Trivy under attack: supply chain compromise exposes credentials in pipelines


Just a few days ago, developers and security teams received disturbing news: the popular security scanner Trivy was used as a vector in a supply chain attack. Researchers and the project itself confirmed that an official version of the software and several related GitHub Actions were tampered with to include malware designed to steal credentials and persist on compromised systems.

The initial discovery came from researcher Paul McCarty, who raised the alert about a backdoored version of Trivy (v0.69.4). Subsequent technical analysis by specialized groups, including Socket and Wiz, detailed how the attackers not only published a binary in the release, but also compromised the build process in GitHub Actions and altered the tags of the aquasecurity/trivy-action repository, redirecting almost all version tags to malicious commits.


According to the researchers, the responsible actor (linked to a group known as TeamPCP, also tracked as DeadCatx3 or PCPcat) exploited credentials that had been exfiltrated in an earlier incident in March. With write access to the repository, the attackers force-updated tags: in particular, it was reported that 75 of 76 tags of the trivy-action repository were rewritten, so that external workflows that referenced those tags executed malicious code before running the legitimate Trivy scan.

The deployed sample acted as an infostealer focused on locating secrets. In CI/CD environments, the malicious script gathered reconnaissance information about the runner and scanned memory regions of the GitHub Actions Runner.Worker process looking for JSON strings that defined secrets (patterns containing "isSecret": true). On developer machines, the trojanized binary collected environment variables, examined local files for credentials and listed network interfaces. Analysis shows that the malware was looking for SSH keys, Git configuration files, cloud service tokens (AWS, GCP, Azure), .env files, database credentials, CI/CD configuration such as Jenkins or Terraform, TLS keys, shell histories and even cryptocurrency wallets.

The collected data was packed and encrypted in a file called tpcp.tar.gz, which the malware then tried to exfiltrate to a command and control server on an intentionally typosquatted domain, scan.aquasecurtiy[.]org. If direct exfiltration failed, the malware used an ingenious fallback: it created a public repository called tpcp-docs in the victim's GitHub account and uploaded the stolen data there. To achieve local persistence it also left a payload in ~/.config/systemd/user/sysmon.py and registered it as a system service that polled a remote server to download additional payloads.

A direct clue in the code itself allowed the analysis teams to link the campaign to TeamPCP: one of the Python payloads contained a closing comment that self-identified as "TeamPCP Cloud stealer", and tactics that take advantage of poorly configured infrastructure or stolen tokens fit the activity already documented for that actor, according to Socket researchers. The Aqua Security teams publicly confirmed that the intrusion was possible because the containment of the previous incident was incomplete and that, although secrets were rotated, the process did not guarantee that the renewed tokens had not been intercepted. The organization's statement can be found in its official discussion on GitHub: Aqua Security - discussion.

As for the time windows, the malicious release of Trivy (v0.69.4) was publicly available for approximately three hours, while the compromised GitHub Actions tags remained active for up to twelve hours in some cases, enough time for numerous pipelines to run the code inadvertently. In view of this, the recommendations of the forensic teams were firm: organizations that used the affected versions during the incident period should consider themselves fully compromised, immediately rotate all keys, tokens and passwords, and perform a comprehensive analysis of their systems to detect lateral movement or persistent presence.

The scope of the problem was not limited to Trivy. Research by Aikido linked the same actor to a secondary campaign based on a self-replicating worm called CanisterWorm, which attacks the npm ecosystem. That malware steals npm tokens and automates the publication of malicious updates to the compromised user's packages, spreading extremely quickly: in tests it was observed going through projects and publishing payloads to dozens of packages in less than a minute. To distribute additional payloads, it uses a dead-drop mechanism based on Internet Computer (ICP) canisters, which makes the command and control infrastructure harder to disrupt, as these canisters can only be removed by their controller through a network governance process. More technical details on this vector are available in the Aikido analysis and in the ICP canisters dashboard: Internet Computer - canisters.

The campaign combines two dangerous trends that we have seen in recent years: the preferred targets are tools that are routinely run in pipelines and development environments (that is, points with access to sensitive secrets), and attackers use decentralized or unconventional infrastructure to hide and harden their operation. The result is an attack that can remain invisible during the execution phase (because the trojanized binary runs as part of the legitimate workflow) and can quickly spread to other repositories or packages once it obtains valid tokens.


If you manage pipelines, repositories or cloud environments, several actions should be taken immediately. Check whether your organization ran Trivy v0.69.4 or referenced compromised tags of the trivy-action repository during the indicated windows. Rotate and reissue credentials and tokens, not only in cloud services but also in package managers and GitHub accounts. Audit runners and development machines for persistence (e.g. ~/.config/systemd/user/sysmon.py or other unknown services), look for public repositories with names similar to tpcp-docs in your own or partner accounts, and analyze logs to identify unusual exfiltration or access. The analysis reports are available for mitigation guidance and additional technical information: Socket, the Wiz blog and the Aqua Security discussion.
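A minimal audit for the first and third checks above, as an added example that is not taken from the cited reports. It flags trivy-action references by movable tag or branch, mentions of the v0.69.4 release in workflow files, and the persistence script and staging archive under a home directory; the sample workflow, its tag name, its SHA and the download URL are constructed.

```python
import re
import tempfile
from pathlib import Path

# From the article: action repo, backdoored release, persistence path, archive name.
ACTION, BAD_RELEASE = "aquasecurity/trivy-action", "0.69.4"
PERSISTENCE, ARCHIVE = Path(".config/systemd/user/sysmon.py"), "tpcp.tar.gz"
USES = re.compile(r"\s*-?\s*uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)", re.I)
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit_workflows(repo_root):
    """List (file, line, ref, kind) for trivy-action uses and v0.69.4 mentions."""
    findings = []
    for wf in sorted((Path(repo_root) / ".github/workflows").glob("*.y*ml")):
        for no, line in enumerate(wf.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out steps do not run
            m = USES.match(line)
            if m:
                # Tags and branches can be moved; a full SHA cannot, but must still be known-good.
                kind = "pinned-sha" if FULL_SHA.fullmatch(m.group(1)) else "mutable-ref"
                findings.append((wf.name, no, m.group(1), kind))
            elif "trivy" in line.lower() and BAD_RELEASE in line:
                findings.append((wf.name, no, BAD_RELEASE, "bad-release"))
    return findings

def audit_home(home):
    """Return home-relative paths of the persistence script and staging archive."""
    home = Path(home)
    hits = [str(PERSISTENCE)] if (home / PERSISTENCE).is_file() else []
    return hits + sorted(str(p.relative_to(home)) for p in home.rglob(ARCHIVE))

# Constructed sample workflow (not from a real repository).
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/trivy-action@0.0.0-example
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      # - uses: aquasecurity/trivy-action@master
      - run: curl -LO https://example.invalid/trivy_0.69.4_Linux-64bit.tar.gz
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        for rel, text in ((".github/workflows/scan.yml", SAMPLE), (PERSISTENCE, "#\n")):
            Path(d, rel).parent.mkdir(parents=True)
            Path(d, rel).write_text(text)
        return audit_workflows(d), audit_home(d)
```

Run `audit_workflows()` over each repository checkout and `audit_home()` over each runner or developer home directory; `demo()` exercises both on the constructed tree.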

This incident again underlines that security tools are also valuable targets for attackers: their presence in pipelines and their ability to access artifacts or secrets make them privileged vectors if they are compromised. Maintaining atomic and verifiable key-rotation processes, applying artifact signing and reproducible builds, isolating runners and minimizing the use of broadly scoped credentials in pipelines are measures that reduce risk, but they do not remove the need for rapid response and a prudent assumption of compromise when such breaches occur.

For those who want to go deeper into the original analyses, here are the technical sources cited in this report: Paul McCarty's initial notice on LinkedIn (link), the Socket analysis (link), the Wiz report (link), the official Aqua Security discussion on GitHub (link) and Aikido's analysis of CanisterWorm (link).
