Trivy Security Scanner Compromised Again, 75 GitHub Action Tags Hijacked to Exfiltrate CI/CD Secrets

In a troubling development for the cybersecurity community, Trivy, an open-source vulnerability scanner maintained by Aqua Security, has been compromised for the second time in a month. This latest breach has enabled attackers to deliver malware designed to steal sensitive Continuous Integration/Continuous Deployment (CI/CD) secrets.

Incident Overview

The recent attack specifically targeted GitHub Actions repositories, notably aquasecurity/trivy-action and aquasecurity/setup-trivy. These repositories are used to scan Docker container images for vulnerabilities and to set up GitHub Actions workflows with a specific version of the Trivy scanner.

Philipp Burckhardt, a security researcher at Socket, reported that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository. This manipulation effectively transformed trusted version references into a distribution mechanism for an infostealer payload. The malicious code executes within GitHub Actions runners, aiming to extract valuable developer secrets from CI/CD environments, including SSH keys, cloud service credentials, database access, Git configurations, Docker settings, Kubernetes tokens, and cryptocurrency wallets.

Background and Previous Incidents

This incident marks the second supply chain attack involving Trivy. Earlier in 2026, a bot named hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT). This token was subsequently weaponized to gain control over the GitHub repository, leading to the deletion of several release versions and the introduction of malicious versions of the Visual Studio Code extension to Open VSX.

The first indication of the current compromise was flagged by security researcher Paul McCarty, who noted a new compromised release (version 0.69.4) in the aquasecurity/trivy GitHub repository. This rogue version has since been removed. According to Wiz, version 0.69.4 initiates both the legitimate Trivy service and the malicious code responsible for various tasks, including:

  • Conducting data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.
  • Establishing persistence by using a systemd service after confirming that it is running on a developer machine. This service is configured to execute a Python script (“sysmon.py”) that polls an external server for payload retrieval and execution.

Exploitation Mechanism

Itay Shakury, Vice President of Open Source at Aqua Security, stated that the attackers exploited a compromised credential to publish malicious versions of Trivy, trivy-action, and setup-trivy. In the case of aquasecurity/trivy-action, the adversary force-pushed 75 version tags to point to malicious commits containing the Python infostealer payload, bypassing standard practices of creating new releases or pushing to branches. Seven tags from aquasecurity/setup-trivy were similarly manipulated.

Burckhardt emphasized that the attackers did not need to exploit Git itself; they had valid credentials with sufficient privileges to push code and rewrite tags. It remains unclear whether the compromised credential was a maintainer PAT or an automation token. However, the root cause is now understood to be a credential compromise stemming from the earlier incident.

The security vendor acknowledged that the latest attack resulted from incomplete containment of the hackerbot-claw incident. Shakury noted that while secrets and tokens were rotated, the process was not atomic, allowing attackers to potentially access refreshed tokens. The organization is now adopting a more restrictive approach to lock down all automated actions and tokens to eliminate the issue thoroughly.

Data Exfiltration Process

The infostealer operates in three stages: harvesting environment variables from the runner process memory and file system, encrypting the data, and exfiltrating it to the attacker-controlled server. If the exfiltration attempt fails, the victim’s GitHub account is exploited to stage the stolen data in a public repository named tpcp-docs, utilizing the captured INPUT_GITHUB_PAT, an environment variable used for authentication with the GitHub API.

Currently, the identity of the attackers remains uncertain, although there are indications that the threat actor known as TeamPCP may be involved. This assessment arises from the credential harvester self-identifying as “TeamPCP Cloud stealer” in the source code. TeamPCP, also known by various aliases, is recognized for operating as a cloud-native cybercrime platform aimed at breaching modern cloud infrastructures for data theft and extortion.

Implications for the Cybersecurity Landscape

The credential targets in this payload align with TeamPCP’s broader profile of cloud-native theft and monetization. The emphasis on Solana validator key pairs and cryptocurrency wallets, while less documented, corresponds with the group’s known financial motivations. The self-labeling could be a false flag; however, the technical overlap with previous TeamPCP tools makes genuine attribution plausible.

Users are advised to ensure they are utilizing the latest safe releases. Shakury recommended treating all pipeline secrets as compromised if running a potentially affected version and rotating them immediately. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, as well as checking GitHub accounts for repositories named tpcp-docs, which may indicate successful exfiltration via the fallback mechanism.

Wiz researcher Rami McCarthy advised users to pin GitHub Actions to full SHA hashes rather than version tags, as version tags can be manipulated to point to malicious commits, as demonstrated in this attack.
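
The pinning advice above can be checked mechanically. The following is an added example, not code from the article or from Aqua Security: it audits workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and singles out the two actions named in this incident. The function name, the sample workflow, and the SHA and version strings in it are constructed placeholders.

```python
import re

# Actions the article names as having had version tags force-pushed.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def audit_workflow(text):
    """Return (line_no, reference, reason) for every mutable `uses:` ref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions live in the same repository; there is no ref to pin.
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            # Container actions are immutable only when pinned by digest.
            if "@sha256:" not in ref:
                findings.append((line_no, ref, "docker image not pinned by digest"))
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue
        repo = "/".join(action.split("/")[:2]).lower()
        reason = "tag or branch ref can be repointed"
        if repo in AFFECTED:
            reason = "affected action referenced by mutable tag"
        findings.append((line_no, ref, reason))
    return findings


# Constructed sample workflow; the SHA and versions are placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
  - uses: aquasecurity/trivy-action@v0.0.0
  - name: install
    uses: aquasecurity/setup-trivy@main
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```

Abbreviated SHAs are flagged as well, since only a full-length commit SHA is treated as pinned here.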

For further details, refer to the original reporting from The Hacker News.
