tags. Tags can be moved to point at malicious commits; SHAs cannot.

References

Aqua Security Advisory: https://github.com/aquasecurity/trivy/security/advisories
