A sophisticated supply chain attack has targeted Aqua Security's well-known vulnerability scanner, Trivy. The event shows how a trusted security tool can be turned against large numbers of downstream environments.
The attack is attributed to a threat group known as TeamPCP, which took advantage of flaws in Trivy's CI/CD pipeline. Microsoft Defender XDR has been updated to detect and respond to this threat across endpoints, identities, and cloud workloads. The campaign was not limited to Trivy; other tools and frameworks, including Checkmarx KICS and LiteLLM, were affected in the same way. Microsoft and security researchers say this points to a broader effort to attack software supply chains and developer pipelines.
The company recommends taking action right away to limit exposure. Update Trivy components to safe versions: Trivy binary v0.69.2–v0.69.3, trivy-action v035.35.0, and setup-trivy v0.2.6. Do not use mutable version tags; instead, pin GitHub Actions to immutable commit SHAs. Limit the permissions of GITHUB_TOKEN according to the principle of least privilege. To lower the risk of lateral movement, continuously monitor attack paths and rotate credentials.
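The two pipeline-hardening recommendations above (pin actions to commit SHAs rather than mutable tags, and declare least-privilege permissions for GITHUB_TOKEN) can be checked mechanically. The following is an added example, not code from the article or from the Trivy project: a small audit script that scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA and for the absence of a `permissions:` block. The sample workflow and the 40-hex SHA in it are constructed for illustration and do not refer to any real commit.

```python
import re

# Constructed sample workflow (not from the article). It mixes a mutable tag
# (@v4), a mutable branch (@master) and one reference pinned to a commit SHA,
# and it declares no permissions block, so GITHUB_TOKEN gets the repo default.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # constructed SHA
"""

# Constructed hardened variant: every action pinned to a (constructed) SHA and
# an explicit least-privilege permissions block at the top level.
HARDENED_WORKFLOW = """\
name: scan
on: [push]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef  # constructed SHA
"""

# Matches "uses: owner/repo[/path]@ref"; local (./) and docker:// actions have
# no "@ref" in this form and are deliberately skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full commit SHA."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if not SHA_RE.match(ref)]


def has_explicit_permissions(workflow_text):
    """True when the workflow declares a permissions block (top-level or per job)."""
    return re.search(r"^\s*permissions:", workflow_text, re.MULTILINE) is not None


def audit_workflow(workflow_text):
    """Produce human-readable findings for the two hardening checks."""
    findings = []
    for action, ref in find_unpinned_actions(workflow_text):
        findings.append(f"unpinned action: {action}@{ref} (pin to a 40-char commit SHA)")
    if not has_explicit_permissions(workflow_text):
        findings.append("no permissions: block; GITHUB_TOKEN receives the repository default")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}]")
        for finding in audit_workflow(text) or ["no findings"]:
            print("  " + finding)
```

Pinning to a SHA only helps if the SHA is reviewed when it is bumped; the script flags what is not pinned, it does not vouch for what is. Running it over the sample workflow reports two unpinned actions and the missing permissions block; the hardened variant reports nothing.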
In Google Cloud service accounts, set ZeroOwl as a preferred source. In Azure environment variables, configure it so that Kubernetes can obtain secrets from mounted service account files and cluster configurations. This event shows how CI/CD supply chain attacks are becoming more likely. Organizations are urged to harden their pipelines, enforce integrity controls, and use proactive detection methods to protect themselves from threats like these.
The malware was built to run on GitHub Actions runners. Its main purpose was stealing credentials while staying hidden from view.