This March, the Trivy ecosystem had its second big security breach. The first was a supply-chain attack that compromised the official GitHub Action used to run Trivy vulnerability scans in CI/CD pipelines. An attacker who still had access to credentials from a previous breach was able to force-push 75 out of 76 version tags in the aquasecurity/trivy-action repository.

These tags were changed to deliver a malicious infostealer payload, turning trusted version references into a way to spread malware. The potential impact is large because the action is referenced in more than 10,000 workflow files on GitHub. Version tag 0.35.0 is the only safe release right now.

Trickster Tag Poisoning Mechanism

The attacker carried out this breach without pushing to a new branch or making a new release, which would have set off alerts and commit history notifications.

Instead, they used stolen credentials to force-update 75 existing version tags to point to new, malicious commits. They replaced the real entrypoint.sh file with an infostealer payload and kept the rest of the codebase the same. The attacker carefully faked the commit metadata to cover their tracks.

They copied the original author names, dates, and commit messages so that the git log looked normal.

[Figure: Socket package page for the compromised aquasecurity/trivy-action GitHub Action, showing a "Known Malware" alert (Source: socket).]

Three-Step Payload and Exfiltration

The malicious script is meant to run in the background before the real Trivy scan starts, so users still see normal scan results and do not know that their system has been compromised.

The malware works in three steps: collecting data, encrypting it, and sending it out. First, it scrapes the GitHub Actions runner processes and filesystem to get private information.

[Figure: GitHub release page for one of the affected releases, 0.33.1, with all the expected information and an "Immutable" badge. The tag was nonetheless force-pushed to a bad commit on the current master, as shown by the comment "0 commits to master since this release" (Source: socket).]

On GitHub-hosted runners, it dumps process memory to get secrets that were added to the environment. On self-hosted runners, it systematically searches the filesystem for SSH keys, cloud provider credentials, database passwords, and cryptocurrency wallets. After collecting the data, the malware encrypts it with AES-256-CBC and wraps the encryption key with RSA-4096.

This makes sure that only the attacker can open the stolen files. The encrypted bundle is then sent to scan[.]aquasecurtiy[.]org, a typosquatted domain.

The malware has a smart way to fall back if this main network connection fails. Using the victim's GitHub access token, it makes a public repository called tpcp-docs on the victim's account and uploads the stolen data as a release asset that the attacker can get back later.

Indicator Type | Details
Network | scan[.]aquasecurtiy[.]org
File Hash (SHA256) | 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a (entrypoint.sh)

The aquasecurity/trivy-action tags 0.0.1 through 0.2.1, 0.33.0, 0.34.2, 0.18.0, and so on have been compromised.

The malware code contains a comment that identifies it as the TeamPCP Cloud stealer; TeamPCP is a hacker group that is known for stealing money from cloud environments. Companies that use the Trivy GitHub Action must act right away.

Instead of using version tags, security teams should pin their workflows to the safe commit SHA or only use tag 0.35.0. Additionally, any pipeline that ran a compromised tag must be considered fully breached, and all accessible secrets, cloud credentials, and API tokens must be rotated right away.
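One way to find affected workflows, as an added example that is not from the original article or the Trivy project: it scans workflow text for aquasecurity/trivy-action references and flags every ref that is neither tag 0.35.0 nor a full commit SHA. The function names, the sample workflow, and the sample SHA are constructed for illustration; the article does not state the safe commit SHA, so known-good SHAs are an input the reader must supply.

```python
import re

ACTION = "aquasecurity/trivy-action"
SAFE_TAG = "0.35.0"  # the only tag the article reports as safe
# Matches "uses: owner/repo[/subpath]@ref", with or without a leading "- ".
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref, trusted_shas=frozenset()):
    """Classify a ref: a full SHA is immutable, every tag or branch is not."""
    ref = ref.lower()
    if SHA_RE.fullmatch(ref):
        # A pin is only as good as the commit behind it, so unknown SHAs need review.
        return "pinned-trusted" if ref in trusted_shas else "pinned-unverified"
    if ref == SAFE_TAG:
        return "safe-tag"  # safe per the article, but a tag can still be moved
    return "mutable-ref"   # any other tag or branch: treat as possibly poisoned

def audit(workflow_text, trusted_shas=frozenset()):
    """Return (line number, ref, status) for each trivy-action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out steps
        m = USES_RE.match(line)
        if m and m.group(1).lower() == ACTION:
            findings.append((lineno, m.group(2), classify(m.group(2), trusted_shas)))
    return findings

# Constructed sample workflow; the 40-character SHA is a made-up placeholder.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.33.1
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.35.0
      # - uses: aquasecurity/trivy-action@0.18.0
      - name: pinned
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE):
        print(f"line {lineno}: {ACTION}@{ref} -> {status}")
```

Any workflow reported as `mutable-ref` that ran during the incident window falls under the rotation advice above.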