The software supply chain again demonstrated its fragility when Trivy, the popular open source vulnerability scanner maintained by Aqua Security, suffered a second compromise in a few weeks that allowed the distribution of malicious code designed to steal secrets from CI/CD environments. The incident affected both the aquasecurity/trivy-action repository, used to run Trivy within GitHub Actions, and aquasecurity/setup-trivy, which makes it easier to set up a specific version of the scanner in workflows.
According to the public investigation, the attacker managed to rewrite most of the version tags in the official action repository and point them to malicious commits that included a credential stealer written in Python. By modifying the tags, the attackers turned supposedly reliable version references into a malware distribution vector, which allowed the payload to execute within GitHub Actions runners and extract sensitive information present in these environments.

The malicious software was designed to search for and collect a wide range of secrets: environment variables, SSH keys, cloud provider credentials, database credentials, Docker configurations, Kubernetes tokens and even cryptocurrency key pairs and coins associated with Solana validators. After collecting that information, the code encrypted it and tried to send it to a server controlled by the attacker; as a fallback, if the direct exfiltration failed, the malware tried to publish the data in a public repository under the victim's GitHub account using a stolen token.
This episode is the continuation of a previous incident that involved an autonomous bot nicknamed hackerbot-claw, which exploited the pull_request_target workflow trigger to obtain a personal access token (PAT) and then used it to publish malicious versions and modify the project infrastructure. Aqua Security itself has acknowledged that, although secrets and tokens were rotated after that initial intrusion, the containment was not complete and some compromised credentials could have remained active during the new manipulation. You can read more about the company's timeline and response in Aqua's official discussion on GitHub.
Several security firms have analyzed the malicious code. The technical reports indicate that the stealer operates in clear stages: it first collects sensitive data from both the memory of the runner process and the file system; then it encrypts the stolen material; and finally it tries to transmit it to a domain controlled by the attacker (identified in the reports as scan.aquasecurtiy[.]org) or, if that does not work, uses the captured token to upload the information to a public repository called "tpcp-docs". Additional reports and technical descriptions are available on research blogs such as Socket, Wiz and Step Security.
In terms of attribution, there are indications that point to an actor known in the ecosystem as TeamPCP (also identified by several aliases). Part of the code is called "TeamPCP Cloud stealer" and technical elements match previous tools attributed to the group, although researchers point out that such self-attribution could be a decoy. For broader context about this threat and its tactics in cloud environments, Elastic Security Labs published a technical analysis that helps to understand the modus operandi of actors like TeamPCP.
The implications for projects and teams that depend on GitHub Actions are clear: version or tag references can no longer be assumed safe if an actor with valid credentials rewrites tags or publishes malicious releases. Therefore, experts recommend avoiding pinning actions to mutable version tags and, instead, using the full commit SHA to ensure that the action executed is exactly the one expected. This technical recommendation was highlighted by Wiz researchers as a practical defense against the type of tag poisoning observed.
If you administer pipelines that use Trivy or its associated actions, the immediate response must be preventive and firm. Aqua Security and the firms that investigated the incident have recommended using a safe version of the software (for example, Trivy 0.69.3, trivy-action 0.35.0 and setup-trivy 0.2.6 according to the reports), treating any secrets that might have been accessible as compromised and rotating them as a matter of priority. In addition, blocking the exfiltration domain and the associated IP address at the network level (given as 45.148.10[.]212 in the analyses) can help mitigate data transmission attempts while the investigation is under way.

Beyond reactive actions, there are important organizational lessons: the credential rotation process must be atomic and verifiable, the permissions granted to tokens and automations must be minimal by design, and security reviews of workflows must include controls to detect unexpected changes in tags or releases. To better understand the persistence that the malware was trying to install on Linux systems through systemd, Red Canary's explanation of systemd persistence provides useful context on how attackers try to maintain access on affected machines.
Finally, this case highlights that software security does not end when code is published: the continuous delivery infrastructure and privileged accounts are critical targets. The combination of technical reviews, secret management practices, and a security-conscious CI configuration is essential to reduce the risk that a legitimate dependency becomes a back door to your secrets. Keep an eye on updates from the maintainers and the security labs investigating the incident, and act with caution if your organization may have used affected versions.
Recommended sources and readings: Socket's analysis of the new wave of compromises (Socket), Wiz's technical report with malware details (Wiz), Step Security's follow-up on the malicious version (Step Security) and Aqua's open discussion on GitHub (Aqua Security).
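One way to implement the control for unexpected tag changes mentioned above, as an added example that is not taken from the cited reports: compare a recorded tag-to-commit baseline with the output of `git ls-remote --tags <repo-url>`. The baseline, tag names and SHAs below are constructed sample data.

```python
def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags` output."""
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            # Peeled entry: the commit an annotated tag resolves to; it takes precedence.
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def tag_drift(baseline, current):
    """Return (moved, deleted, added) between a trusted baseline and the current tags."""
    moved = {t: (baseline[t], current[t])
             for t in baseline if t in current and baseline[t] != current[t]}
    deleted = sorted(t for t in baseline if t not in current)
    added = sorted(t for t in current if t not in baseline)
    return moved, deleted, added

# Constructed baseline recorded at a trusted point in time (SHAs are placeholders).
BASELINE = {"0.33.0": "a" * 40, "0.34.0": "b" * 40, "0.35.0": "c" * 40}

# Constructed `git ls-remote --tags` output: 0.33.0 has been re-pointed,
# 0.34.0 is an annotated tag that still peels to the baseline commit,
# 0.36.0 is a tag that was not in the baseline.
LS_REMOTE = "\n".join([
    "d" * 40 + "\trefs/tags/0.33.0",
    "e" * 40 + "\trefs/tags/0.34.0",
    "b" * 40 + "\trefs/tags/0.34.0^{}",
    "c" * 40 + "\trefs/tags/0.35.0",
    "f" * 40 + "\trefs/tags/0.36.0",
])

if __name__ == "__main__":
    moved, deleted, added = tag_drift(BASELINE, parse_ls_remote(LS_REMOTE))
    for tag, (old, new) in moved.items():
        print(f"ALERT tag {tag} moved: {old[:12]} -> {new[:12]}")
    print("deleted:", deleted, "added:", added)
```

A moved tag on a release that was already published is the signal to investigate; added tags are expected on new releases but are listed so they can be reviewed before being trusted.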