Trivy GitHub Actions Hijacked to Steal CI/CD Secrets


The modern software supply chain faces a sophisticated new reality where even the most trusted security tools can be turned into delivery mechanisms for malicious payloads. Trivy, a widely adopted open-source vulnerability scanner maintained by Aqua Security, recently fell victim to a coordinated breach that saw 75 out of 76 version tags hijacked to distribute an information stealer. This incident highlights a critical shift in adversary tactics, moving away from simple typosquatting toward the direct compromise of official repositories to harvest secrets from continuous integration and continuous delivery (CI/CD) pipelines. By gaining control over the GitHub Actions environment, attackers were able to inject malicious code into the automated workflows of thousands of developers, effectively weaponizing the very tools meant to protect them. The breach specifically targeted “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” ensuring a broad reach across the global DevOps ecosystem.

This recent escalation follows a previous security incident in early 2026, where an autonomous bot exploited a specific workflow to seize control of the repository and delete release versions. Security researchers noted that the latest attack likely stemmed from an incomplete containment of that initial breach, allowing the threat actors to retain access through refreshed but still compromised tokens. The primary goal of this campaign was the systematic extraction of high-value developer secrets, ranging from SSH keys and cloud provider credentials to Kubernetes tokens and cryptocurrency wallets. By executing within the privileged environment of a GitHub Actions runner, the malware enjoyed a high level of visibility into the internal configurations of targeted organizations. This level of access transforms a standard build process into a data exfiltration pipeline, where every successful scan inadvertently contributes to the compromise of the underlying infrastructure.

1. Tactical Execution: Engineering the Malicious Release

The creation of the compromised version 0.69.4 involved a highly calculated series of steps designed to bypass standard security checks and automate the distribution of the infection. According to technical post-mortems, the attackers initiated the process by pushing a specific commit that altered the fundamental architecture of the action’s workflow. They replaced the legitimate “actions/checkout” reference with a pointer to an imposter commit hosted on a fraudulent domain. This imposter commit contained a composite action specifically engineered to download malicious Go source files. By redirecting the source of the build components, the adversaries ensured that the final binary would contain their data-stealing logic without altering the visible primary codebase in a way that would immediately trigger manual code review alarms during a cursory glance at the repository’s main branch.

To ensure the infected software reached the end-user without hitting technical roadblocks, the attackers had to circumvent the automated validation processes built into the release pipeline. They achieved this by appending the --skip=validate flag to the GoReleaser tool, which is responsible for compiling and packaging the Trivy binary. This maneuver allowed the malicious code to bypass signature checks and binary integrity validations that would have otherwise flagged the discrepancies between the expected output and the actual compromised file. Once the validation was disabled, the attackers tagged the fraudulent commit as version v0.69.4. This action automatically triggered the CI/CD pipeline to publish the release to official channels, lending the prestige and trust of the Aqua Security brand to a package that was, in reality, a functional piece of malware designed to breach its users.

2. Stealth and Persistence: The Mechanics of Tag Poisoning

A particularly damaging aspect of this campaign was the use of tag poisoning, a technique where attackers force-push existing version tags to point to new, malicious commits. By modifying 75 out of 76 version tags in the “aquasecurity/trivy-action” repository, the threat actors ensured that any developer using a floating tag—such as v0.1 or v0.34—would automatically pull the compromised code during their next scheduled build. This strategy effectively turned the repository’s historical record into a distribution network for the infostealer. Unlike a new release, which might be scrutinized by early adopters, tag poisoning targets users who believe they are operating within a stable, unchanging environment. The attackers exploited valid credentials with sufficient privileges to rewrite these tags, indicating that the root cause was a deep-seated compromise of administrative or automation tokens.
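To make tag poisoning concrete from the defender's side, the following is an added Python example, not code from the article or from Aqua Security. It diffs two snapshots of `git ls-remote --tags` output and reports every tag whose target commit changed, and every tag that disappeared. The tag names and SHAs are constructed placeholders; in practice the baseline snapshot would be taken when the action was last reviewed and the current snapshot would be fetched from the live remote before each build.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `git ls-remote --tags <remote>` output; the SHAs are
# placeholders, not real aquasecurity/trivy-action commits. Annotated tags
# appear twice: the tag object itself and the peeled "^{}" entry that names
# the commit the tag ultimately points at.
LS_REMOTE_BASELINE = """\
1111111111111111111111111111111111111111\trefs/tags/v0.1
2222222222222222222222222222222222222222\trefs/tags/v0.34
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.35.0
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.35.0^{}
3333333333333333333333333333333333333333\trefs/tags/v0.2
"""

# The same remote after a hypothetical force-push: v0.1 and v0.34 now resolve
# to one new commit, v0.2 has been deleted, v0.35.0 is unchanged.
LS_REMOTE_CURRENT = """\
cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v0.1
cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v0.34
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.35.0
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.35.0^{}
"""

LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(\S+)$")


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit SHA.

    For annotated tags the peeled '^{}' entry wins, because that commit is
    what a workflow actually checks out when it says `uses: owner/repo@tag`.
    """
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        match = LS_REMOTE_LINE.match(line.strip())
        if not match:
            continue  # ignore anything that is not a tag ref
        sha, ref = match.groups()
        if ref.endswith("^{}"):
            peeled[ref[:-3]] = sha
        else:
            tags[ref] = sha
    tags.update(peeled)
    return tags


def moved_tags(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (tag, old_sha, new_sha) for each tag whose target commit changed."""
    return [
        (tag, old, current[tag])
        for tag, old in sorted(baseline.items())
        if tag in current and current[tag] != old
    ]


def deleted_tags(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return tags present in the baseline that the remote no longer serves."""
    return sorted(tag for tag in baseline if tag not in current)


def tag_drift_report(baseline_output: str, current_output: str) -> Dict[str, object]:
    """Compare two ls-remote snapshots; 'clean' is False if anything moved or vanished."""
    baseline = parse_ls_remote(baseline_output)
    current = parse_ls_remote(current_output)
    moved = moved_tags(baseline, current)
    deleted = deleted_tags(baseline, current)
    return {"moved": moved, "deleted": deleted, "clean": not moved and not deleted}


if __name__ == "__main__":
    report = tag_drift_report(LS_REMOTE_BASELINE, LS_REMOTE_CURRENT)
    for tag, old, new in report["moved"]:
        print(f"MOVED   {tag}: {old[:12]} -> {new[:12]}")
    for tag in report["deleted"]:
        print(f"DELETED {tag}")
    print("clean" if report["clean"] else "tag drift detected: rebuilds may pull unreviewed code")
```

Because the peeled entry is preferred, the check compares the commits a workflow would actually run rather than tag-object ids, so re-signing an annotated tag without moving it does not raise a false alarm, while a force-push that re-points a lightweight tag does.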

Once the malicious payload is active within a GitHub Actions runner, it initiates a three-stage operation focused on data theft and long-term persistence. The malware first harvests environment variables from the runner’s memory and scans the file system for sensitive files, including Docker configurations and Git credentials. If the malware identifies that it is running on a local developer machine rather than a temporary cloud runner, it attempts to establish persistence by installing a systemd service. This service is configured to run a Python script that continuously polls an external server for updated payloads and instructions. This dual-track approach allows the attackers to either quickly exfiltrate ephemeral secrets from cloud environments or maintain a long-term foothold on local workstations, providing a bridge from the CI/CD pipeline into the broader corporate network.

3. Exfiltration Strategies: Bypassing Detection with Fallback Methods

The exfiltration phase of the attack demonstrates a high degree of adaptability, utilizing both primary and secondary channels to ensure the stolen data reaches the attackers. The primary method involves encrypting the gathered credentials and sending them via an HTTP POST request to a domain designed to mimic legitimate Aqua Security infrastructure. If this direct connection is blocked by firewalls or network security tools, the malware employs a clever fallback mechanism involving the victim’s own GitHub account. It utilizes the “INPUT_GITHUB_PAT” environment variable, which is frequently present in GitHub Actions to allow the runner to interact with the API. Using this stolen token, the malware creates a public repository named “tpcp-docs” within the victim’s organization and uploads the stolen secrets there, effectively using the victim’s infrastructure to stage the data.

Attribution for this attack points toward a threat actor known as TeamPCP, also identified in the industry as DeadCatx3 or CipherForce. This assessment is based on the fact that the credential harvester self-identifies as the “TeamPCP Cloud stealer” within its own source code. This group is recognized for operating a cloud-native cybercrime platform that specializes in breaching modern infrastructure for extortion and financial gain. The inclusion of targets like Solana validator key pairs and various cryptocurrency wallets aligns with the group’s documented history of prioritizing financial assets alongside traditional corporate secrets. Whether this self-labeling is a genuine signature or a sophisticated false flag, the technical sophistication of the tool and its focus on cloud-native environments suggest a professional operation with a deep understanding of modern DevOps workflows.

4. Remediation and Defense: Securing the Development Pipeline

To mitigate the impact of this breach, organizations must immediately audit their use of Trivy-related actions and move to verified safe versions. The identified safe releases are Trivy 0.69.3, Trivy-action 0.35.0, and Setup-trivy 0.2.6. Any workflow that has utilized version 0.69.4 or any force-pushed tags during the period of compromise should be treated as a potential point of entry for attackers. It is essential to inspect the GitHub organization for the presence of repositories titled “tpcp-docs,” as these serve as a definitive indicator of successful data exfiltration. Furthermore, security teams should implement network-level blocks on the known exfiltration domain and the associated IP address 45.148.10.212 to prevent any remaining infected systems from communicating with the attacker’s command-and-control infrastructure.
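The exfiltration fallback described in section 3 and the indicators listed above lend themselves to a simple sweep. The following added Python example (not code from the article or from Aqua Security) checks constructed egress log lines for connections to 45.148.10.212 and a constructed organization repository listing for a repository named tpcp-docs. The log line format, the runner names and the repository entries are assumptions made for this example; only the IP address and the repository name come from the article.

```python
import re
from typing import Dict, List

# Indicators of compromise named in the article.
EXFIL_IP = "45.148.10.212"
STAGING_REPO_NAME = "tpcp-docs"

# Constructed egress log lines in a hypothetical
# "<timestamp> <runner> <dst_ip>:<port> <bytes_out>" format; not real captures.
EGRESS_LOG = [
    "2026-01-10T09:14:05Z runner-03 140.82.112.3:443 2411",
    "2026-01-10T09:14:09Z runner-03 45.148.10.212:443 18320",
    "2026-01-10T09:15:44Z runner-07 145.148.10.212:443 512",   # different host, must not match
    "2026-01-10T09:16:01Z runner-07 45.148.10.212:80 9731",
    "garbage line that does not parse",
]

# Constructed organization repository listing (name + visibility per entry,
# as a CLI or API dump would give); the repositories are invented.
ORG_REPOS = [
    {"name": "payments-api", "visibility": "private"},
    {"name": "TPCP-Docs", "visibility": "public"},
    {"name": "docs", "visibility": "public"},
]

EGRESS_LINE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\d+)$")


def exfil_connections(lines: List[str]) -> List[Dict[str, object]]:
    """Return parsed connections whose destination is exactly the exfil IP.

    The address is compared as a whole field, not as a substring, so a host
    such as 145.148.10.212 is not reported by mistake.
    """
    hits = []
    for line in lines:
        match = EGRESS_LINE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        ts, runner, ip, port, nbytes = match.groups()
        if ip == EXFIL_IP:
            hits.append({"time": ts, "runner": runner, "port": int(port), "bytes_out": int(nbytes)})
    return hits


def staging_repos(repos: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return repositories whose name matches the staging repo, case-insensitively."""
    return [r for r in repos if r["name"].lower() == STAGING_REPO_NAME]


def ioc_sweep(log_lines: List[str], repos: List[Dict[str, str]]) -> Dict[str, object]:
    """Combine both checks into one verdict plus the evidence behind it."""
    conns = exfil_connections(log_lines)
    repo_hits = staging_repos(repos)
    return {
        "exfil_connections": conns,
        "affected_runners": sorted({c["runner"] for c in conns}),
        "staging_repos": [r["name"] for r in repo_hits],
        "compromised": bool(conns or repo_hits),
    }


if __name__ == "__main__":
    result = ioc_sweep(EGRESS_LOG, ORG_REPOS)
    for c in result["exfil_connections"]:
        print(f"{c['time']} {c['runner']} -> {EXFIL_IP}:{c['port']} sent {c['bytes_out']} bytes")
    for name in result["staging_repos"]:
        print(f"staging repository present: {name}")
    print("verdict:", "compromised, rotate all pipeline secrets" if result["compromised"] else "no indicators found")
```

A hit on either indicator should be treated as confirmed exfiltration for every secret the affected runners could read, which is why the sweep reports the runner names: they map directly onto the workflows whose secrets must be rotated.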

The most effective long-term defense against tag poisoning and similar supply chain attacks is the transition from version tags to immutable commit SHA hashes. While version tags are convenient for receiving updates, they are essentially pointers that can be moved by anyone with write access to the repository. In contrast, a full SHA hash is a unique identifier for a specific state of the code; it cannot be altered without changing the hash itself. By pinning GitHub Actions to these hashes, developers ensure that the code running in their pipeline is exactly what they reviewed and approved. Additionally, if a breach is suspected, it is mandatory to rotate every secret, token, and key that was accessible to the CI/CD environment. Treating all pipeline secrets as compromised is the only way to ensure that the attackers cannot use stolen credentials to maintain access after the initial malware has been removed.
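As an added example of the pinning advice (not code from the article or from Aqua Security), the Python below audits the `uses:` references in a constructed workflow, rates floating references to the two affected actions as high severity, and rewrites each reviewed tag to its full commit SHA while keeping the original tag in a trailing comment for readability. The workflow text, the tag-to-SHA mapping and the SHAs themselves are placeholders; a real mapping would be produced by resolving each tag with `git ls-remote` after the code at that tag has been reviewed.

```python
import re
from typing import Dict, List

# Constructed workflow file; not taken from any real repository.
WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@v0.34
        with:
          scan-type: fs
      - uses: ./.github/actions/internal-lint
      - uses: docker://alpine:3.19
"""

# Placeholder SHAs standing in for what `git ls-remote --tags` would return
# for each reviewed tag; they are not real commits.
RESOLVED: Dict[str, str] = {
    "actions/checkout@v4": "a" * 40,
    "aquasecurity/setup-trivy@v0.2.6": "b" * 40,
    "aquasecurity/trivy-action@v0.34": "c" * 40,
}

USES_LINE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s#]+)(.*)$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Actions named in the article as hijacked: a floating ref here is the worst case.
HIGH_RISK_REPOS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}


def audit_uses(workflow: str) -> List[Dict[str, object]]:
    """Classify every remote `uses:` reference as pinned (full SHA) or floating."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        match = USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are outside this check
        repo_path, _, version = ref.partition("@")
        repo = "/".join(repo_path.split("/")[:2])  # drop any sub-directory part
        pinned = bool(FULL_SHA.match(version))
        severity = "ok" if pinned else ("high" if repo in HIGH_RISK_REPOS else "medium")
        findings.append({"line": lineno, "action": repo, "ref": version,
                         "pinned": pinned, "severity": severity})
    return findings


def pin_workflow(workflow: str, resolved: Dict[str, str]) -> str:
    """Rewrite floating refs with a known SHA to `repo@<sha> # <tag>`; leave the rest."""
    out = []
    for line in workflow.splitlines():
        match = USES_LINE.match(line)
        if match:
            prefix, ref, rest = match.groups()
            repo_path, _, version = ref.partition("@")
            if version and not FULL_SHA.match(version) and ref in resolved:
                line = f"{prefix}{repo_path}@{resolved[ref]} # {version}{rest}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_uses(WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {f['severity']}")
    print(pin_workflow(WORKFLOW, RESOLVED))
```

Keeping the tag in the comment preserves the human-readable version for reviewers and dependency-update tooling, while the SHA is what the runner resolves, so a later force-push of that tag no longer changes what the pipeline executes.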

5. Forward-Looking Insights: Strengthening Pipeline Integrity

The Trivy incident serves as a stark reminder that the security of a tool is only as strong as the security of the pipeline that delivers it. Moving forward, the industry must adopt a more “atomic” approach to secret rotation and permission management to ensure that a single compromised token does not lead to a recurring cycle of breaches. Aqua Security has indicated a shift toward more restrictive automated actions and token lockdowns, a move that other open-source maintainers would be wise to emulate. The reality of modern software development is that dependencies are deep and often opaque, making it necessary to implement zero-trust principles even within internal build processes. This includes monitoring for unauthorized “pull_request_target” executions and ensuring that administrative credentials are never stored in a way that allows for automated exploitation.

The cascading impact of this attack, which reportedly led to the compromise of several npm packages via a self-propagating worm, underscores the interconnectedness of the global software ecosystem. A single breach in a popular security tool can have a multiplier effect, providing attackers with the keys to thousands of other projects. Therefore, the next step for organizations is not just to patch the current vulnerability but to fundamentally rethink how they trust third-party actions. Implementing mandatory code signing for all CI/CD components and utilizing ephemeral, short-lived tokens for all automated tasks can significantly reduce the window of opportunity for threat actors. By treating the CI/CD pipeline as a high-value target that requires the same level of protection as production servers, the developer community can begin to build a more resilient foundation against the evolving threat landscape of 2026.
