The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions. [...]
# Incident Report: TeamPCP Supply-Chain Attack on Trivy
## Executive Summary
The popular vulnerability scanner Trivy and its associated GitHub Actions were compromised in a sophisticated supply-chain attack by the threat actor TeamPCP. The attackers hijacked the build process to distribute credential-stealing malware and a self-propagating worm (CanisterWorm) through official releases and GitHub tags. This incident resulted in the exfiltration of sensitive cloud credentials, SSH keys, and secrets from developer environments and CI/CD pipelines globally.
## Incident Details
- **Discovery Date:** Approximately March 21, 2026
- **Incident Date:** March 2026 (Ongoing campaign)
- **Affected Organization:** Aqua Security (Trivy Project)
- **Sector:** Technology / Cybersecurity Tools
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2026
- **Vector:** Compromised credentials with repository write access.
- **Details:** Attackers utilized credentials exfiltrated during a previous, incompletely contained breach of the Trivy environment.
### Lateral Movement
- **Process:** Attackers force-pushed 75 out of 76 tags in the `aquasecurity/trivy-action` repository and tampered with the official Trivy v0.69.4 release.
- **Worm Propagation:** A follow-up campaign launched "CanisterWorm" via npm, using stolen npm tokens to automatically patch and publish malicious updates to 28 packages in under 60 seconds.
### Data Exfiltration/Impact
- **Details:** The malware packaged AWS/GCP/Azure configs, SSH keys, Kubernetes secrets, and environment variables into an archive named `tpcp.tar.gz`. The data was sent to a typosquatted C2 or uploaded to a public GitHub repo (`tpcp-docs`) created on the victim's account.
### Detection & Response
- **Detection:** Disclosed by security researchers (Socket, Wiz, Aikido) who identified backdoored container images and malicious GitHub Actions commits.
- **Response:** Aqua Security confirmed the breach and identified that the threat actor also deleted previous incident disclosure discussions to hide their tracks.
## Attack Methodology
- **Initial Access:** Valid accounts (compromised CI/CD credentials).
- **Persistence:** Systemd user service (`sysmon.py`) and decentralized C2 via Internet Computer (ICP) canisters.
- **Privilege Escalation:** Not explicitly detailed, but leveraged high-level repository permissions.
- **Defense Evasion:** Typosquatted C2 domains (scan.aquasecurtiy[.]org); force-pushing tags to overwrite legitimate history.
- **Credential Access:** Scanning memory of GitHub Runner processes for secret values; parsing `.env`, SSH, and cloud config files.
- **Discovery:** System reconnaissance (hostname, network config, environment variables).
- **Lateral Movement:** Automated spreading via npm token hijacking and package updates.
- **Collection:** Archiving secrets into encrypted tarballs.
- **Exfiltration:** HTTPS to C2 or direct upload to attacker-created GitHub repositories.
- **Impact:** Complete compromise of CI/CD secrets and developer machines.
## Impact Assessment
- **Financial:** High (Potential for secondary theft via stolen cloud/crypto credentials).
- **Data Breach:** Massive theft of authentication secrets, private keys, and infrastructure configurations.
- **Operational:** Disruption of secure software development lifecycles; necessity for global secret rotation.
- **Reputational:** Significant impact on Aqua Security and trust in the Trivy toolset.
## Indicators of Compromise
- **Network:** scan.aquasecurtiy[.]org (defanged), Internet Computer (ICP) canister URLs.
- **File:** `tpcp.tar.gz`, `~/.config/systemd/user/sysmon.py`, `entrypoint.sh` (malicious variant).
- **Behavioral:** Unexpected `tpcp-docs` repository creation; unauthorized `git push --force` on repository tags; unusual systemd service registration.
## Response Actions
- **Containment:** Revocation of compromised maintainer credentials.
- **Eradication:** Removal of malicious tags and releases from GitHub and npm.
- **Recovery:** Advising users to treat environments as fully compromised and initiate secret rotation.
## Lessons Learned
- **Credential Hygiene:** Failure to fully rotate/contain secrets from an earlier breach led to the primary compromise.
- **Tag Integrity:** GitHub tags are mutable; relying on versions/tags rather than commit SHA hashes in CI/CD workflows poses a significant risk.
- **Monitoring:** Repository maintainers must monitor for "force-push" events on critical release tags.
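
One way to implement the tag monitoring described above is to diff two snapshots of `git ls-remote --tags` output and alert when an existing tag name resolves to a different commit. This is an added example, not code from the report or from the Trivy project; the tag names and hashes are constructed placeholders.

```python
"""Flag tags whose commit changed between two `git ls-remote --tags` snapshots."""


def parse_ls_remote(text):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry of annotated tags."""
    tags = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, ref = parts
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled entry: the commit the tag resolves to
        else:
            tags.setdefault(name, sha)   # lightweight tag, or the annotated tag object
    return tags


def diff_tags(baseline, current):
    """Return (moved, deleted, added); a moved tag is the force-push signal."""
    moved = {t: (baseline[t], current[t])
             for t in baseline if t in current and baseline[t] != current[t]}
    deleted = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    return moved, deleted, added


# Constructed snapshots: tag names and hashes are placeholders, not real release data.
A, B, C = "a" * 40, "b" * 40, "c" * 40
BASELINE = f"{A}\trefs/tags/v1.0.0\n{B}\trefs/tags/v1.1.0\n"
CURRENT = (
    f"{C}\trefs/tags/v1.0.0\n"           # same tag name, different commit
    f"{B}\trefs/tags/v1.1.0\n"
    f"{'d' * 40}\trefs/tags/v1.2.0\n"    # annotated tag object
    f"{C}\trefs/tags/v1.2.0^{{}}\n"      # peeled line: the commit it points to
)


def demo():
    return diff_tags(parse_ls_remote(BASELINE), parse_ls_remote(CURRENT))


if __name__ == "__main__":
    moved, deleted, added = demo()
    for tag, (old, new) in moved.items():
        print(f"ALERT tag {tag} moved {old[:12]} -> {new[:12]}")
    print("deleted:", deleted, "added:", added)
```

For a live check, store the output of `git ls-remote --tags <repository URL>` on a schedule and compare each new snapshot with the previous one.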
## Recommendations
- **Rotate All Secrets:** All users of Trivy v0.69.4 or affected GitHub Actions must rotate Cloud, SSH, and API keys.
- **Pin to Hash:** Update GitHub Actions to reference specific commit SHAs rather than tags (e.g., `uses: aquasecurity/trivy-action@<commit_sha>`).
- **Audit npm:** Check for unauthorized package publications within the organization's npm scope.
- **Enhanced Monitoring:** Implement alerting for unauthorized changes to CI/CD pipelines and official release assets.
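
The "Pin to Hash" recommendation can be enforced with a check that lists every `uses:` reference in a workflow that is not pinned to a full commit SHA (or, for `docker://` references, an image digest). This is an added example, not tooling from the report; the workflow below is constructed and the pinned action name and hash in it are placeholders.

```python
"""List GitHub Actions `uses:` references that are not pinned to an immutable ref."""
import re

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")             # full commit SHA
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")   # container image digest


def classify(ref):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"                           # action stored in the same repository
    _, _, version = ref.partition("@")
    if ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.fullmatch(version) else "mutable"
    return "pinned" if SHA_RE.fullmatch(version) else "mutable"


def audit_workflow(text):
    """Return (line number, reference) for every tag- or branch-based reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed workflow for illustration; the SHA is a placeholder value.
WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local
      - name: image
        uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for lineno, ref in audit_workflow(WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA or digest")
```

Run it over every file under `.github/workflows/` and fail the build when the findings list is not empty.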