Trivy GitHub Actions Compromised, 75 Tags Hijacked to Steal CI/CD Secrets

A major supply chain security incident has affected the widely used open-source vulnerability scanner Trivy, maintained by Aqua Security. Attackers compromised its GitHub Actions ecosystem and manipulated version tags to distribute malware designed to steal sensitive CI/CD secrets.

The attack targeted repositories including aquasecurity/trivy-action and aquasecurity/setup-trivy, which are commonly used in CI/CD pipelines to scan container images and configure Trivy workflows.

How the Attack Was Executed

Security researchers revealed that attackers force-pushed 75 out of 76 version tags in the affected repository. These tags were modified to point to malicious commits, effectively turning trusted releases into a malware distribution channel.

By exploiting this technique, attackers ensured that users pulling specific versions unknowingly executed compromised code within GitHub Actions runners.

The injected payload acted as an infostealer, designed to extract highly sensitive data from development environments.
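Because the hijack worked by repointing version tags, a workflow that references an action by full commit SHA keeps resolving to the same commit when a tag is moved. The following added example (not from the article or from Aqua Security) audits workflow text for action references that are not pinned to a 40-character SHA and marks the two repositories named above; the sample workflow, its SHA and its tag are constructed.

```python
import re

# Repositories named in the article as affected by the tag hijack.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches a step such as "- uses: owner/repo/subpath@ref  # comment".
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]+)?@([^\s'"#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return findings for every action reference not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out steps
        m = USES_RE.match(line)
        if not m:
            continue  # local (./path) and docker:// references do not match
        repo, ref = m.group(1).lower(), m.group(2)
        if FULL_SHA_RE.match(ref.lower()):
            continue  # a full SHA names one commit; moving a tag cannot change it
        findings.append({
            "line": lineno, "action": repo, "ref": ref,
            "affected": repo in AFFECTED,
        })
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: aquasecurity/setup-trivy@v0.0.0-example
      - name: Scan image
        uses: aquasecurity/trivy-action@main
      - uses: ./.github/actions/local-step
      # - uses: aquasecurity/trivy-action@v0
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        flag = "AFFECTED REPO" if f["affected"] else "mutable ref"
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{flag}]")
```

To audit a real repository, pass the contents of each file under .github/workflows/ to audit_workflow.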

What Data Was Targeted

The malware focused on stealing critical CI/CD secrets, including:

  • SSH keys
  • Cloud service credentials
  • Database access tokens
  • Git and Docker configurations
  • Kubernetes credentials
  • Cryptocurrency wallet data

These secrets provide attackers with deep access to development pipelines and cloud infrastructure.


Execution and Persistence Mechanism

Once executed in a CI/CD runner, the malicious payload followed a structured approach:

  1. Scanned system environment variables and memory for credentials
  2. Encrypted collected data
  3. Sent the data to an external attacker-controlled server

In addition, it attempted to establish persistence using a system service. A Python-based script continuously contacted an external server to fetch and execute additional payloads.

The exfiltration domain used in the attack was scan.aquasecurtiy[.]org.

Previous Related Compromise

This incident follows a prior supply chain attack involving Trivy earlier in 2026. In that case, attackers exploited a GitHub workflow vulnerability to steal a Personal Access Token (PAT), which was then used to gain control of repositories and inject malicious releases.

This shows a pattern of repeated targeting of CI/CD infrastructure, highlighting the growing risks in software supply chains.

Role of Compromised Credentials

Investigations indicate that the attackers did not need to exploit GitHub itself. Instead, they used valid credentials with sufficient privileges to modify repository tags and inject malicious code.

This confirms that credential compromise was the root cause, likely carried over from the earlier breach.

Fallback Data Exfiltration Technique

If direct data exfiltration failed, the malware used an alternative method by creating a public GitHub repository named tpcp-docs. It then uploaded stolen data using captured authentication tokens, ensuring data leakage even in restricted environments.


Threat Actor Attribution

While the attackers remain unidentified, researchers have linked the activity to a group referred to as TeamPCP. This group is known for cloud-focused attacks aimed at stealing sensitive data and monetizing compromised systems.

Indicators such as self-identification within the malware code and targeting of cryptocurrency assets suggest possible involvement, although attribution is not confirmed.

Update

The supply chain attack on Trivy appears to have had a cascading impact, with threat actors leveraging the stolen data to compromise several npm packages and push malicious versions containing a self-propagating worm. More details about the activity can be found here.



