{"id":340,"date":"2026-03-20T19:10:04","date_gmt":"2026-03-20T19:10:04","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=340"},"modified":"2026-03-20T19:10:04","modified_gmt":"2026-03-20T19:10:04","slug":"trivy-security-scanner-github-actions-breached-75-tags-hijacked-to-steal-ci-cd-secrets","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=340","title":{"rendered":"Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI\/CD Secrets"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI\/CD secrets.<\/p>\n<p>The latest incident impacted GitHub Actions \u00ab<a href=\"https:\/\/github.com\/aquasecurity\/trivy-action\" rel=\"noopener\" target=\"_blank\">aquasecurity\/trivy-action<\/a>\u00bb and \u00ab<a href=\"https:\/\/github.com\/aquasecurity\/setup-trivy\" rel=\"noopener\" target=\"_blank\">aquasecurity\/setup-trivy<\/a>,\u00bb which are used to scan Docker container images for vulnerabilities and set up a GitHub Actions workflow with a specific version of the scanner, respectively.<\/p>\n<p>\u00abWe identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity\/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI\/CD pipelines,\u00bb Socket security researcher Philipp Burckhardt <a 
href=\"https:\/\/socket.dev\/blog\/trivy-under-attack-again-github-actions-compromise\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThese tags were modified to serve a malicious payload, effectively turning trusted version references into a distribution mechanism for an infostealer.\u00bb<\/p>\n<p>The payload executes within GitHub Actions runners and aims to extract valuable developer secrets from CI\/CD environments, such as SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.<\/p>\n<p>The <a href=\"https:\/\/www.stepsecurity.io\/blog\/trivy-compromised-a-second-time---malicious-v0-69-4-release\" rel=\"noopener\" target=\"_blank\">development<\/a> marks the second supply chain incident involving Trivy. 
Towards the end of February and early March 2026, an autonomous bot called hackerbot-claw exploited a \u00abpull_request_target\u00bb workflow to steal a Personal Access Token (PAT), which was then weaponized to seize control of the GitHub repository, delete several release versions, and push two malicious versions of its Visual Studio Code (VS Code) extension to Open VSX.<\/p>\n<p>The first sign of the compromise was <a href=\"https:\/\/www.linkedin.com\/posts\/mccartypaul_heads-up-trivy-version-0694-has-been-share-7440548547609079808-Uloi\/\" rel=\"noopener\" target=\"_blank\">flagged<\/a> by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the \u00abaquasecurity\/trivy\u00bb GitHub repository. The rogue version has since been removed. According to <a href=\"https:\/\/www.wiz.io\/blog\/trivy-compromised-teampcp-supply-chain-attack\" rel=\"noopener\" target=\"_blank\">Wiz<\/a>, version 0.69.4 starts both the legitimate Trivy service and the malicious code responsible for a series of tasks &#8211;<\/p>\n<ul>\n<li>Conduct data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.<\/li>\n<li>Set up persistence by using a <a href=\"https:\/\/redcanary.com\/blog\/threat-detection\/attck-t1501-understanding-systemd-service-persistence\/\" rel=\"noopener\" target=\"_blank\">systemd service<\/a> after confirming that it&#8217;s running on a developer machine. 
The systemd service is configured to run a Python script (\u00absysmon.py\u00bb) that polls an external server to retrieve the payload and execute it.\u00a0<\/li>\n<\/ul>\n<p>In a statement, Itay Shakury, vice president of open source at Aqua Security, <a href=\"https:\/\/github.com\/aquasecurity\/trivy\/discussions\/10425\" rel=\"noopener\" target=\"_blank\">said<\/a> the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. In the case of \u00abaquasecurity\/trivy-action,\u00bb the adversary force-pushed 75 version tags to point to the malicious commits containing the Python infostealer payload without creating a new release or pushing to a branch, as is standard practice. Seven \u00abaquasecurity\/setup-trivy\u00bb tags were force-pushed in the same manner.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsNwdNYcc_SnbNdxXfi9Z2gA_5jJdCiAKz8loJAdu_wzQ6thlkYX6YqoWqXJiZH23-6Ueynq2OCUQe1XZPs6o5h7y7uKqxxn9XEhvkKZbGHzA3OwDpbSRKDJ4Wk7Hulv0f405D5dx_exOCwmWjAuHOrmmYbk1TBvYNkDiuYycm9fpfHSKj0kvI7Od86FVq\/s1700-e365\/hacked.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsNwdNYcc_SnbNdxXfi9Z2gA_5jJdCiAKz8loJAdu_wzQ6thlkYX6YqoWqXJiZH23-6Ueynq2OCUQe1XZPs6o5h7y7uKqxxn9XEhvkKZbGHzA3OwDpbSRKDJ4Wk7Hulv0f405D5dx_exOCwmWjAuHOrmmYbk1TBvYNkDiuYycm9fpfHSKj0kvI7Od86FVq\/s1700-e365\/hacked.jpg\" alt=\"\" border=\"0\" data-original-height=\"904\" data-original-width=\"1600\"\/><\/a><\/div>\n<p>\u00abSo in this case, the attacker didn&#8217;t need to exploit Git itself,\u00bb Burckhardt told The Hacker News. \u00abThey had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed. 
What remains unclear is the exact credential used in this specific step (e.g., a maintainer PAT vs automation token), but the root cause is now understood to be credential compromise carried over from the earlier incident.\u00bb<\/p>\n<p>The security vendor also acknowledged that the latest attack stemmed from incomplete containment of the hackerbot-claw incident. \u00abWe rotated secrets and tokens, but the process wasn&#8217;t atomic, and attackers may have been privy to refreshed tokens,\u00bb Shakury said. \u00abWe are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem.\u00bb<\/p>\n<p>The stealer operates in three stages: harvesting environment variables from the runner process memory and the file system, encrypting the data, and exfiltrating it to the attacker-controlled server (\u00abscan.aquasecurtiy[.]org\u00bb).<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjTs_Xbm79NyRtl34MoMryBBxX2p3v8k361tx6itvNRs0MoHA9DdPF2qpowGORL_xJUoV-FG9fGzE7ERmep4LBZwPcdx_3qtAy-vMnMos-yKwGt_yq5R5-N20k2AG9baRQMDEC9jzuCaLeymAl0AlUveuLLCe6vwajgXAUTIAGAw7jRo1a3bAxMvhoJYc2E\/s1700-e365\/git-actions.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjTs_Xbm79NyRtl34MoMryBBxX2p3v8k361tx6itvNRs0MoHA9DdPF2qpowGORL_xJUoV-FG9fGzE7ERmep4LBZwPcdx_3qtAy-vMnMos-yKwGt_yq5R5-N20k2AG9baRQMDEC9jzuCaLeymAl0AlUveuLLCe6vwajgXAUTIAGAw7jRo1a3bAxMvhoJYc2E\/s1700-e365\/git-actions.jpg\" alt=\"\" border=\"0\" data-original-height=\"1684\" data-original-width=\"2756\"\/><\/a><\/div>\n<p>Should the exfiltration attempt fail, the victim&#8217;s own GitHub account is abused to stage the stolen data in a public repository named \u00abtpcp-docs\u00bb by making use of the captured INPUT_GITHUB_PAT, an environment variable used 
in GitHub Actions to pass a GitHub PAT for authentication with the GitHub API.<\/p>\n<p>It&#8217;s currently not known who is behind the attack, although there are signs that the threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester self-identifies as \u00abTeamPCP Cloud stealer\u00bb in the source code. Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the <a href=\"https:\/\/www.elastic.co\/security-labs\/teampcp-container-attack-scenario\" rel=\"noopener\" target=\"_blank\">group<\/a> is known for acting as a cloud-native cybercrime platform designed to breach modern cloud infrastructure to facilitate data theft and extortion.<\/p>\n<p>\u00abThe credential targets in this payload are consistent with the group&#8217;s broader cloud-native theft-and-monetization profile,\u00bb Socket said. \u00abThe heavy emphasis on Solana validator key pairs and cryptocurrency wallets is less well-documented as a TeamPCP hallmark, though it aligns with the group&#8217;s known financial motivations. 
The self-labeling could be a false flag, but the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.\u00bb<\/p>\n<p>Users are advised to ensure that they are using the latest safe releases &#8211;<\/p>\n<p>\u00abIf you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,\u00bb Shakury said. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for repositories named \u00abtpcp-docs,\u00bb which may indicate successful exfiltration via the fallback mechanism.<\/p>\n<p>\u00abPin GitHub Actions to full SHA hashes, not version tags,\u00bb Wiz researcher Rami McCarthy said. \u00abVersion tags can be moved to point at malicious commits, as demonstrated in this attack.\u00bb<\/p>\n<p><em>(This is a developing story. Please check back for more details.)<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI\/CD secrets. 
The&hellip;<\/p>\n","protected":false},"author":1,"featured_media":341,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[802,534,576,71,804,801,145,47,571,803,800],"class_list":["post-340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-actions","tag-breached","tag-cicd","tag-github","tag-hijacked","tag-scanner","tag-secrets","tag-security","tag-steal","tag-tags","tag-trivy"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=340"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/341"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}