Trivy GitHub Actions Breach Hijacks 75 Tags to Steal CI/CD Secrets

Trivy, the widely used open source vulnerability scanner maintained by Aqua Security, has been hit by a second supply chain incident in less than a month. This time, the compromise targeted the GitHub Actions projects aquasecurity/trivy-action and aquasecurity/setup-trivy, which many teams use to scan container images and install a specific Trivy version inside CI/CD pipelines.

How the Attack Worked

Socket security researcher Philipp Burckhardt said the attacker force-pushed 75 of the 76 version tags in the aquasecurity/trivy-action repository. He said those tags were altered to deliver a malicious payload, turning trusted version references into a channel for malware delivery.

In plain terms, anyone pinning to those tags could unknowingly pull in code designed to steal secrets from build systems.

The payload runs inside GitHub Actions runners and goes after the kinds of credentials that can unlock a lot of infrastructure.

According to the reporting from Socket and Wiz, it searches for SSH keys, cloud service credentials, database secrets, Git and Docker configuration, Kubernetes tokens, cryptocurrency wallets, and other developer secrets that might be exposed in the CI/CD environment.

What Aqua Security Said

Aqua Security said the latest attack was tied to a compromised credential that was used to publish malicious releases for trivy, trivy-action, and setup-trivy.

Burckhardt told The Hacker News that the attacker did not need to break GitHub itself. Instead, the attacker had valid credentials with enough privilege to push code and rewrite tags. He said, ‘They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed.’ Burckhardt added that the exact credential used in this step is still unclear, but the root cause traces back to the earlier compromise.

Earlier Incident and Response

This latest incident appears to have grown out of an earlier one.

Aqua Security said its earlier response to the hackerbot-claw incident was not fully atomic, meaning the cleanup and token rotation did not happen in a way that completely shut the door on the attacker. Itay Shakury, vice president of open source at Aqua Security, said, ‘We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens.’ He said the company is now taking a stricter approach and locking down automated actions and tokens more tightly.

How the Malware Works

The malicious code follows a three-stage process. First, it harvests environment variables and credentials from the runner process memory and the file system. Next, it encrypts the stolen data. Finally, it exfiltrates the information to an attacker-controlled domain, scan.aquasecurtiy[.]org.

Wiz said the rogue version of Trivy, version 0.69.4, started both the legitimate Trivy service and the malicious code. Wiz also said the payload could establish persistence by creating a systemd service on a developer machine, which then runs a Python script called sysmon.py that repeatedly checks an external server for commands.

If the exfiltration attempt fails, the malware falls back to using the victim’s own GitHub account. It can stage stolen information in a public repository named tpcp-docs by using the captured INPUT_GITHUB_PAT, which is a GitHub Actions environment variable used to pass a personal access token for GitHub API authentication. That fallback increases the chance that stolen data still reaches the attacker even if the first channel is blocked.

Attribution Remains Unclear

Attribution is still not certain, but Socket said there are signs that the threat actor known as TeamPCP may be behind the operation. Socket noted that the credential harvester identifies itself in the source code as ‘TeamPCP Cloud stealer.’

The group is also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, and it has been associated with cloud-focused theft and extortion. Socket said the malware’s targets fit that broader pattern, especially the strong focus on cloud secrets and cryptocurrency wallets, although the self-label could still be a false flag.

What Users Should Do

Users who may have run a compromised version are being told to treat pipeline secrets as exposed and rotate them immediately.

Any pipeline that executed a poisoned tag should be treated as fully compromised. All secrets accessible to that workflow, including cloud credentials, SSH keys, API tokens, database passwords, and Docker registry tokens, should be rotated immediately. Security teams should audit their GitHub organization for tpcp-docs repositories and review GitHub Actions logs for any trivy-action runs occurring after approximately 19:00 UTC on March 19, 2026.

Shakury said affected teams should also block the exfiltration domain and the IP address 45.148.10[.]212 at the network level and check GitHub accounts for any repository named tpcp-docs, which could indicate that the fallback exfiltration path succeeded.
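The log review and repository audit described above can be scripted. The following is an added example, not code from Aqua Security, Socket or Wiz; it assumes runner logs have been exported as text and contain "Download action repository" lines in the shape shown in the comment, and all sample tags, SHAs and owners are constructed.

```python
import re
from datetime import datetime, timezone

# Indicators taken from the article. The cutoff is "approximately 19:00 UTC",
# so widen the window if your own evidence suggests earlier exposure.
CUTOFF = datetime(2026, 3, 19, 19, 0, tzinfo=timezone.utc)
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
STAGING_REPO = "tpcp-docs"

# Assumed log shape (not from the article):
# <ISO timestamp>Z Download action repository '<owner>/<repo>@<ref>' (SHA:<sha>)
DOWNLOAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z\s+"
    r"Download action repository '(?P<action>[^@']+)@(?P<ref>[^']+)'"
    r"(?: \(SHA:(?P<sha>[0-9a-f]{40})\))?"
)

def suspect_runs(log_lines):
    """Return (timestamp, repo, ref, resolved_sha) for affected actions fetched at/after CUTOFF."""
    hits = []
    for line in log_lines:
        m = DOWNLOAD.match(line.strip())
        if not m:
            continue
        repo = "/".join(m["action"].lower().split("/")[:2])  # drop any sub-path
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if repo in AFFECTED and when >= CUTOFF:
            hits.append((when.isoformat(), repo, m["ref"], m["sha"]))
    return hits

def staging_repos(full_names):
    """Return repositories whose name is exactly tpcp-docs, whatever the owner."""
    return [n for n in full_names if n.rsplit("/", 1)[-1].lower() == STAGING_REPO]

# Constructed sample data: tags, SHAs, timestamps and owners are made up.
SAMPLE_LOG = [
    f"2026-03-19T18:10:00.0000000Z Download action repository 'aquasecurity/trivy-action@v0.0.0' (SHA:{'a' * 40})",
    f"2026-03-19T19:05:12.1234567Z Download action repository 'aquasecurity/trivy-action@v0.0.0' (SHA:{'b' * 40})",
    f"2026-03-20T02:00:00.0000000Z Download action repository 'actions/checkout@v4' (SHA:{'c' * 40})",
    f"2026-03-20T07:30:45.0000000Z Download action repository 'aquasecurity/setup-trivy@v0.0.0' (SHA:{'d' * 40})",
    "2026-03-20T07:30:46.0000000Z ##[group]Run aquasecurity/setup-trivy@v0.0.0",
]
SAMPLE_REPOS = ["example-org/api", "example-user/tpcp-docs", "example-org/tpcp-docs-archive"]

if __name__ == "__main__":
    for hit in suspect_runs(SAMPLE_LOG):
        print("review run:", hit)
    print("possible fallback exfiltration:", staging_repos(SAMPLE_REPOS))
```

Every workflow behind a flagged run is a candidate for the secret rotation described above, and a tpcp-docs match should be investigated as possible fallback exfiltration.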

Wiz researcher Rami McCarthy also urged teams to pin GitHub Actions to full SHA hashes instead of version tags, warning that tags can be moved to malicious commits, exactly as happened here.
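One way to enforce that advice is to scan workflow files for `uses:` references that are not pinned to a full 40-character commit SHA. This is an added example, not code from Wiz or the Trivy project; the workflow below is constructed, and the check reads `uses:` lines with a regular expression rather than a YAML parser.

```python
import re

USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<ref>[^'"\s#]+)""")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Actions named in the article; matches are marked so they can be triaged first.
WATCHED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

def unpinned_actions(workflow_text):
    """Return one finding per `uses:` reference that a moved tag or branch could redirect."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)  # commented-out steps start with '#' and do not match
        if not m:
            continue
        ref = m["ref"]
        if ref.startswith(("./", "docker://")):
            continue  # local action or container image, not a git ref
        action, _, version = ref.partition("@")
        if FULL_SHA.match(version):
            continue  # immutable commit reference
        repo = "/".join(action.lower().split("/")[:2])
        findings.append({"line": lineno, "action": action,
                         "ref": version or None, "watched": repo in WATCHED})
    return findings

# Constructed workflow: the tag, branch and SHA values are made up.
SAMPLE = f"""\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{'a' * 40}  # pinned to a full SHA
      - uses: aquasecurity/setup-trivy@v0.0.0
      - name: Scan
        uses: "aquasecurity/trivy-action@master"
      # - uses: aquasecurity/trivy-action@v0.0.0
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for f in unpinned_actions(SAMPLE):
        print(f"line {f['line']}: {f['action']}@{f['ref']} watched={f['watched']}")
```

Abbreviated SHAs are reported as unpinned too, because only the full 40-character form counts as a pin here.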

Why This Matters

The incident is another reminder that trusted build tools can become attack vectors when maintainers lose control of signing credentials, release tags, or automation tokens. For teams that rely on GitHub Actions, the safest assumption is simple: if a build tool is compromised, every secret that touched that pipeline may need to be treated as exposed.

For detailed research on this attack, read the blog post by Socket.dev.