A major supply chain attack attributed to the threat actor ‘TeamPCP’ compromised Aqua Security’s Trivy vulnerability scanner and at least two other frameworks starting March 19, 2026, injecting credential-stealing malware by abusing GitHub’s repository tag functionality to hijack CI/CD pipelines. The campaign turned trusted security tooling into a vector for widespread credential theft, targeting secrets for all three major cloud providers.
"This activity has since expanded to additional frameworks, including Checkmarx KICS and LiteLLM," Microsoft's Defender for Cloud team said in a security blog, noting the core attack chain remained similar in each wave. "Each wave used a new C2 domain themed to the compromised project."
The attackers force-pushed 76 of 77 version tags in the aquasecurity/trivy-action GitHub repository and all seven tags in aquasecurity/setup-trivy, redirecting them to malicious code. A malicious Trivy binary, version 0.69.4, was also published to official channels. The malware exfiltrated cloud credentials for AWS, GCP, and Azure, along with Kubernetes secrets, to typosquatted domains like scan.aquasecurtiy[.]org.
The attack turns trusted security and development tools into insider threats, creating significant risk for any organization using automated CI/CD pipelines with the compromised versions. The focus on broad credential harvesting suggests the actor's goal is to gain widespread access to cloud infrastructure for follow-on attacks, with the total blast radius still under investigation.
How Mutable Tags Became a Weapon
The attack exploited a core design feature of Git: mutable tags. By default, a tag—a label pointing to a specific software version—can be reassigned by anyone with push access to a repository. The threat actor used compromised credentials to re-tag 76 existing versions of the trivy-action and all versions of setup-trivy, pointing them to new commits containing the malicious payload.
Downstream CI/CD workflows that referenced these actions by version tag automatically pulled the attacker's code on their next run, with no visible changes in GitHub's user interface to alert developers. The actor also spoofed the commit identity, making the malicious commits appear legitimate, a tactic previously seen in other supply chain attacks. This method bypasses typical version-checking and allows the malware to propagate silently.
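One way to notice the silent re-tagging described above is to snapshot a repository's tags and compare snapshots over time. The sketch below is an added example, not code from the article or from Microsoft; it assumes the snapshots are saved output of `git ls-remote --tags <url>`, and the SHAs and tag names are constructed.

```python
def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags` output."""
    tags = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            # Peeled entry: the commit an annotated tag resolves to.
            # It replaces the tag-object SHA listed on the unpeeled line.
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def moved_tags(baseline, current):
    """Return {tag: (old_sha, new_sha)} for tags that now resolve elsewhere.

    new_sha is None when the tag was deleted. Tags that exist only in
    `current` are new releases and are not reported.
    """
    return {tag: (old, current.get(tag))
            for tag, old in baseline.items() if current.get(tag) != old}


# Constructed 40-character SHAs and tag names, for illustration only.
A, B, C, D, E, F = ("a" * 40, "b" * 40, "c" * 40, "d" * 40, "e" * 40, "f" * 40)
BASELINE = (f"{A}\trefs/tags/v0.1.0\n"
            f"{B}\trefs/tags/v0.2.0\n{C}\trefs/tags/v0.2.0^{{}}\n")
# v0.1.0 now points at a different commit; v0.2.0 was re-created as a new
# tag object on the same commit; v0.3.0 is a new release.
CURRENT = (f"{E}\trefs/tags/v0.1.0\n"
           f"{D}\trefs/tags/v0.2.0\n{C}\trefs/tags/v0.2.0^{{}}\n"
           f"{F}\trefs/tags/v0.3.0\n")

if __name__ == "__main__":
    drift = moved_tags(parse_ls_remote(BASELINE), parse_ls_remote(CURRENT))
    for tag, (old, new) in drift.items():
        print(f"tag {tag} moved: {old} -> {new}")
```

Comparing peeled commits rather than tag-object SHAs keeps a re-signed or re-annotated tag on the same commit from raising a false alarm.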
A Multi-Stage Credential Heist
Once executed within a CI/CD runner, the malware began a broad-spectrum credential harvesting operation. After fingerprinting the host machine, a Python-based stealer searched for credentials for Amazon Web Services, Google Cloud Platform, and Microsoft Azure, querying both environment variables and instance metadata services.
The malware didn't stop at cloud keys. It also enumerated and exfiltrated Kubernetes secrets, searched the file system for API keys in configuration files, and harvested Slack and Discord webhook URLs. The stolen data was encrypted into a tpcp.tar.gz archive and sent via HTTP POST to an attacker-controlled server. To mask the compromise, the malware would then execute the legitimate Trivy scanner, allowing the pipeline to complete successfully with the expected output.
Mitigation and Affected Versions
Organizations are urged to immediately audit their CI/CD pipelines and ensure they are running verified safe versions of the affected tools. Pinning actions to immutable commit SHAs instead of mutable version tags is the most critical preventative measure.
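The audit can be automated by scanning workflow files for `uses:` references that are not pinned to a full 40-character commit SHA. This is an added example, not code from the article or from Microsoft; the sample workflow and its SHA are constructed, and the watch list holds only the two repositories the article names.

```python
import re

# Actions this article names as having had their version tags force-pushed.
WATCHLIST = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; the 40-character SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - name: Scan image
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/report
"""


def audit_workflow(text):
    """Return (line_no, reference, reason) for each `uses:` not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker:// images are not resolved through Git tags.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue  # pinned to an immutable commit
        reason = "mutable ref" if version else "no ref"
        if "/".join(action.split("/")[:2]).lower() in WATCHLIST:
            reason += ", action named in this incident"
        findings.append((line_no, ref, reason))
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} ({reason})")
```

A reference to a known-good version tag is still reported, because the tag can be repointed after the workflow is reviewed.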
Microsoft provided the following table of affected products and the minimum safe versions to use:
| Product | Component | Safe Version |
|---|---|---|
| Trivy | Trivy binary | v0.69.2 – v0.69.3 |
| Trivy | trivy-action | v0.35.0 |
| Trivy | setup-trivy | v0.2.6 |
| LiteLLM | litellm | v1.82.6 and below |
| Checkmarx | checkmarx.cx-dev-assist | 1.10.0 and above |
| Checkmarx | checkmarx.ast-results | 2.56.0 and above |
| Checkmarx | ast-github-action | 2.3.33 |
| Checkmarx | kics-github-action | 2.1.20 |
Security teams can also hunt for indicators of compromise. Microsoft Defender customers can use advanced hunting queries to find malicious commands, suspicious DNS queries to attacker domains, and enumeration of Kubernetes secrets. For example, the following query can help identify command lines associated with the TeamPCP attacks:
```
CloudProcessEvents
| where ProcessCommandLine has_any ('scan.aquasecurtiy.org', 'checkmarx.zone', 'tpcp.tar.gz')
```
This incident serves as a critical reminder of the fragility of the software supply chain. For investors, it highlights the operational and financial risks for companies heavily reliant on open-source software without stringent verification processes. Companies found to be using compromised tools may face significant remediation costs, potential data breach liabilities, and a loss of customer trust, impacting their stock performance. Conversely, the event may act as a tailwind for cybersecurity firms like Palo Alto Networks (PANW) or CrowdStrike (CRWD) that specialize in supply chain security and cloud workload protection.
This article is for informational purposes only and does not constitute investment advice.