The popular open-source security tool Trivy has been compromised in a supply-chain attack attributed to a threat group known as TeamPCP. The breach allowed attackers to distribute credential-stealing malware through official releases and GitHub Actions, potentially impacting thousands of developers and organizations.
Trivy, maintained by Aqua Security, is commonly used to scan containers, Kubernetes environments, and code repositories for vulnerabilities and exposed secrets.
The issue was first disclosed by security researcher Paul McCarty, who discovered that version 0.69.4 of Trivy had been backdoored. Malicious container images and GitHub releases were distributed to users, embedding infostealing capabilities within what appeared to be legitimate updates.
Further investigations by Socket ;and Wiz revealed that nearly all version tags of the trivy-action repository were affected after attackers force-pushed malicious commits to 75 out of 76 tags, effectively hijacking automated workflows.
Researchers determined that the attackers gained access through previously stolen credentials from an earlier March breach that had not been fully contained. Using this access, they modified GitHub Actions by replacing key scripts with malicious versions and published trojanized binaries.
The embedded malware functioned as an advanced infostealer, scanning systems for a wide range of sensitive data, including SSH keys, cloud credentials (AWS, Azure, GCP), Kubernetes and Docker configurations, CI/CD secrets, and cryptocurrency wallets. It also harvested system-level data such as authentication logs and attempted to access memory used by GitHub Actions runners.
Stolen data was compressed into an archive and exfiltrated to a typosquatted command-and-control domain. If exfiltration failed, the malware attempted an alternative method by creating a public repository under the victim’s GitHub account and uploading the data there.
To maintain persistence, the malware deployed a Python-based payload disguised as a system service, allowing attackers to retain long-term access and execute additional commands remotely.
Aqua Security confirmed that the attackers exploited previously compromised credentials and acknowledged that the earlier breach had not been fully mitigated. The attackers also reportedly deleted initial incident reports from the project repository.
Developers and organizations using Trivy are urged to immediately audit their systems, rotate credentials, and ensure they are running clean, verified versions of the software.