
Trivy Vulnerability Scanner Compromised in Supply-Chain Attack by TeamPCP

Threat actors known as TeamPCP compromised the Trivy vulnerability scanner through a sophisticated supply-chain attack targeting infrastructure security. The group distributed credential-stealing malware via official GitHub releases and compromised workflows used by development teams. Security researchers identified the backdoor in version 0.69.4, alerting the community to the risk.

La Era


Threat actors known as TeamPCP compromised the popular Trivy vulnerability scanner through a sophisticated supply-chain attack targeting infrastructure security. The group distributed credential-stealing malware via official GitHub releases and compromised GitHub Actions workflows used by development teams. Security researchers first identified the backdoor in version 0.69.4, alerting the open-source community to the significant risk. Trivy helps identify vulnerabilities across containers and cloud environments, making it a high-value target.

The breach involved tampering with the project’s build process to swap entrypoint scripts with malicious versions designed to evade detection. Attackers force-pushed 75 out of 76 tags in the aquasecurity/trivy-action repository to redirect users to compromised commits. This allowed the malware to execute automatically before legitimate security scans could run on developer machines or CI pipelines. The entrypoint.sh file in GitHub Actions was specifically targeted during the build process.
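Because a force-pushed tag silently changes which commit a workflow runs, a common mitigation is to pin third-party actions to a full commit SHA. The following audit is an added example, not code from Trivy or from the researchers cited; the sample workflow, its tag name and the pinned SHA are constructed for illustration.

```python
import re

# `uses: owner/repo[/path]@ref`; local (./path) and docker:// references do not match.
USES_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)", re.M
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (action, ref, line_no) for each action not pinned to a full commit SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        # Tags, branches and abbreviated SHAs are all mutable or ambiguous references.
        if not FULL_SHA_RE.match(ref):
            line_no = text.count("\n", 0, m.start(2)) + 1
            findings.append((action, ref, line_no))
    return findings


# Constructed sample workflow (tag name and SHA are placeholders).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: aquasecurity/trivy-action@v0-example-tag
        with:
          image-ref: example/app:latest
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1
"""

if __name__ == "__main__":
    for action, ref, line_no in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
```

A SHA pin only helps if the pinned commit was reviewed when it was chosen; it does not make a previously compromised commit safe.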

Analysis by Socket and Wiz revealed the malware collected reconnaissance data and scanned local systems for authentication secrets and exposed keys. The infostealer targeted memory regions used by GitHub Actions Workers and searched for specific JSON string patterns containing sensitive credentials. Exfiltrated data stored in an archive named tpcp.tar.gz was sent to a typosquatted command-and-control server for processing. The script specifically scanned for environment variables and local files storing passwords.

Aqua Security confirmed the incident, stating that compromised credentials from an earlier March breach were reused by the attackers. A company representative explained that the containment of the first incident was incomplete despite secret rotation efforts. The malicious Trivy release remained live for approximately three hours before detection and removal occurred. Tokens were refreshed in an atomic process, which may have allowed attackers to access new tokens.

To maintain persistence on infected devices, the malware dropped a Python payload at ~/.config/systemd/user/sysmon.py within the user environment. This service checked a remote server for additional payloads, giving the threat actor long-term access to the compromised machine. Researchers noted the malware could also upload stolen data to a public repository named tpcp-docs within the victim's GitHub account. This ensured data retrieval even if the primary command-and-control server was unreachable.

The same threat actor has been linked to a follow-up campaign involving a self-propagating worm named CanisterWorm targeting npm packages globally. This worm utilizes Internet Computer canisters to act as a decentralized command-and-control mechanism resistant to standard takedowns. It harvests npm tokens to publish malicious updates across 28 packages in merely 60 seconds of automated activity. Stopping the infrastructure would require a governance proposal and network vote on the Internet Computer.

Organizations using affected versions must treat their environments as fully compromised and rotate all cloud credentials immediately. Security teams should analyze systems for additional compromise indicators such as the systemd service mentioned earlier in this report. The attack highlights the critical need for securing build pipelines against credential theft and supply-chain injection. This includes rotating SSH keys, API tokens, and database passwords across all affected infrastructure.
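A host triage check for the indicators named in this report (the sysmon.py payload path, the tpcp.tar.gz archive and the tpcp-docs repository) could look like the following. This is an added example, not tooling from Aqua Security, Socket or Wiz; it assumes the launching systemd unit sits beside the payload and that the caller chooses the directories to search and supplies the account's repository names.

```python
import os
from pathlib import Path

# Indicator values below are the ones named in the article.
PERSISTENCE_RELPATH = Path(".config/systemd/user/sysmon.py")
STAGING_ARCHIVE = "tpcp.tar.gz"
EXFIL_REPO = "tpcp-docs"


def check_host(home, search_roots=(), repo_names=()):
    """Return (indicator, location) tuples for each indicator that is present."""
    findings = []
    payload = Path(home) / PERSISTENCE_RELPATH
    if payload.exists():
        findings.append(("persistence_payload", str(payload)))
    # Assumption: a user unit launching the payload sits in the same directory;
    # the article does not give the unit's file name, so match on content.
    if payload.parent.is_dir():
        for unit in sorted(payload.parent.glob("*.service")):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue
            if payload.name in text:
                findings.append(("unit_references_payload", str(unit)))
    # Assumption: the staging location is not stated, so walk caller-chosen roots.
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            if STAGING_ARCHIVE in files:
                findings.append(
                    ("staging_archive", os.path.join(dirpath, STAGING_ARCHIVE))
                )
    # Repository names come from the caller, e.g. an export of the account's repos.
    for name in repo_names:
        if name.lower() == EXFIL_REPO:
            findings.append(("exfil_repo", name))
    return findings


if __name__ == "__main__":
    import tempfile
    roots = [tempfile.gettempdir()]
    for kind, where in check_host(Path.home(), search_roots=roots):
        print(f"{kind}: {where}")
```

An empty result does not clear a host, since the payload can remove or rename its files; credential rotation is still required for any environment that ran an affected version.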

This incident underscores the escalating risks associated with software supply chains in the modern development lifecycle and cloud infrastructure. Threat actors increasingly target high-value tools like Trivy to gain broad access to multiple organizations simultaneously through automation. The sophistication of the infrastructure used suggests a well-funded and organized criminal enterprise operating at scale. Financial losses from such breaches often extend beyond immediate data theft to remediation costs.

Future developments in this space will likely focus on npm-based attacks and decentralized command structures using blockchain technologies. Developers must remain vigilant regarding third-party dependencies and CI/CD pipeline configurations to prevent similar compromises. Continued monitoring of threat actor TTPs will be essential for maintaining defense in depth against evolving supply-chain threats. The industry must adapt to these challenges to protect critical software assets from further exploitation.
