The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions.

Trivy is a popular security scanner that helps identify vulnerabilities, misconfigurations, and exposed secrets across containers, Kubernetes environments, code repositories, and cloud infrastructure. Because developers and security teams commonly use it, it is a high-value target for attackers to steal sensitive authentication secrets.

The breach was first disclosed by security researcher Paul McCarty, who warned that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.

Further analysis by Socket and later by Wiz determined that the attack affected multiple GitHub Actions, compromising nearly all version tags of the trivy-action repository.

Researchers found that threat actors compromised Trivy's GitHub build process, swapping the entrypoint.sh in GitHub Actions with a malicious version and publishing trojanized binaries in the Trivy v0.69.4 release, both of which acted as infostealers across the main scanner and related GitHub Actions, including trivy-action and setup-trivy.

The attackers abused a compromised credential with write access to the repository, allowing them to publish malicious releases. These compromised credentials are from an earlier March breach, in which credentials were exfiltrated from Trivy's environment and not fully contained.

The threat actor force-pushed 75 out of 76 tags in the aquasecurity/trivy-action repository, redirecting them to malicious commits.

As a result, any external workflows using the affected tags automatically executed the malicious code before running legitimate Trivy scans, making the compromise difficult to detect.

Socket reports that the infostealer collected reconnaissance data and scanned systems for a wide range of files and locations known to store credentials and authentication secrets, including:

• Reconnaissance data: hostname, whoami, uname, network configuration, and environment variables
• SSH: private and public keys and related configuration files
• Cloud and infrastructure configs: Git, AWS, GCP, Azure, Kubernetes, and Docker credentials
• Environment files: .env and related variants
• Database credentials: configuration files for PostgreSQL, MySQL/MariaDB, MongoDB, and Redis
• Credential files: including package manager and Vault-related authentication tokens
• CI/CD configurations: Terraform, Jenkins, GitLab CI, and similar files
• TLS private keys
• VPN configurations
• Webhooks: Slack and Discord tokens
• Shell history files
• System files: /etc/passwd, /etc/shadow, and authentication logs
• Cryptocurrency wallets

The malicious script would also scan memory regions used by the GitHub Actions Runner.Worker process for the JSON string "" <name> ":{ "value": "<secret>", "isSecret":true}" to find additional authentication secrets.

On developer machines, the trojanized Trivy binary performed similar data collection, gathering environment variables, scanning local files for credentials, and enumerating network interfaces.

Collected data was encrypted and stored in an archive named tpcp.tar.gz, which was then exfiltrated to a typosquatted command-and-control server at scan.aquasecurtiy[.]org.

If exfiltration failed, the malware created a public repository named tpcp-docs within the victim's GitHub account and uploaded the stolen data there.

To persist on a compromised device, the malware would also drop a Python payload at ~/.config/systemd/user/sysmon.py and register it as a systemd service. This payload would check a remote server for additional payloads to drop, giving the threat actor persistent access to the device.

The attack is believed to be linked to a threat actor known as TeamPCP, as one of the infostealer payloads used in the attack has a "TeamPCP Cloud stealer" comment as the last line of the Python script.

"The malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester. TeamPCP, also tracked as DeadCatx3, PCPcat, and ShellForce, is a documented cloud-native threat actor known for exploiting misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers," explains Socket.

Aqua Security confirmed the incident, stating that a threat actor used compromised credentials from the earlier incident that was not properly contained.

"This was a follow up from the recent incident (2026-03-01) which exfiltrated credentials. Our containment of the first incident was incomplete," explained Aqua Security.

"We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens."

The malicious Trivy release (v0.69.4) was live for approximately three hours, with compromised GitHub Actions tags remaining active for up to 12 hours.

The attackers also tampered with the project’s repository, deleting Aqua Security’s initial disclosure of the earlier March incident.

Organizations that used affected versions during the incident should treat their environments as fully compromised.

This includes rotating all secrets, such as cloud credentials, SSH keys, API tokens, and database passwords, and analyzing systems for additional compromise.

Follow-up attack spreads CanisterWorm via npm

Researchers at Aikido have also linked the same threat actor to a follow-up campaign involving a new self-propagating worm named "CanisterWorm," which targets npm packages.

The worm compromises packages, installs a persistent backdoor via a systemd user service, and then uses stolen npm tokens to publish malicious updates to other packages.

"Self-propagating worm. deploy.js takes npm tokens, resolves usernames, enumerates all publishable packages, bumps patch versions, and publishes the payload across the entire scope. 28 packages in under 60 seconds," highlights Aikido.

The malware uses a decentralized command-and-control mechanism using Internet Computer (ICP) canisters, which act as a dead-drop resolver that provides URLs for additional payloads. 

Using ICP canisters makes the operation more resistant to takedown, as only the canister's controller can remove it, and any attempt to stop it would require a governance proposal and network vote.

The worm also includes functionality to harvest npm authentication tokens from configuration files and environment variables, enabling it to spread across developer environments and CI/CD pipelines.

At the time of analysis, some of the secondary payload infrastructure was inactive or configured with harmless content, but the researchers say this could change at any time.