The modern development lifecycle relies heavily on the assumption that automated security tools are inherently secure, yet the recent compromise of the official Trivy GitHub Action demonstrates how fragile this trust can be. Security researchers uncovered a massive supply chain breach in late March 2026 that effectively weaponized one of the most popular container scanning tools in the ecosystem. By exploiting residual write access from a previous credential leak, attackers managed to compromise 75 out of 76 existing version tags for the aquasecurity/trivy-action repository. This was not a simple case of a new, malicious version being released; instead, the threat actors force-pushed malicious updates to established, trusted tags like 0.33.0 and 0.18.0. This tactical choice allowed the breach to bypass standard automated alerts that typically flag new or suspicious releases. With over 10,000 GitHub workflows affected, the blast radius of this tag poisoning incident has forced organizations to re-evaluate their reliance on mutable version references.
Tactics of the Supply Chain Intrusion
The Strategy of Tag Poisoning
The technical execution of this attack relied on a sophisticated understanding of how developers manage dependencies within the GitHub ecosystem. By force-pushing updates to existing tags, the attackers ensured that any pipeline configured to use those specific versions would automatically pull the compromised code without any manual intervention from the development teams. This approach exploited the fundamental nature of Git tags as mutable pointers, which can be redirected to different commits if a user possesses the necessary administrative permissions. In this instance, the threat actors leveraged lingering credentials that had not been fully revoked following an earlier, less publicized security incident. This persistent access allowed them to overwrite the history of the repository across nearly its entire versioning timeline. Consequently, even legacy projects that had not been updated in months were suddenly executing malicious code during their routine build processes, illustrating a significant vulnerability in standard devops workflows.
The scale of the “tag poisoning” technique is particularly alarming because it targets the very foundation of secure software delivery. When a developer pins a workflow to a version like v0.18.0, they expect a static, immutable piece of software that has already passed security audits and community vetting. However, the attackers demonstrated that without cryptographic verification, these version labels provide only a false sense of security. The impact was felt across a diverse range of industries, as the Trivy action is a staple for teams performing vulnerability scans on Docker images and Kubernetes configurations. Because the malicious updates were pushed to established tags, security monitoring tools that look for new or unknown dependencies remained silent. This allowed the breach to persist undetected for a critical window of time, during which thousands of sensitive environments were exposed to unauthorized code execution. The incident serves as a stark reminder that the security of a CI/CD pipeline is only as strong as the weakest link in its third-party dependency chain.
Forgery and Malicious Script Injection
To maintain an aura of legitimacy and avoid detection by human auditors, the threat actors went to great lengths to forge the repository logs. They meticulously cloned the original author names, timestamps, and commit messages from the legitimate history of the repository. When a developer looked at the commit history of a compromised tag, the changes appeared to be consistent with the established development pattern of the Aqua Security team. This level of social engineering within the code repository itself meant that even a cursory manual review of the recent changes might not have raised immediate red flags. By blending in with the expected behavior of the project maintainers, the attackers were able to minimize the risk of early discovery. This camouflage was essential for the primary objective of the campaign, which was to remain embedded in as many active pipelines as possible for the longest possible duration. Such attention to detail highlights a shift toward more professional and disciplined operations in contemporary supply chain attacks.
At the heart of the technical compromise was the replacement of the standard entrypoint.sh file with a heavily modified malicious script. While the original script is designed to initialize the Trivy environment and execute security scans, the forged version contained 204 lines of code dedicated to the “TeamPCP Cloud stealer” malware. This script was engineered to execute immediately upon the start of the GitHub Action, ensuring that the data collection process began before the actual security scan could even take place. This preemptive execution is a classic characteristic of modern infostealers, which seek to harvest credentials and environment variables while the system is in its most active and vulnerable state. The malicious code was written to be platform-agnostic, allowing it to operate effectively across various runner configurations. By hijacking the entry point of the container, the attackers gained complete control over the execution context, enabling them to bypass internal security checks and establish a foothold within the temporary environment of the CI/CD runner.
Impact and Mitigation Strategies
Deep Dive into Information Theft
The data collection phase of the TeamPCP malware was designed to be both highly targeted and exceptionally thorough. In environments using GitHub-hosted Linux runners, the malware actively exploited passwordless sudo privileges to perform deep memory analysis. By dumping the process memory of the current execution environment, the script was able to extract sensitive secrets and session tokens directly from the heap. This method is particularly effective because many applications and environment managers store credentials in memory in plaintext during the duration of a build or deployment process. The ability to scrape this data without triggering traditional filesystem monitoring tools makes memory-based exfiltration a potent threat. Furthermore, the malware was programmed to identify specific patterns related to authentication headers and temporary access keys. This ensured that the attackers could gather the most valuable information with minimal overhead, focusing their efforts on the high-value targets that would provide the greatest level of access to the victim’s broader cloud infrastructure.
On self-hosted runners or environments where memory dumping was less feasible, the malware transitioned to a robust filesystem scraping routine powered by Python. This script systematically searched for high-value targets including SSH keys, cloud provider configurations for AWS, Azure, and Google Cloud Platform, and database connection strings. It also targeted cryptocurrency wallet files and specialized configuration data that could provide a map of the internal network architecture. The versatility of this approach allowed the attackers to maximize their haul regardless of the specific setup used by the victim organization. By automating the search for these files, the malware could complete its collection process in a matter of seconds. This efficiency was critical, as CI/CD runners are often short-lived ephemeral environments that disappear once a job is completed. The speed and breadth of the data collection demonstrate a clear intent to move laterally from the initial breach point into the wider corporate network, using the harvested credentials as a springboard for further attacks.
Response and Future Security Hardening
Once the data was collected, the malware employed sophisticated encryption protocols to ensure that the stolen information remained protected during transit. The harvested data was compressed and then encrypted using a combination of AES-256-CBC and RSA-4096. This multi-layered encryption approach meant that even if the exfiltration attempt was intercepted by network monitoring tools, the contents of the data bundle would remain unreadable to anyone without the attacker’s private key. The primary exfiltration route involved sending the encrypted package to a typosquatted domain, specifically scan[.]aquasecurtiy[.]org, which was designed to look like a legitimate endpoint associated with the tool’s original developers. By mimicking the naming conventions of the official security scanning service, the attackers hoped to blend in with legitimate telemetry traffic. This use of deceptive infrastructure is a common tactic intended to exploit the visual biases of security analysts who might overlook a minor spelling variation in a high-volume traffic log during their daily monitoring tasks.
If the primary exfiltration channel failed or was blocked by firewall rules, the TeamPCP malware implemented a creative secondary method that utilized the victim’s own infrastructure. The script was programmed to use the GitHub Personal Access Token found within the runner environment to programmatically create a new public repository under the victim’s account named tpcp-docs. The stolen and encrypted data bundle was then uploaded as a release asset to this newly created repository. This technique not only ensured that the data was successfully moved off the local runner but also placed the burden of hosting the stolen data on the victim themselves. This forced the victim to inadvertently participate in the breach of their own security. By using the GitHub API in this manner, the attackers could bypass many traditional data loss prevention systems that might flag traffic to unknown external domains but allow legitimate traffic to GitHub’s own infrastructure. This secondary exfiltration path highlighted the strategic depth of the attack and the importance of strictly limiting the scope of tokens.
The resolution of the Trivy Action breach required a massive coordinated response from the security community to mitigate the widespread exposure of sensitive infrastructure. Organizations were advised to immediately transition away from using mutable version tags and instead adopt the practice of pinning actions to specific, immutable commit SHAs. While version 0.35.0 was eventually identified as a clean release, the incident demonstrated that cryptographic verification is the only reliable way to ensure the integrity of third-party dependencies in modern pipelines. For teams that had already executed a poisoned tag, the recommended protocol involved a comprehensive rotation of all secrets, including cloud credentials and API keys, alongside a rigorous audit of their GitHub organizations for unauthorized repositories. This event successfully shifted the industry’s perspective on supply chain security, highlighting the necessity of zero-trust principles within automated build environments. Security practitioners ultimately prioritized the implementation of automated dependency verification tools to prevent similar occurrences in the future.
