Trivy vulnerability scanner breach pushed infostealer via GitHub Actions

Recorded: March 21, 2026, 8 p.m.

Original

News

Featured
Latest

Trivy vulnerability scanner breach pushed infostealer via GitHub Actions

Microsoft Azure Monitor alerts abused for callback phishing attacks

Musician admits to $10M streaming royalty fraud using AI bots

FBI links Signal phishing attacks to Russian intelligence services

Varonis Atlas: Securing AI and the Data That Powers It

Microsoft Exchange Online service change causes email access issues

Block ads and trackers on 9 devices for only $16 in this deal

FBI warns of Handala hackers using Telegram in malware attacks

Tutorials

Latest
Popular

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Webinars
Downloads

Latest
Most Downloaded

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

Deals

Categories

eLearning

IT Certification Courses

Gear + Gadgets

Security

VPNs

Popular

Best VPNs

How to change IP address

Access the dark web safely

Best VPN for YouTube

Forums
More

Virus Removal Guides
Startup Database
Uninstall Database
Glossary
Send us a Tip!
Welcome Guide

HomeNewsSecurityTrivy vulnerability scanner breach pushed infostealer via GitHub Actions

Trivy vulnerability scanner breach pushed infostealer via GitHub Actions

By Lawrence Abrams

March 21, 2026
01:30 PM
0

The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions.
Trivy is a popular security scanner that helps identify vulnerabilities, misconfigurations, and exposed secrets across containers, Kubernetes environments, code repositories, and cloud infrastructure. Because developers and security teams commonly use it, it is a high-value target for attackers to steal sensitive authentication secrets.
The breach was first disclosed by security researcher Paul McCarty, who warned that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.
Further analysis by Socket and later by Wiz determined that the attack affected multiple GitHub Actions, compromising nearly all version tags of the trivy-action repository.
Researchers found that threat actors compromised Trivy's GitHub build process, swapping the entrypoint.sh in GitHub Actions with a malicious version and publishing trojanized binaries in the Trivy v0.69.4 release, both of which acted as infostealers across the main scanner and related GitHub Actions, including trivy-action and setup-trivy.
The attackers abused a compromised credential with write access to the repository, allowing them to publish malicious releases. These compromised credentials are from an earlier March breach, in which credentials were exfiltrated from Trivy's environment and not fully contained.
The threat actor force-pushed 75 out of 76 tags in the aquasecurity/trivy-action repository, redirecting them to malicious commits.
As a result, any external workflows using the affected tags automatically executed the malicious code before running legitimate Trivy scans, making the compromise difficult to detect.
Socket reports that the infostealer collected reconnaissance data and scanned systems for a wide range of files and locations known to store credentials and authentication secrets, including:
Reconnaissance data: hostname, whoami, uname, network configuration, and environment variables
SSH: private and public keys and related configuration files
Cloud and infrastructure configs: Git, AWS, GCP, Azure, Kubernetes, and Docker credentials
Environment files: .env and related variants
Database credentials: configuration files for PostgreSQL, MySQL/MariaDB, MongoDB, and Redis
Credential files: including package manager and Vault-related authentication tokens
CI/CD configurations: Terraform, Jenkins, GitLab CI, and similar files
TLS private keys
VPN configurations
Webhooks: Slack and Discord tokens
Shell history files
System files: /etc/passwd, /etc/shadow, and authentication logs
Cryptocurrency wallets

Infostealer harvesting credentials, SSH keys, and environment filesSource: BleepingComputer
The malicious script would also scan memory regions used by the GitHub Actions Runner.Worker process for the JSON string "" <name> ":{ "value": "<secret>", "isSecret":true}" to find additional authentication secrets.
On developer machines, the trojanized Trivy binary performed similar data collection, gathering environment variables, scanning local files for credentials, and enumerating network interfaces.
Collected data was encrypted and stored in an archive named tpcp.tar.gz, which was then exfiltrated to a typosquatted command-and-control server at scan.aquasecurtiy[.]org.
If exfiltration failed, the malware created a public repository named tpcp-docs within the victim's GitHub account and uploaded the stolen data there.
To persist on a compromised device, the malware would also drop a Python payload at ~/.config/systemd/user/sysmon.py and register it as a systemd service. This payload would check a remote server for additional payloads to drop, giving the threat actor persistent access to the device.
The attack is believed to be linked to a threat actor known as TeamPCP, as one of the infostealer payloads used in the attack has a "TeamPCP Cloud stealer" comment as the last line of the Python script.
"The malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester. TeamPCP, also tracked as DeadCatx3, PCPcat, and ShellForce, is a documented cloud-native threat actor known for exploiting misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers," explains Socket.

Comment showing the script was named TeamPCP Cloud StealerSource: BleepingComputer
Aqua Security confirmed the incident, stating that a threat actor used compromised credentials from the earlier incident that was not properly contained.
"This was a follow up from the recent incident (2026-03-01) which exfiltrated credentials. Our containment of the first incident was incomplete," explained Aqua Security.
"We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens."
The malicious Trivy release (v0.69.4) was live for approximately three hours, with compromised GitHub Actions tags remaining active for up to 12 hours.
The attackers also tampered with the project’s repository, deleting Aqua Security’s initial disclosure of the earlier March incident.
Organizations that used affected versions during the incident should treat their environments as fully compromised.
This includes rotating all secrets, such as cloud credentials, SSH keys, API tokens, and database passwords, and analyzing systems for additional compromise.
Follow-up attack spreads CanisterWorm via npm
Researchers at Aikido have also linked the same threat actor to a follow-up campaign involving a new self-propagating worm named "CanisterWorm," which targets npm packages.
The worm compromises packages, installs a persistent backdoor via a systemd user service, and then uses stolen npm tokens to publish malicious updates to other packages.
"Self-propagating worm. deploy.js takes npm tokens, resolves usernames, enumerates all publishable packages, bumps patch versions, and publishes the payload across the entire scope. 28 packages in under 60 seconds," highlights Aikido.
The malware uses a decentralized command-and-control mechanism using Internet Computer (ICP) canisters, which act as a dead-drop resolver that provides URLs for additional payloads.
Using ICP canisters makes the operation more resistant to takedown, as only the canister's controller can remove it, and any attempt to stop it would require a governance proposal and network vote.
The worm also includes functionality to harvest npm authentication tokens from configuration files and environment variables, enabling it to spread across developer environments and CI/CD pipelines.
At the time of analysis, some of the secondary payload infrastructure was inactive or configured with harmless content, but the researchers say this could change at any time.

Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Download The Report

Related Articles:
GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSXAppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript codeFBI seeks victims of Steam games used to spread malwareStarbucks discloses data breach affecting hundreds of employeesNew PhantomRaven NPM attack wave steals dev data via 88 packages

Breach
GitHub Actions
Infostealer
Security Scanner
Supply Chain Attack
TeamPCP
Trivy

Lawrence Abrams
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Previous Article
Next Article

Popular Stories

Microsoft: March Windows updates break Teams, OneDrive sign-ins

CISA orders feds to patch max-severity Cisco flaw by Sunday

Microsoft Azure Monitor alerts abused for callback phishing attacks

Sponsor Posts

Secure your AI agents without sacrificing speed.

Overdue a password health-check? Audit your Active Directory for free

Cyber resilience without the complexity. Join Zero Networks to stop lateral movement fast.

Are refund fraud methods targeting your brand? You can monitor the underground for these threats.

AI is a data-breach time bomb: Read the new report

Main Sections

News
Webinars
VPN Buyer Guides
SysAdmin Software Guides
Downloads
Virus Removal Guides
Tutorials
Startup Database
Uninstall Database
Glossary

Community

Forums
Forum Rules
Chat

Useful Resources

Welcome Guide
Sitemap

Company

About BleepingComputer
Contact Us
Send us a Tip!
Advertising
Write for BleepingComputer
Social & Feeds
Changelog

Username

Password

Remember Me

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...
SUBMIT

The Trivy vulnerability scanner, a widely used tool for identifying security weaknesses in containerized environments and code repositories, experienced a significant compromise orchestrated by the threat actor group known as TeamPCP. This supply-chain attack leveraged a backdoored version of Trivy (v0.69.4) distributed through official GitHub releases and GitHub Actions, resulting in the deployment of an infostealer designed to compromise systems and extract sensitive information. The initial breach stemmed from a compromised credential utilized to publish malicious releases, a vulnerability that hadn’t been fully contained following a prior incident in March 2026.

Following the initial compromise, TeamPCP systematically manipulated 75 out of 76 tags within the `aquasecurity/trivy-action` repository, redirecting them to malicious commits. This effectively transformed benign Trivy workflows into active malware agents, silently scanning systems and harvesting a vast array of credentials and configuration details. The infostealer targeted a broad range of data, including reconnaissance information like hostnames and network configurations, SSH keys, cloud credentials for platforms such as AWS, GCP, and Azure, environment variables, database passwords, CI/CD configurations (including Terraform and Jenkins), TLS private keys, VPN settings, and even webhooks from platforms like Slack and Discord. Furthermore, the malicious script actively scanned memory regions within the GitHub Actions Runner.Worker process to identify and extract authentication secrets.

The attack’s sophistication was amplified by the attacker’s attempt to conceal their actions, deleting Aqua Security’s initial disclosure regarding the earlier March incident. The malware itself, identified as “TeamPCP Cloud stealer,” not only collected data but also employed a persistent infection strategy. It dropped a Python payload at `~/.config/systemd/user/sysmon.py`, establishing a systemd service that checked for additional payloads and delivered continuous access to the compromised device. This tactic was compounded by the deployment of a public GitHub repository named `tpcp-docs` which served as a dumping ground for the stolen data.

Investigations, conducted by Socket and Wiz, revealed a concerning trend: the compromised Trivy releases remained active for approximately three hours, with impacted GitHub Actions tags remaining vulnerable for up to twelve hours. The immediate fallout significantly increased the potential attack surface for users of the scanner. Concurrently, Aikido researchers linked TeamPCP to a subsequent campaign involving a self-propagating worm named “CanisterWorm,” targeting npm packages. This worm leveraged stolen npm tokens to propagate malicious updates across the npm ecosystem, creating a multi-faceted threat. The worm’s architecture utilized ICP (Internet Computer) canisters as a decentralized command-and-control mechanism, enhancing its resilience against takedown attempts by utilizing a governance proposal and network vote.

The incident highlighted critical vulnerabilities in Aqua Security's containment processes, as the initial breach went unaddressed, exposing refreshed tokens to the attackers. Organizations reliant on Trivy during this period are strongly advised to implement immediate safeguards, including rotating all secrets, performing thorough system scans, and closely monitoring for further suspicious activity. The breadth of data targeted and the attack’s multifaceted approach underscore the serious implications of supply-chain vulnerabilities and the importance of robust security practices within DevOps and CI/CD pipelines.