Trivy Weaponized to Steal CI/CD Secrets Across Developer Pipelines
One of the most trusted tools in the DevSecOps toolkit has been turned against the developers who rely on it. The Trivy open-source container and filesystem vulnerability scanner — with over 32,000 GitHub stars — was compromised by threat actor TeamPCP in a supply chain attack that hijacked 75 of 76 release tags in the official aquasecurity/trivy-action repository, deploying a credential-stealing infostealer into CI/CD pipelines worldwide.
The attack is notable not just for its technical sophistication, but for its choice of target: Trivy is a DevSecOps security tool. By compromising the security scanner itself, TeamPCP achieved a high degree of irony — and a high blast radius.
Attack Overview
| Attribute | Value |
|---|---|
| Target | aquasecurity/trivy-action (GitHub Actions) |
| Threat Actor | TeamPCP (also: DeadCatx3, PCPcat, ShellForce) |
| Attack Type | Supply Chain — GitHub token compromise + tag poisoning |
| Tags Hijacked | 75 out of 76 release tags |
| Payload | TeamPCP Cloud Stealer (infostealer) |
| Secrets Stolen | SSH keys, cloud credentials, K8s tokens, Git tokens, Docker configs, crypto wallets |
| Initial Compromise | 2026-03-19 (~19:00 UTC) |
| Blast Radius | 10,000+ CI/CD workflow files on GitHub referencing trivy-action |
How the Attack Unfolded
Step 1 — GitHub Workflow Misconfiguration Exploited
An autonomous AI bot called hackerbot-claw exploited a pull_request_target misconfiguration in Trivy's GitHub Actions workflows. This misconfiguration allowed the bot to execute workflow code in a privileged context despite originating from a fork, enabling the theft of a Personal Access Token with write access to the repository.
This is a known GitHub Actions attack pattern: a workflow triggered by pull_request_target runs in the context of the base repository, so it receives repository secrets and a write-capable GITHUB_TOKEN even when the pull request comes from a fork. If such a workflow then checks out and executes the pull request's head commit (for example by running the fork's build scripts or tests), anyone who can open a pull request can run their own code with those secrets.
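As an added illustration of that pattern (workflow fragments written for this article, not Trivy's actual workflow files), here is a pull_request_target job that executes fork-controlled code beside a hardened equivalent. The secret name REPO_PAT and the make test step are assumptions:

```yaml
# VULNERABLE (constructed example): pull_request_target grants the base repo's
# secrets, and the job checks out and runs the fork's head commit, so a fork
# contributor's Makefile executes with REPO_PAT in the environment.
name: pr-check
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: make test                                       # runs the fork's Makefile
        env:
          REPO_TOKEN: ${{ secrets.REPO_PAT }}                # hypothetical secret name

---
# HARDENED (constructed example): plain pull_request gives fork PRs no
# repository secrets and a read-only GITHUB_TOKEN; permissions are pinned to
# read, and the action is pinned to a full commit SHA rather than a tag.
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>
      - run: make test
```

If a job genuinely needs pull_request_target (for example to label or comment on the PR), keep it in a separate workflow that never checks out the PR head and never runs code from it; do any build or test work in a pull_request workflow.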
Step 2 — Tag Poisoning
Using the stolen PAT, TeamPCP force-pushed 75 of the 76 existing release tags in the aquasecurity/trivy-action repository. Each poisoned tag now pointed to a malicious commit instead of the legitimate release.
```text
# Before attack:
aquasecurity/trivy-action@v0.29.0 → commit abc123 (legitimate)

# After tag poisoning:
aquasecurity/trivy-action@v0.29.0 → commit xyz999 (malicious payload)
```

Because most CI/CD pipelines reference actions by version tag rather than by commit SHA, workflows that had run safely for months silently started executing the malicious payload on their next run: nothing in the workflow file changed, only what the tag pointed to.
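The check below is an added example, not code from Aqua Security or the article's author: it compares a pre-attack snapshot of tag-to-commit mappings against the output of `git ls-remote --tags` and reports every tag that now resolves to a different commit or has disappeared. It also handles annotated tags, whose peeled `^{}` entry is the commit a workflow actually runs. Both the snapshot and the ls-remote output are constructed placeholders; in practice you would capture the snapshot from a trusted point in time and feed in the live listing. The same logic is what the later advice to monitor for tag mutations amounts to.

```python
"""Detect Git tags that have been moved to a different commit.

Added example for this article, not code from the Trivy project.
The snapshot and the ls-remote output are constructed so this runs offline.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# One line of `git ls-remote --tags <repo>`: "<sha>\trefs/tags/<name>[^{}]"
LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/([^\s^]+)(\^\{\})?$")

# Constructed: what the tags pointed to before the attack window.
PRE_ATTACK_SNAPSHOT: Dict[str, str] = {
    "v0.27.0": "1111111111111111111111111111111111111111",
    "v0.28.0": "2222222222222222222222222222222222222222",
    "v0.29.0": "3333333333333333333333333333333333333333",
    "v0.30.0": "4444444444444444444444444444444444444444",
}

# Constructed: a current listing in which v0.27.0 was deleted, v0.28.0 is
# unchanged, v0.29.0 was moved, and v0.30.0 is an annotated tag whose peeled
# commit was moved.
CURRENT_LS_REMOTE = """\
2222222222222222222222222222222222222222\trefs/tags/v0.28.0
9999999999999999999999999999999999999999\trefs/tags/v0.29.0
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.30.0
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.30.0^{}
"""


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    Annotated tags appear twice: refs/tags/v1 (the tag object) and
    refs/tags/v1^{} (the peeled commit). The peeled entry wins, because the
    commit is what a workflow checks out and executes.
    """
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        m = LS_REMOTE_LINE.match(line.strip())
        if not m:
            continue
        sha, name, is_peeled = m.group(1), m.group(2), m.group(3)
        (peeled if is_peeled else tags)[name] = sha
    tags.update(peeled)
    return tags


def find_moved_tags(snapshot: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (tag, old_sha, new_sha) for every snapshot tag whose commit changed.

    A tag missing from the current listing is reported with new_sha == "" so
    that a deleted tag is not silently treated as clean.
    """
    moved: List[Tuple[str, str, str]] = []
    for tag, old in sorted(snapshot.items()):
        new = current.get(tag, "")
        if new != old:
            moved.append((tag, old, new))
    return moved


def fetch_remote_tags(repo_url: str) -> Dict[str, str]:
    """Live variant: run git ls-remote against a real repository (needs network)."""
    out = subprocess.run(["git", "ls-remote", "--tags", repo_url],
                         check=True, capture_output=True, text=True).stdout
    return parse_ls_remote(out)


if __name__ == "__main__":
    current = parse_ls_remote(CURRENT_LS_REMOTE)
    for tag, old, new in find_moved_tags(PRE_ATTACK_SNAPSHOT, current):
        print(f"TAG MOVED  {tag}: {old[:12]} -> {new[:12] or '(deleted)'}")
```

Run it periodically against the actions your workflows depend on and page on any output; a legitimate release never rewrites an existing tag, so every hit deserves a look.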
Step 3 — Silent Secret Exfiltration
The malicious payload — self-described as "TeamPCP Cloud Stealer" — ran before the legitimate Trivy scanner, making affected workflows appear to complete normally. Internally, it:
- Dumped the memory of the `Runner.Worker` process (the runner process that holds the job's secrets in cleartext)
- Harvested SSH keys, cloud credentials (AWS, Azure, GCP), Kubernetes tokens, database credentials, and cryptocurrency wallet files
- Encrypted the stolen data using AES-256 + RSA-4096
- Exfiltrated the package to a remote C2 server
The malware ran with the full permissions of the CI/CD runner — the same permissions Trivy needs to scan images and filesystems — which in many pipelines means access to deployment credentials, container registries, and production secrets.
The Threat Actor: TeamPCP
TeamPCP (tracked also as DeadCatx3, PCPcat, and ShellForce) is a cloud-native threat actor with a documented history of targeting misconfigured developer infrastructure:
- Known TTPs: Exploiting open Docker APIs, Kubernetes dashboards, Redis servers, and Ray instances
- Prior campaigns: Worm-driven ransomware, cryptomining, data exfiltration
- MO in this attack: Impersonator commits — the attackers spoofed legitimate contributors in their commit messages to blend with normal repository activity
What Was Stolen
The infostealer targeted the high-value secrets that CI/CD pipelines routinely access:
| Secret Type | Examples |
|---|---|
| Cloud credentials | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, Azure service principals, GCP service accounts |
| Container registry tokens | Docker Hub access tokens, ECR credentials, GCR keys |
| Kubernetes | KUBECONFIG, service account tokens, cluster certificates |
| SSH keys | Private keys stored in the runner's ~/.ssh/ directory |
| Git tokens | GITHUB_TOKEN, GitLab PATs, Bitbucket app passwords |
| Crypto wallets | Wallet files, seed phrase files accessible in the build environment |
| Database credentials | Connection strings, passwords from environment variables |
Scope and Impact
With over 10,000 workflow files on GitHub referencing aquasecurity/trivy-action, the potential blast radius of this attack extends across hundreds or thousands of organizations. Any CI/CD pipeline that:
- Referenced Trivy by version tag (not commit SHA) after March 19, 2026 (~19:00 UTC)
- Did not pin to a pre-compromise SHA
- Ran in an environment with access to the secrets listed above
…should be considered potentially compromised.
Remediation
Immediate Steps
```yaml
# VULNERABLE: a version tag, which the attackers were able to move
# (any tag fetched after March 19, 2026 is potentially poisoned)
- uses: aquasecurity/trivy-action@v0.29.0

# SECURE: pin to a specific pre-compromise commit SHA
- uses: aquasecurity/trivy-action@<commit-sha>
```

To find a safe commit SHA, check the Aqua Security security advisory for verified clean hashes; a SHA names one exact commit, so it cannot be redirected the way a tag can. The last known clean release on Docker Hub was Trivy 0.69.3.
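To find the mutable references in your own pipelines, here is an added audit script (not part of the advisory or the Trivy project) that flags every `uses:` line not pinned to a 40-character commit SHA, regardless of which action it references. The workflow text is constructed for the example; in practice point it at the files under .github/workflows/.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this article, not code from Aqua Security or trivy-action.
SAMPLE_WORKFLOW is constructed; pass real workflow paths on the command line.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# `- uses: owner/repo@ref`, with optional quotes and an optional trailing comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow: two tag-pinned actions, one SHA-pinned action,
# a local action, a container reference, and a branch reference.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.29.0
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.29.0
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reference, reason) for each `uses:` not pinned to a SHA."""
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are versioned differently; out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((no, ref, "missing @ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA.match(version):
            findings.append((no, ref, "mutable ref (tag or branch), pin to a 40-char commit SHA"))
    return findings


def audit_files(paths: Iterable[str]) -> List[Tuple[str, int, str, str]]:
    """Run audit_workflow over several files, prefixing each finding with its path."""
    out: List[Tuple[str, int, str, str]] = []
    for p in paths:
        for no, ref, reason in audit_workflow(Path(p).read_text()):
            out.append((str(p), no, ref, reason))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_files(sys.argv[1:])
    else:
        results = [("<sample>", no, ref, why) for no, ref, why in audit_workflow(SAMPLE_WORKFLOW)]
    for path, no, ref, why in results:
        print(f"{path}:{no}: {ref}: {why}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can run as a required check; keep the human-readable version in a trailing comment (as on the SHA-pinned line in the sample) so reviewers still see which release a SHA corresponds to.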
Credential Rotation (If Exposed)
If your pipeline ran trivy-action after March 19, 2026 at ~19:00 UTC:
- Rotate all cloud credentials (AWS IAM keys, Azure service principals, GCP service accounts)
- Revoke and regenerate GitHub tokens for affected repositories
- Rotate Kubernetes service account tokens
- Invalidate Docker registry credentials
- Audit outbound network connections from your CI runners during the attack window
- Review all deployments made during or after the compromise for unauthorized changes
Detect TeamPCP Presence
```bash
# Check for tpcp-docs repositories in your GitHub org
# (TeamPCP planted these as persistence markers)
# --limit raises gh's default of 30 results so large orgs are fully listed
gh repo list YOUR_ORG --limit 1000 --json name | grep tpcp-docs

# Review GitHub Actions logs for trivy-action runs after 2026-03-19T19:00:00Z
# Look for unexpected outbound connections or env variable dumps
```

Broader Lessons: Supply Chain Security
This attack is the second Trivy-related supply chain incident in 2026, underscoring that security tooling itself is a high-value target. Key takeaways for DevSecOps teams:
| Practice | Why It Matters |
|---|---|
| Pin GitHub Actions to commit SHAs | Tags can be rewritten silently; SHAs cannot |
| Restrict pull_request_target workflows | Never check out or run fork-controlled code in a workflow that holds repository secrets |
| Verify release signatures | Use cosign/Sigstore to verify artifacts before execution |
| Monitor for tag mutations | Alert when a known tag now resolves to a different commit |
| Least-privilege CI/CD | Limit which secrets are accessible to scanner/audit steps |
| Audit GitHub org for unexpected repos | TeamPCP-style attackers leave tpcp-docs markers |
Key Takeaways
- TeamPCP compromised Trivy via a `pull_request_target` misconfiguration, stealing a PAT that was then used to force-push malicious tags
- 75 release tags were poisoned; any pipeline referencing these tags after March 19 executed the infostealer
- The infostealer targeted CI/CD secrets: cloud credentials, SSH keys, Kubernetes tokens, and more — all encrypted and exfiltrated
- 10,000+ workflow files referenced the compromised action at the time of attack
- Pin to commit SHAs, not version tags — this is the most important single mitigation for GitHub Actions supply chain risk