Supply Chain | Mar 23, 2026

Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack

Aqua Security's Trivy vulnerability scanner compromised in supply chain attack distributing information-stealer malware.

Summary

Threat actor TeamPCP compromised Aqua Security's Trivy open source vulnerability scanner via GitHub Actions workflow exploitation, publishing malicious releases and VS Code extensions containing an information stealer. The attacker used exfiltrated credentials to push malicious version v0.69.4 and force-pushed tags across Trivy, trivy-action, and setup-trivy repositories to distribute the infostealer malware designed to extract secrets from CI/CD runners. The attack is ongoing, with Aqua warning of continued unauthorized activity and urging users to rotate credentials and remove affected artifacts.

Full text

A threat actor compromised Aqua Security’s Trivy open source vulnerability scanner in a supply chain attack that started in late February. On March 1, Trivy’s maintainers announced that the scanner’s GitHub repository had been compromised in an attack involving a GitHub Actions workflow issue. Some releases were deleted, and malicious versions of the application’s VS Code extensions were published to the Open VSIX marketplace.

The attack was part of a larger, automated attack campaign that hit multiple open source repositories via GitHub Actions workflows and resulted in a large natural-language prompt being injected into two malicious versions of Trivy’s VS Code extension.

Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.

“Following the initial disclosure on March 1, credential rotation was performed, but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days),” the maintainers explain.

The attackers used the compromised credentials to push a malicious Trivy release (version v0.69.4) that was distributed across all regular channels, including GitHub Container Registry, Amazon ECR Public, and Docker Hub.

They also force-pushed 76 of 77 trivy-action version tags to malicious commits, leading to infections with an information stealer designed to dump the Runner.Worker process memory and extract all secrets from it. The malware was also designed to encrypt the harvested data and send it to a remote server. If the exfiltration failed, it created a public GitHub repository and uploaded the data to it.
Additionally, the attackers targeted the setup-trivy releases, force-pushing all tags to malicious commits, leading to the same infostealer. Socket and Wiz published technical details on the attack and the malware.

Ongoing attack

According to Aqua, none of its commercial products that use Trivy have been affected by the attack, as “the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process.”

On Monday, the company warned that the attack is ongoing and evolving, with suspicious activity identified on March 22, “involving unauthorized changes and repository tampering”.

“Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior. Our investigation is actively focused on validating that all access paths have been identified and fully closed,” Aqua said.

Trivy’s maintainers released clean iterations of Trivy (versions v0.69.2 and v0.69.3), trivy-action (v0.35.0), and setup-trivy (v0.2.6). Because the original trivy-action tags were deleted during remediation, new tags with a v prefix were published.

They urge all users to rotate all credentials, tokens, and other secrets if a compromised version of Trivy, trivy-action, or setup-trivy ran on their environments.

“Check whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen,” the maintainers note.

TeamPCP’s CanisterWorm campaign

The attack has been linked to a threat actor named TeamPCP, which has expanded its activity following the Trivy compromise, targeting the NPM ecosystem with the CanisterWorm malware.
Last week, Aikido reported that TeamPCP compromised over 45 NPM packages, injecting them with a post-install loader that fetches a persistent Python backdoor, enabling dynamic payload delivery via an ICP canister used for command-and-control (C&C) dead-drop.

CanisterWorm, the security firm says, can extract NPM tokens, resolve usernames, enumerate published packages, create new package versions, and publish the payload across all of them. It also establishes persistence, contains evasion capabilities, masquerades as PostgreSQL tooling, polls the ICP canister every 50 minutes, and can be disarmed by pointing the canister to a YouTube link.

“If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background since the script never kills previous processes,” Aikido explains.

The infected packages contain a standalone self-propagating tool that appears to be entirely vibe-coded and does not use obfuscation, and which uses stolen tokens to spread the malicious payload across packages.

Financially motivated, TeamPCP emerged in late 2025, targeting cloud-native infrastructure via exposed CI/CD pipelines, Docker APIs, and Kubernetes clusters. The threat actor is known for mounting supply chain attacks and for leveraging credentials stolen from cloud workloads and GitHub Actions runners via memory scrapers.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.

Indicators of Compromise

  • malware — CanisterWorm
  • malware — Information Stealer (Trivy attack)
  • hash_sha256 — Trivy v0.69.4
  • mitre_attack — T1555 – Credentials from Password Stores
  • mitre_attack — T1078 – Valid Accounts
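
The checks the maintainers describe, sketched as an added example (not code from the article, Aqua or the Trivy project): it flags workflow steps that reference trivy-action or setup-trivy by a tag or branch instead of a full commit SHA, lines that name version 0.69.4 in a file mentioning Trivy, and repositories named tpcp-docs. The `aquasecurity/` owner prefix, the sample workflow, the 40-hex SHA and the `acme/` repository names are assumptions constructed for the example.

```python
import re

# Repositories named in the advisory; the "aquasecurity/" owner prefix is how
# workflows reference them (assumption, not stated on the page).
AFFECTED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
BAD_VERSION_RE = re.compile(r"(?<![\d.])v?0\.69\.4(?![\d.])")  # malicious Trivy release
FALLBACK_REPO = "tpcp-docs"  # name of the fallback exfiltration repository

USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file's text."""
    findings = []
    mentions_trivy = "trivy" in text.lower()
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() in AFFECTED_ACTIONS:
            # A tag or branch can be force-pushed to another commit; a full SHA cannot.
            if not FULL_SHA_RE.fullmatch(m.group(2)):
                findings.append((line_no, "mutable-ref", f"{m.group(1)}@{m.group(2)}"))
        if mentions_trivy and BAD_VERSION_RE.search(line):
            findings.append((line_no, "bad-version", line.strip()))
    return findings

def exfil_repos(repo_names):
    """Return repository names (bare or owner/name) that match the fallback repo."""
    return [n for n in repo_names if n.rsplit("/", 1)[-1].lower() == FALLBACK_REPO]

# Constructed sample workflow; the 40-hex commit SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run aquasec/trivy:0.69.3 image alpine
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print(exfil_repos(["acme/website", "acme/tpcp-docs"]))  # constructed names
```

A `mutable-ref` finding means the workflow ran whatever commit the tag pointed to at run time, so it marks where to check run history and rotate secrets; a step pinned to a SHA still needs that SHA compared against a known-good commit.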