Trivy Supply Chain Attack Hijacks GitHub Actions

Your Trusted Security Scanner Just Became a Threat

A massive supply chain attack recently compromised the Trivy vulnerability scanner ecosystem, turning a trusted defense tool into a malicious delivery vehicle. We no longer face a theoretical risk; attackers successfully weaponized the Trivy GitHub Actions to steal cloud credentials from unsuspecting organizations on March 19, 2026.

Your automated pipeline—the heart of your deployment process—could be leaking your most sensitive secrets right now. This breach, identified by several security researchers, allowed a threat group known as TeamPCP to intercept high-level tokens and distribute a malicious version of the Trivy binary.

If you ran a security scan during the mid-March window, you must assume your environment is compromised.

Technical Breach Analysis: From Token Theft to Tag Hijacking

The attackers executed a sophisticated, multi-stage campaign that exploited human error and platform limitations to gain persistent access.

Insight 1: The Initial Compromise and Atomic Rotation Failure

The attackers first gained entry in late February by exploiting a misconfigured pull_request_target on GitHub.

  • The Exploit: This misconfiguration allowed TeamPCP to steal a high-privilege Personal Access Token (PAT).
  • The Rotation Gap: Aqua Security attempted to rotate these credentials on March 1st, but the rotation process was not “atomic.” The attackers successfully intercepted the new tokens during the transition period, maintaining their “keys to the kingdom.”
  • The Payload: With these stolen credentials, the hackers published malicious version v0.69.4 of the Trivy binary. This version contained a hidden Trojan designed to activate during the scan process.

Insight 2: Tag Hijacking and the “TeamPCP Cloud Stealer”

The most devastating part of this attack involved the retroactive manipulation of existing version tags.

  • Tag Manipulation: The attackers force-pushed 76 out of 77 release tags in the aquasecurity/trivy-action repository. This meant that any developer using a standard tag (like @v0.34.2) automatically pulled the malicious code without changing a single line of their workflow.
  • The Malware Mechanism: Once active in your CI/CD runner, the “TeamPCP Cloud Stealer” scraped memory and filesystems for AWS, Azure, and Google Cloud credentials.
  • Exfiltration Tactics: The malware encrypted stolen data and sent it to a typosquatted domain. If the firewall blocked this traffic, the script attempted to create a private repository named tpcp-docs within the victim’s own GitHub account to store the looted secrets.

The CanisterWorm Domino Effect and Urgent Mitigation

This breach did not end with Trivy; it triggered a cascading failure across the wider software ecosystem.

The CanisterWorm Fallout

Attackers used the credentials harvested from the Trivy breach to launch a follow-on attack called CanisterWorm. This worm spread across nearly 50 npm packages, illustrating how a single compromised security tool can jeopardize an entire library of dependencies. We advocate for constant security evaluations because a single vulnerability in your toolchain can dismantle your entire security posture.

Immediate Action Required

If you utilized the Trivy Action between March 19th and March 20th, take these steps immediately:

  1. Rotate All Secrets: Treat all Cloud keys, SSH keys, and GitHub tokens accessed by your CI/CD runners as compromised.
  2. Audit GitHub Organizations: Search your organization for any unauthorized repositories, specifically those named tpcp-docs.
  3. Pin to SHAs: Stop using version tags for GitHub Actions. Upwind Security and other experts now mandate pinning actions to full commit SHAs to prevent future hijacking.

Final Thoughts

The Trivy supply chain incident proves that your security tools require as much scrutiny as the code they scan. We must treat CI/CD pipelines as high-risk environments and move toward immutable infrastructure practices. CSO Online reports that these attacks are becoming the “new normal” for sophisticated threat actors.

Does your organization need a deep-dive penetration test of your CI/CD pipeline to find hidden vulnerabilities?

We can help! Schedule a consultation with us today at StartupHakkSecurity.com.

Related Articles

Conceptual image of a secure digital globe fracturing into broken glass segments, with red glowing API icons, lock symbols, and raw source code leaking out. A laptop and scattered code snippets in the background illustrate a compromised development pipeline and secrets sprawl.
Security ReviewVulnerability
Software Supply Chain Security
High-tech visual representation of the LiteLLM supply chain attack, illustrating a waterfall campaign that originates from a poisoned Trivy scanner to exfiltrate API keys from Mercor.
AINews
LiteLLM Supply Chain Attack
A technical cybersecurity conceptual image showing a digital brain inside a cracked glowing hexagon, illustrating a hidden outbound channel leaking sensitive data from an AI sandbox environment.
Uncategorized
Codex unlocks your secrets