World Today News

Trivy Supply Chain Attack: 1,000+ Clouds Hit, Lapsus$ Linked to Secret Theft

March 25, 2026 Rachel Kim – Technology Editor Technology

More than 1,000 organizations’ cloud environments have been infected with secret-stealing malware following a supply chain attack targeting Trivy, an open-source vulnerability scanner, last week. The attackers, now collaborating with the notorious extortion group Lapsus$, exploited a misconfiguration in Trivy’s GitHub Actions environment to gain access and inject malicious code.

Mandiant Consulting CTO Charles Carmakal revealed the scale of the compromise during a Google event at the RSA Conference in San Francisco. “We know of over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat actor,” Carmakal said. He warned that the number of victims could rapidly increase, potentially reaching 500, 1,000, or even 10,000 organizations in the coming weeks and months.

The attackers are primarily based in the US, UK, Canada, and Western Europe, and are “known for being exceptionally aggressive with their extortion,” according to Carmakal. “They’re very loud, they’re very aggressive, and so we’re going to end up seeing the impact in the coming days, weeks, and months.”

Security researchers at Wiz, also owned by Google, have identified a dangerous convergence between supply chain attackers and groups like Lapsus$. Ben Read, a lead researcher at Wiz, stated, “We are seeing a dangerous convergence between supply chain attackers and high-profile extortion groups like Lapsus$.”

The attack has extended beyond Trivy and the open-source static analysis tool KICS to include LiteLLM, an AI middleware component present in 36 percent of all cloud environments. According to Wiz, this expansion is creating a “snowball effect,” amplifying the potential for widespread compromise.

The initial compromise occurred in late February, when a misconfigured `pull_request_target` workflow in the Trivy repository allowed the attackers, identified as TeamPCP, to steal a privileged access token. Despite Aqua Security’s attempt to revoke the token on March 1, the attackers maintained access and published malicious releases of Trivy on March 19.

Researchers at Socket discovered that TeamPCP force-pushed 75 out of 76 tags in the trivy-action GitHub Action to malicious versions, potentially impacting a vast number of developers who integrated the scanner into their CI/CD pipelines. Socket analyst Philipp Burckhardt noted that over 10,000 workflow files on GitHub reference this action, highlighting the significant blast radius of the attack.
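A defender-side audit for the two weaknesses described above, a `pull_request_target` workflow and action references that follow movable tags, written as an added example that is not from the article, Aqua Security or Socket. The sample workflow, its refs and the function names are constructed; the article does not detail the misconfiguration, so the check assumes the commonly flagged pattern of referencing pull request head code under that trigger, and it uses regex heuristics rather than a full YAML parse.

```python
import re

# Constructed sample workflow; the refs are placeholders, not real releases.
SAMPLE_WORKFLOW = """\
name: scan
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@0.0.0  # movable tag
      - uses: example-org/pinned@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")


def unpinned_actions(text):
    """Return (action, ref) pairs not pinned to a full 40-hex commit SHA.

    Tags and branches can be force-pushed to new commits; a full SHA cannot.
    """
    findings = []
    for target in USES_RE.findall(text):
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        action, _, ref = target.partition("@")
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((action, ref or "(none)"))
    return findings


def risky_pr_target(text):
    """Heuristic: pull_request_target trigger plus a reference to PR head code."""
    body = re.sub(r"#.*", "", text)  # ignore YAML comments
    return bool(PR_TARGET_RE.search(body) and HEAD_REF_RE.search(body))


if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
    print("pull_request_target with PR head code:", risky_pr_target(SAMPLE_WORKFLOW))
```
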

TeamPCP also leveraged the initial compromise to introduce a novel self-propagating worm, dubbed CanisterWorm, into the npm ecosystem. This worm utilizes stolen publish tokens and an unconventional command-and-control infrastructure based on the ICP blockchain, making it difficult to disrupt.

Further malicious images were published to Docker Hub on Sunday, and attackers defaced Aqua Security’s internal GitHub repositories, renaming them all to “TeamPCP Owns Aqua Security” and exposing internal source code, CI/CD configurations, and knowledge bases. Socket researchers noted that this indicates a deeper level of control over the GitHub organization during the compromise.
