Trivy Supply Chain Attack: 75 Tags Hijacked to Deliver Credential Stealer
The Trivy open-source vulnerability scanner — one of the most widely deployed container and filesystem security tools in the DevSecOps ecosystem — was compromised in a supply chain attack carried out by threat actors identified as TeamPCP. The attackers used stolen GitHub tokens to force-push 75 release tags in the official aquasecurity/trivy repository, replacing legitimate release binaries with versions bundling a credential-stealing infostealer distributed through the project's GitHub Actions workflows.
Attack Overview
| Attribute | Value |
|---|---|
| Target | aquasecurity/trivy (GitHub) |
| Threat Actor | TeamPCP |
| Attack Type | Supply Chain — GitHub token compromise |
| Tags Hijacked | 75 release tags |
| Payload | Credential-stealing infostealer |
| Distribution Vector | Official GitHub Releases + GitHub Actions |
| Victims at Risk | CI/CD pipelines consuming Trivy releases directly |
How TeamPCP Compromised Trivy
The attack followed a pattern increasingly common in open-source supply chain campaigns: rather than attacking Trivy's codebase directly, TeamPCP targeted GitHub authentication tokens with write access to the repository.
Compromise Chain
1. TeamPCP obtained GitHub tokens with write access to aquasecurity/trivy (likely via credential theft, secrets leak, or compromised contributor)
2. Using the stolen tokens, attackers performed force-push operations on 75 existing release tags in the official Trivy repository
3. Each force-pushed tag replaced the legitimate release commit with a modified version containing malicious binaries
4. GitHub Actions workflows — triggered by release events — automatically built and published the malicious binaries as official Trivy release artifacts
5. Developers and CI/CD pipelines that pulled Trivy via version tag (e.g., v0.x.y) downloaded the infostealer instead of the legitimate scanner
6. The infostealer executed with the same privileges as Trivy in the pipeline, stealing CI/CD secrets, tokens, and credentials
Why Force-Push on Release Tags Is Devastating
In the Git model, tags are typically treated as immutable pointers to specific commits — the foundation of reproducible, trusted release distribution. When an attacker can force-push a tag, they can silently redirect anyone who fetches that tag to an entirely different commit. Most CI/CD pipelines and package managers do not verify the commit hash behind a tag — they simply trust that v0.52.0 today is the same as v0.52.0 yesterday.
This is why pinning by commit SHA (instead of by version tag) and cryptographic verification (Sigstore/cosign) are security-critical practices in modern supply chain defense.
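One way to detect a rewritten tag is to keep a baseline of `git ls-remote --tags` output and compare it with a fresh capture. The sketch below is an added example, not code from Trivy or Aqua Security; the tag names and hashes are constructed, and the function names are hypothetical.

```python
import re

# Constructed `git ls-remote --tags` output from two points in time.
# All tag names and hashes are made up for illustration.
BASELINE = (
    "1" * 40 + "\trefs/tags/v1.0.0\n" +
    "2" * 40 + "\trefs/tags/v1.1.0\n" +      # annotated tag object
    "a" * 40 + "\trefs/tags/v1.1.0^{}\n" +   # commit it points to
    "3" * 40 + "\trefs/tags/v1.2.0\n"
)
CURRENT = (
    "1" * 40 + "\trefs/tags/v1.0.0\n" +
    "4" * 40 + "\trefs/tags/v1.1.0\n" +
    "b" * 40 + "\trefs/tags/v1.1.0^{}\n" +   # same tag, different commit
    "5" * 40 + "\trefs/tags/v1.3.0\n"        # new tag, not an alert
)

# "<sha> <ref>"; annotated tags add a second "^{}" line naming the commit.
LINE = re.compile(r"^([0-9a-f]{40,64})\s+refs/tags/(\S+?)(\^\{\})?$")

def parse_ls_remote(text):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry."""
    commits, peeled = {}, set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sha, tag, is_peeled = m.group(1), m.group(2), bool(m.group(3))
        if is_peeled:
            commits[tag] = sha
            peeled.add(tag)
        elif tag not in peeled:
            commits[tag] = sha
    return commits

def tag_drift(baseline, current):
    """Return ({tag: (old, new)} for moved tags, [tags that disappeared])."""
    old, new = parse_ls_remote(baseline), parse_ls_remote(current)
    moved = {t: (old[t], new[t]) for t in old if t in new and old[t] != new[t]}
    deleted = sorted(t for t in old if t not in new)
    return moved, deleted

if __name__ == "__main__":
    moved, deleted = tag_drift(BASELINE, CURRENT)
    for tag, (was, now) in moved.items():
        print(f"ALERT {tag}: {was[:12]} -> {now[:12]}")
    print("deleted:", deleted)
```

Comparing the peeled commit rather than the tag object catches a tag that was re-created as annotated or lightweight while pointing somewhere new.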
Infostealer Payload
The malicious binaries bundled by TeamPCP included an infostealer designed to target the CI/CD environment in which Trivy typically runs. In DevSecOps pipelines, Trivy executes with access to:
- Environment variables — often containing cloud provider credentials (AWS_ACCESS_KEY_ID, GITHUB_TOKEN, KUBECONFIG, etc.)
- Mounted secrets — Kubernetes secrets, Vault tokens, or service account keys
- Build artifacts — container images, compiled binaries, deployment packages
- Repository access — the infostealer can read source code and configuration files within the workspace
The infostealer exfiltrated harvested data to a remote command-and-control server under TeamPCP's control.
Impact and Scope
Organizations most exposed are those that:
- Reference Trivy by version tag (not commit SHA) in GitHub Actions or other CI/CD platforms
- Do not verify release signatures or checksums against known-good values
- Run Trivy with elevated permissions or in environments with broad secret access
- Cache or mirror Trivy releases without re-validating integrity after the compromise window
Aqua Security moved quickly to remediate the affected tags and published a security advisory notifying users of the affected release window and providing clean checksums for verification.
Remediation
Immediate Steps
```yaml
# INSECURE: Pulling by version tag — vulnerable to tag manipulation
- name: Run Trivy
  uses: aquasecurity/trivy-action@v0.29.0 # tag can be rewritten
# SECURE: Pin to a specific commit SHA
- name: Run Trivy
  uses: aquasecurity/trivy-action@<commit-sha> # immutable
```
Verify Your Trivy Binaries
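```bash
# Check the SHA256 hash of your Trivy binary against known-good values
# (obtain verified checksums from Aqua Security's security advisory)
sha256sum /usr/local/bin/trivy
# Verify via cosign if Trivy releases are signed.
# cosign 2.x also requires the expected signer identity and OIDC issuer for
# certificate-based verification; the two values below are placeholders to
# fill in from the project's release documentation.
cosign verify-blob \
  --certificate trivy_linux_amd64.tar.gz.pem \
  --signature trivy_linux_amd64.tar.gz.sig \
  --certificate-identity-regexp '<expected-signer-identity>' \
  --certificate-oidc-issuer '<expected-oidc-issuer>' \
  trivy_linux_amd64.tar.gz
```
Rotate Credentials if Exposed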
If your CI/CD pipeline ran a compromised Trivy version during the attack window:
- Rotate all cloud provider credentials (AWS keys, Azure service principals, GCP service accounts)
- Revoke and regenerate GitHub tokens with access to your repositories
- Rotate Kubernetes service account tokens and any secrets mounted in the pipeline
- Audit outbound network connections from your CI/CD runners during the attack window
- Review all deployments made during or after the compromise window for unauthorized changes
Supply Chain Security Best Practices
This attack reinforces several supply chain security principles that every DevSecOps team should implement:
| Practice | Implementation |
|---|---|
| Pin by commit SHA | Use full 40-character SHA instead of version tags in Actions and Dockerfiles |
| Verify signatures | Use cosign/Sigstore to verify release artifacts before execution |
| Monitor for tag changes | Alert when a previously seen tag now points to a different commit |
| Least-privilege CI/CD | Limit secrets accessible to scanner steps; use separate jobs with scoped tokens |
| SBOM validation | Validate software bill of materials hashes before pipeline execution |
| Dependency review | GitHub's dependency review action detects known-vulnerable packages |
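To enforce the "Pin by commit SHA" row, a repository check can scan workflow files for `uses:` references that are not pinned to a full 40-character SHA. The script below is an added example, not part of the original article or of any Aqua Security tooling; the sample workflow, the SHA in it, and `example-org/example-action` are constructed.

```python
import re

# Constructed workflow for illustration; the 40-character SHA is made up.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.29.0
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action@main
"""

# Captures the reference after `uses:`, stopping at quotes, spaces or comments.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return [(line_no, reference)] for `uses:` entries not pinned immutably."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned together with the repository
        if ref.startswith("docker://"):
            pinned = "@sha256:" in ref  # image digest instead of a mutable tag
        else:
            _, _, version = ref.partition("@")
            pinned = bool(FULL_SHA.match(version))
        if not pinned:
            findings.append((line_no, ref))
    return findings

if __name__ == "__main__":
    for line_no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

Run it over every file in `.github/workflows/` as a pre-merge check so that a tag or branch reference fails review before it reaches a runner.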
Key Takeaways
- Trivy was compromised by TeamPCP via stolen GitHub tokens, enabling force-push of 75 release tags with malicious binaries
- The infostealer payload targeted CI/CD environment secrets — cloud credentials, tokens, and keys accessible to scanner processes
- Tag-based pinning is not sufficient for supply chain security — commit SHA pinning and signature verification are required
- Organizations that ran Trivy during the compromise window should immediately rotate all CI/CD credentials
- Aqua Security has remediated the affected tags; users should verify binary integrity before resuming use