World Today News
Trivy Supply Chain Attack: TeamPCP Steals Secrets via Compromised Releases & GitHub Actions

March 22, 2026 | Rachel Kim, Technology Editor

A widely used security scanner, Trivy, was compromised in a sophisticated supply chain attack orchestrated by a threat actor known as TeamPCP, resulting in the distribution of credential-stealing malware through official releases and GitHub Actions workflows, security researchers revealed on March 21 and 22, 2026.

Trivy, developed by Aqua Security, is a popular open-source tool used by developers and security teams to identify vulnerabilities, misconfigurations, and exposed secrets in container images, Kubernetes environments, code repositories, and cloud infrastructure. Its widespread adoption made it a high-value target, according to security analysts.

The breach initially came to light when security researcher Paul McCarty alerted the community to a backdoor in Trivy version 0.69.4, noting the publication of malicious container images and GitHub releases. Subsequent analysis by Socket and Wiz confirmed the attack’s breadth, revealing that nearly all version tags of the trivy-action repository had been compromised.

Attackers gained access to Trivy's GitHub build process and replaced the legitimate entrypoint.sh script of the GitHub Action with a malicious version. This allowed them to publish trojanized binaries in the v0.69.4 release, effectively turning the security scanner into an infostealer. Aqua Security confirmed that the attackers used credentials stolen in an earlier breach on March 1 that had not been fully rotated.

Researchers determined that the threat actor force-pushed malicious commits to 75 of the 76 tags in the aquasecurity/trivy-action repository. Because a git tag is a movable pointer rather than an immutable reference, any external workflow that referenced the action by one of those tags (a step such as "uses: aquasecurity/trivy-action@<version>") pulled the malicious commit on its next run without any change to the consumer's own workflow file, and executed the stealer before the legitimate Trivy scan ran, making detection significantly more difficult.
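Because a tag can be moved, the standard defence is to pin each action to a full 40-character commit SHA, which the attacker cannot redirect without also compromising the consumer's repository. The Python script below is an added example, not code from Aqua Security or from the published analyses: it audits GitHub Actions workflow files for action references that are pinned to a tag or branch rather than a commit SHA, rating references to aquasecurity/trivy-action as high severity. The sample workflow, its tag names and the placeholder SHA are constructed for the illustration and are not real trivy-action releases or commits.

```python
import re
from pathlib import Path

# A GitHub Actions step reference looks like: uses: owner/repo[/subpath]@ref
# Optional surrounding quotes are tolerated; "uses: ./local" and "uses: docker://..."
# carry no "@ref" and are deliberately ignored.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+)(/[^@\s"\']*)?@([^\s"\'#]+)'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions whose tags are known to have been moved; rated "high" when not SHA-pinned.
WATCHLIST = ("aquasecurity/trivy-action",)


def audit_workflow(text, watchlist=WATCHLIST):
    """Return (line_no, action, ref, severity) for every action reference in a
    workflow that is pinned to something other than a full commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(3)
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: moving a tag cannot redirect this step
        severity = "high" if action.lower() in watchlist else "medium"
        findings.append((line_no, action, ref, severity))
    return findings


def audit_repo(root):
    """Audit every workflow file under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow: the tag names and the 40-hex SHA are placeholders,
# not real trivy-action releases or commits.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy pinned to a tag (movable)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Trivy pinned to a commit (immutable)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
"""

if __name__ == "__main__":
    for line_no, action, ref, severity in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not SHA-pinned [{severity}]")
```

Run audit_repo against a checkout of each repository; anything reported as high should be re-pinned to a commit SHA that was verified against the upstream repository after the incident, and a SHA-pinned step should carry the version in a trailing comment so that update tooling can still track it.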

The infostealer collected a wide range of reconnaissance data, including hostname, operating system information, network configurations, and environment variables. It specifically targeted sensitive files and locations known to store credentials, including SSH keys, cloud configuration files (AWS, GCP, Azure, Kubernetes, Docker), database credentials (PostgreSQL, MySQL, MongoDB, Redis), CI/CD configurations (Terraform, Jenkins, GitLab CI), TLS private keys, VPN configurations, and even cryptocurrency wallets.

The malicious script also scanned memory regions used by the GitHub Actions Runner worker process for JSON strings indicative of stored secrets. On developer machines, the trojanized Trivy binary performed similar data collection, gathering environment variables, scanning local files for credentials, and enumerating network interfaces.

Collected data was encrypted and archived into a file named tpcp.tar.gz, then exfiltrated to a typosquatted command-and-control server at scan.aquasecurtiy[.]org. If exfiltration failed, the malware created a public repository named tpcp-docs within the victim’s GitHub account and uploaded the stolen data there.

To maintain persistence, the malware dropped a Python payload at ~/.config/systemd/user/sysmon.py and registered it as a systemd user service. This payload periodically checked a remote server for additional payloads, giving the threat actor persistent access to compromised devices.
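The indicators named above (the tpcp.tar.gz archive, the sysmon.py dropper path and its systemd unit, the typosquatted aquasecurtiy.org domain and the tpcp-docs fallback repository) are enough for a first-pass host and log check. The Python script below is an added example, not tooling from the researchers or from Aqua Security. The log lines it scans are constructed, and make_demo_home builds a temporary home directory containing the dropper path purely so the check has something to find. A clean result does not clear a host: the persistence script fetched further payloads, so the credential rotation described later still applies to any machine that ran an affected build.

```python
import re
import tempfile
from pathlib import Path

# Indicators reported for the incident; all of these appear in the public write-ups.
DROPPER_REL = Path(".config/systemd/user/sysmon.py")      # persistence payload
UNIT_DIR_REL = Path(".config/systemd/user")               # systemd user units live here
ARCHIVE_NAME = "tpcp.tar.gz"                              # staged, encrypted loot
C2_DOMAIN_RE = re.compile(r"\baquasecurtiy\.org\b", re.I)  # typosquat of aquasecurity.org
FALLBACK_REPO = "tpcp-docs"                               # public repo used when C2 is unreachable


def check_home(home):
    """Look for on-disk artefacts under one user's home directory.
    Returns a list of (kind, path) tuples; an empty list means nothing was found."""
    home = Path(home)
    findings = []
    dropper = home / DROPPER_REL
    if dropper.exists():
        findings.append(("dropper", str(dropper)))
    unit_dir = home / UNIT_DIR_REL
    if unit_dir.is_dir():
        for unit in sorted(unit_dir.glob("*.service")):
            # the dropper was registered as a service; a renamed copy still shows in the unit
            if "sysmon.py" in unit.read_text(encoding="utf-8", errors="replace"):
                findings.append(("unit", str(unit)))
    for archive in sorted(home.rglob(ARCHIVE_NAME)):
        findings.append(("archive", str(archive)))
    return findings


def check_logs(lines):
    """Scan any text log (DNS, proxy, shell history, audit) for the two exfiltration paths.
    Returns (line_no, indicator) tuples."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        if C2_DOMAIN_RE.search(line):
            hits.append((line_no, "c2-domain"))
        if FALLBACK_REPO in line:
            hits.append((line_no, "fallback-repo"))
    return hits


def make_demo_home():
    """Build a throwaway home directory containing the dropper path, a unit that
    references it and an empty archive, so the check has something to find. Demo only."""
    home = Path(tempfile.mkdtemp(prefix="tpcp-demo-"))
    unit_dir = home / UNIT_DIR_REL
    unit_dir.mkdir(parents=True)
    (home / DROPPER_REL).write_text("# placeholder, not the real payload\n")
    (unit_dir / "sysmon.service").write_text(
        "[Service]\nExecStart=/usr/bin/python3 %h/.config/systemd/user/sysmon.py\n"
    )
    (home / "work").mkdir()
    (home / "work" / ARCHIVE_NAME).write_bytes(b"")
    return home


# Constructed log lines; timestamps and addresses are invented for the demo.
SAMPLE_LOG = [
    "2026-03-21T02:14:07Z dns A scan.aquasecurtiy.org from 10.0.3.17",
    "2026-03-21T02:14:09Z https POST api.github.com/user/repos name=tpcp-docs",
    "2026-03-21T02:15:00Z dns A www.aquasecurity.org from 10.0.3.17",
]

if __name__ == "__main__":
    for kind, path in check_home(make_demo_home()):
        print(f"host: {kind} at {path}")
    for line_no, indicator in check_logs(SAMPLE_LOG):
        print(f"log line {line_no}: {indicator}")
```

The domain check deliberately matches only the misspelled domain, so traffic to the vendor's real aquasecurity.org is not flagged; on a CI runner the same check_logs function can be pointed at the runner's job logs, where a public repository creation against the victim's own account is the tell-tale of the fallback path.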

Security researchers have linked the attack to TeamPCP, a cloud-native threat actor previously known for exploiting misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. One of the infostealer payloads contained a comment identifying itself as “TeamPCP Cloud stealer.” TeamPCP has also been tracked under the aliases DeadCatx3, PCPcat, and ShellForce.

Aqua Security acknowledged the incident, stating that the attackers used credentials stolen in the earlier incident, whose rotation had not been completed when the second attack began. “This was a follow up from the recent incident (2026-03-01) which exfiltrated credentials,” the company stated. “We rotated secrets and tokens, but the process wasn’t atomic and attackers may have been privy to refreshed tokens.”

The malicious Trivy release (v0.69.4) remained live for approximately three hours, while the compromised GitHub Actions tags remained active for up to 12 hours. The attackers also deleted Aqua Security’s initial disclosure of the earlier March incident from the project’s repository.

Organizations that ran affected versions of Trivy, or workflows referencing the affected trivy-action tags, during the incident window are advised to treat those environments as fully compromised: rotate all secrets the runner or workstation could reach, including cloud credentials, SSH keys, API tokens, and database passwords, and examine the systems thoroughly for additional signs of compromise.

In a related development, researchers at Aikido have linked TeamPCP to a follow-up campaign involving a self-propagating worm named “CanisterWorm,” which targets npm packages. The worm compromises packages, installs a persistent backdoor, and uses stolen npm tokens to publish malicious updates to other packages. CanisterWorm utilizes a decentralized command-and-control mechanism based on Internet Computer (ICP) canisters, designed to resist takedown efforts.
