Aqua Security Trivy CI/CD Pipeline & Tag Poisoning

On March 19, 2026, the widely adopted container vulnerability scanner Trivy was compromised in a major supply chain attack. Cybercrime group TeamPCP poisoned version tags to harvest and exfiltrate runner credentials.

Date:
Severity:
critical
Sources:
7
#ci-cd#github-actions#supply-chain#tag-poisoning#credential-theft

Executive Summary

On March 19, 2026, the widely adopted container vulnerability scanner Trivy (developed by Aqua Security) was compromised in a major supply chain attack tracked as CVE-2026-33634 (GHSA-69fq-xp46-6x23) GitHub Advisory Database. Executed by the cybercrime group TeamPCP (also tracked as UNC6780, PCPcat, DeadCatx3, ShellForce, and CipherForce) Wiz.io Threat Research, the attack targeted key Trivy distribution channels GitHub Advisory Database. The threat actors force-pushed malicious commits to 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy GitHub Advisory Database. Simultaneously, they released a compromised official Trivy binary (v0.69.4) and poisoned container images (v0.69.5 and v0.69.6) on Docker Hub GitHub Advisory Database. The injected payload acted as a memory-scraping credential stealer, harvesting secrets from CI/CD runners via /proc/*/mem and exfiltrating them to an attacker-controlled typosquatted C2 domain scan.aquasecurtiy[.]org Legit Security. If outbound access to the C2 domain failed, the malware deployed a fallback technique, leveraging stolen GitHub tokens to create a public repository named tpcp-docs on the victim’s organization to store encrypted exfiltrated data Palo Alto Networks Unit 42. Defenders must immediately rotate all CI/CD secrets exposed during the incident, verify active runners, and migrate from mutable version tags to pinning immutable commit SHAs GitHub Advisory Database.

Key Facts

threat_type: "CI/CD Pipeline Compromise & Tag Poisoning"
ecosystem: "github-actions, container-images, go"
registry: "GitHub Releases, Docker Hub"
affected_packages:
  - "aquasecurity/trivy-action"
  - "aquasecurity/setup-trivy"
  - "aquasec/trivy"
malicious_versions:
  - "aquasecurity/trivy-action@v0.0.1 - v0.34.2"
  - "aquasecurity/setup-trivy@v0.2.0 - v0.2.6"
  - "trivy-binary@v0.69.4"
  - "aquasec/trivy:0.69.5"
  - "aquasec/trivy:0.69.6"
fixed_versions:
  - "aquasecurity/trivy-action@v0.35.0"
  - "aquasecurity/setup-trivy@v0.2.6 (re-published)"
  - "trivy-binary@v0.69.7"
  - "aquasec/trivy:0.69.7"
safe_versions:
  - "aquasecurity/trivy-action@v0.35.0"
  - "trivy-binary@v0.69.2"
  - "trivy-binary@v0.69.3"
  - "trivy-binary@v0.69.7"
exposure_window: "2026-03-19T08:00:00Z to 2026-03-19T18:00:00Z"
execution_trigger: "Runner execution of workflows containing poisoned actions, or execution of compromised CLI binaries/containers"
primary_impact: "Host memory scraping, secret harvesting, and automated exfiltration via typosquat C2 or public fallback repositories"
known_iocs:
  - "scan.aquasecurtiy[.]org"
  - "tpcp-docs"
confidence: "high"
canonical_source: "https://github.com/advisories/GHSA-69fq-xp46-6x23"

Source Confidence & Evidence Mapping

  • confirmed:
    • Residual active token left during an incomplete, non-atomic credential rotation in late February 2026 allowed attackers repository write access. Source: Wiz.io Threat Research
    • Malicious force-pushing occurred across 76 of 77 historical version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy. Source: GitHub Advisory Database
    • Compromised v0.69.4 binary and container images v0.69.5 and v0.69.6 hosted on Docker Hub contained malicious payloads. Source: GitHub Advisory Database
    • Malicious code attempted memory scraping of runner processes via /proc/*/mem and targeted AWS, GCP, Azure, GitHub, and webhook credentials. Source: Legit Security
  • likely:
    • The campaign is attributed to the cybercrime threat group TeamPCP. Source: Broadcom / Symantec
    • A fallback exfiltration route was triggered upon primary C2 failures, dynamically creating a public repository named tpcp-docs to leak encrypted data. Source: Palo Alto Networks Unit 42
  • unclear:
    • The total number of downstream pipelines and credentials harvested during the active 10-hour exposure window. Source: CrowdStrike Intelligence
  • not_observed:
    • Self-propagating worm capabilities spreading laterally inside victim infrastructure beyond the immediate CI/CD workspace environment. Source: Palo Alto Networks Unit 42

Timeline

  • 2026-02-28T00:00:00Z Aqua Security experiences an initial security incident. Key credentials are rotated, but a single persistent token remains active. Source: Wiz.io Threat Research
  • 2026-03-19T08:00:00Z TeamPCP utilizes the residual credential to gain write access to the Trivy repositories on GitHub. Source: Wiz.io Threat Research
  • 2026-03-19T09:00:00Z Attackers begin force-pushing malicious commits to aquasecurity/trivy-action and aquasecurity/setup-trivy version tags, and upload malicious binary v0.69.4. Source: GitHub Advisory Database
  • 2026-03-19T12:00:00Z Downstream enterprise users report anomalous outbound network connections during pipeline security scans. Source: CrowdStrike Intelligence
  • 2026-03-19T18:00:00Z Aqua Security identifies the compromise, revokes the hijacked write tokens, pulls the malicious releases, and publishes a remediation advisory. Source: GitHub Advisory Database
  • 2026-03-20T09:00:00Z Coordinated security advisories are released detailing the cleanup actions. The incident is cataloged as GHSA-69fq-xp46-6x23. Source: GitHub Advisory Database

What Happened

The attack originated in late February 2026, when Aqua Security experienced an initial security incident Wiz.io Threat Research. Although the security team initiated credential rotations, the remediation process was not fully atomic Wiz.io Threat Research. A single persistent token was left active, which gave the threat actors a lingering foothold Wiz.io Threat Research.

On March 19, 2026, at 08:00 UTC, the cybercrime group TeamPCP leveraged the residual write token to access official Trivy repositories on GitHub Wiz.io Threat Research. Within two hours, the threat actors force-pushed poisoned commits directly into 76 of the 77 version tags for aquasecurity/trivy-action, and all 7 tags in aquasecurity/setup-trivy GitHub Advisory Database. Because Git version tags are mutable, pipelines consuming these actions automatically pulled and executed the poisoned commits Legit Security. Additionally, the attackers published a compromised Trivy binary (v0.69.4) and uploaded two infected container images (v0.69.5 and v0.69.6) on Docker Hub GitHub Advisory Database.

By 12:00 UTC, multiple downstream enterprise environments detected suspicious network requests from security scanning jobs CrowdStrike Intelligence. Aqua Security intervened, revoking the hijacked access credentials, removing the compromised releases, and publishing advisory notices to restrict further downstream damage GitHub Advisory Database. The vulnerability was subsequently logged as CVE-2026-33634 NIST NVD Advisory.

Technical Analysis

Initial Access

The threat actors gained access to Aqua Security’s official repository structures by exploiting a residual API write credential Wiz.io Threat Research. This credential survived a non-atomic credential rotation in late February 2026, leaving a single persistent token active and permitting write operations Wiz.io Threat Research.

Package or Artifact Manipulation

The attackers modified official distribution points in a multi-pronged attack GitHub Advisory Database:

  • Git Tag Poisoning: The attackers force-pushed modified commits directly to historical Git tags in aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Advisory Database.
  • Compromised Binaries: They modified the compilation pipelines of the core Trivy scanner to inject malicious assembly into the compiled v0.69.4 binaries GitHub Advisory Database.
  • Container Poisoning: They rebuilt official Docker Hub container images (v0.69.5 and v0.69.6) incorporating the malicious payload GitHub Advisory Database.

Execution Trigger

The execution trigger occurred automatically whenever a downstream developer pipeline pulled and executed a workflow using uses: aquasecurity/trivy-action or uses: aquasecurity/setup-trivy Legit Security. Alternatively, executing the compromised v0.69.4 binary in CLI operations or running the compromised v0.69.5/v0.69.6 containers initiated runtime execution of the payload GitHub Advisory Database.

Payload Behavior

Once executed in a victim’s CI/CD pipeline or host environment, the malicious payload initiated a highly targeted credential harvesting sequence:

  • Memory Scraping: The payload read active host memory via the /proc/*/mem virtual filesystem to parse environment variables and memory space for active credentials Legit Security.
  • Credential Targets: The malware scanned for AWS/GCP/Azure cloud access keys, Kubernetes service account tokens, GitHub Actions OIDC tokens, SSH private keys, and webhook endpoints for Slack and Discord Legit Security.
  • Data Packaging: The collected secrets were compressed and encrypted using a robust hybrid AES-256 and RSA-4096 encryption scheme to evade deep packet inspection Palo Alto Networks Unit 42.

Exfiltration / C2

domains:
  - "scan.aquasecurtiy.org"
ips: []
urls:
  - "https://scan.aquasecurtiy.org/exfil"
protocols:
  - "HTTPS"
endpoints:
  - "/exfil"
confidence: "high"

The encrypted data was transmitted via HTTPS POST to the attacker-controlled typosquat domain scan.aquasecurtiy[.]org Legit Security.

In instances where outbound network queries to the typosquatted C2 domain were blocked or failed, the payload fell back to an alternative exfiltration path: it utilized the harvested GitHub Personal Access Tokens (PATs) or runner OIDC tokens to authenticate to GitHub, create a public repository named tpcp-docs (or variations like docs-tpcp) within the victim’s own organization, and uploaded the encrypted secrets as a release asset Palo Alto Networks Unit 42. This allowed TeamPCP to bypass outbound firewall restrictions by utilizing legitimate GitHub APIs and using the victim’s own infrastructure as a storage medium Palo Alto Networks Unit 42.

Propagation

The attack did not feature self-propagating worm-like code inside the target network; however, the initial attack vector propagated automatically to all downstream pipelines that used mutable version tags Legit Security.

Obfuscation or Evasion

To evade detection, the attackers employed several techniques:

  • Typosquatting C2: The domain name scan.aquasecurtiy[.]org typosquatted Aqua Security’s real domain aquasecurity.org to escape domain blacklist sweeps and inspection Legit Security.
  • Hybrid Encryption: The exfiltrated data was encrypted using hybrid AES-256 and RSA-4096 encryption, hiding the plaintext credentials from network-layer traffic analyzers Palo Alto Networks Unit 42.
  • Reputation Hijacking: The fallback exfiltration wrote encrypted payloads directly to a public GitHub repository (tpcp-docs) created on the victim’s own GitHub organization, masking illegal data transfer under legitimate GitHub traffic Palo Alto Networks Unit 42.

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "github-actions"
    - "container-images"
    - "go"
  packages:
    - "aquasecurity/trivy-action"
    - "aquasecurity/setup-trivy"
    - "aquasec/trivy"
  versions:
    - "trivy-action@v0.0.1-v0.34.2"
    - "setup-trivy@v0.2.0-v0.2.6"
    - "trivy-binary@v0.69.4"
    - "aquasec/trivy:0.69.5"
    - "aquasec/trivy:0.69.6"
  repositories:
    - "github.com/aquasecurity/trivy-action"
    - "github.com/aquasecurity/setup-trivy"
    - "github.com/aquasecurity/trivy"
  container_images:
    - "aquasec/trivy:0.69.5"
    - "aquasec/trivy:0.69.6"
  CI_CD_systems:
    - "GitHub Actions"
  developer_tools:
    - "Trivy CLI"
  environments:
    - developer workstations
    - CI runners
    - build pipelines
    - containers
    - production systems

credentials_at_risk:
  - AWS access keys
  - GCP service account keys
  - Azure access tokens
  - GitHub Actions OIDC tokens
  - GitHub Personal Access Tokens (PATs)
  - SSH private keys
  - Slack/Discord webhook secrets

not_currently_known_to_affect:
  - CI/CD pipelines running on GitLab or Bitbucket that did not fetch the affected Trivy binaries or container images.

Indicators of Compromise

domains:
  - value: "scan.aquasecurtiy[.]org"
    source: "https://www.legitsecurity.com"
    confidence: "high"
ips: []
urls:
  - value: "https://scan.aquasecurtiy[.]org/exfil"
    source: "https://www.legitsecurity.com"
    confidence: "high"
hashes: []
files: []
package_versions:
  - value: "aquasecurity/trivy-action@v0.0.1-v0.34.2"
    source: "https://github.com/advisories/GHSA-69fq-xp46-6x23"
    confidence: "high"
  - value: "aquasecurity/setup-trivy@v0.2.0-v0.2.6"
    source: "https://github.com/advisories/GHSA-69fq-xp46-6x23"
    confidence: "high"
  - value: "aquasecurity/trivy@v0.69.4"
    source: "https://github.com/advisories/GHSA-69fq-xp46-6x23"
    confidence: "high"
  - value: "aquasec/trivy:0.69.5"
    source: "https://github.com/advisories/GHSA-69fq-xp46-6x23"
    confidence: "high"
  - value: "aquasec/trivy:0.69.6"
    source: "https://github.com/advisories/GHSA-69fq-xp46-6x23"
    confidence: "high"

Detection and Hunting

hunt_queries:
  dependency_lockfiles:
    - "aquasecurity/trivy-action@v2"
    - "aquasecurity/setup-trivy@v0.2.5"
  files: []
  network:
    - "scan.aquasecurtiy[.]org"
  ci_cd_checks:
    - "Audit GitHub workflow files for uses of mutable tags (e.g. `uses: aquasecurity/trivy-action@v2`) instead of SHA-256 hashes."
    - "Check GitHub Actions logs for anomalous outbound HTTP POST requests during the scanning step."
    - "Search GitHub organizations for public repositories matching the name pattern `tpcp-docs` or `docs-tpcp`."
  endpoint_checks:
    - "Scan processes accessing `/proc/*/mem` virtual filesystem during build or test runners."

Remediation Workflow

  • Immediate:
    • Rotate all environment variables, SSH keys, webhook endpoints, and cloud service credentials accessible to workflows using Trivy Actions on March 19, 2026.
    • Remove public repositories named tpcp-docs or docs-tpcp from the GitHub organization and audit their commit and release histories.
    • Force-clean runner environments that executed the affected Trivy tools.
  • Short-term:
    • Upgrade aquasecurity/trivy-action workflows to safe release v0.35.0 or higher.
    • Ensure any installations using the Trivy CLI binary or Docker image are upgraded past v0.69.7 or reverted to known-safe versions (v0.69.2 or v0.69.3).
  • Long-term:
    • Transition all third-party GitHub Actions references in workflow files to use immutable commit SHAs instead of mutable version tags.
    • Implement egress network filtering on CI/CD runners to restrict outbound communication to trusted endpoints.

Defensive Lessons

  • prevent: Avoid the use of mutable tags in CI/CD pipeline actions. Pin all actions to their unique, immutable commit SHA hashes.
  • detect: Monitor runner execution paths for unexpected reads of /proc/*/mem and block non-whitelisted outbound network connections from runners.
  • respond: Ensure that credential rotations are treated as atomic processes, fully revoking all legacy tokens immediately to prevent residual footholds.

Open Questions

  • How many specific downstream customer accounts were accessed via the fallback exfiltration repositories (tpcp-docs) before detection?
  • Are there other developer tools compromised by TeamPCP during this campaign that remain undetected?

Sources

  1. GitHub Advisory Database. Role: DIRECT_SOURCE Impact: Detailed the compromised tags, versions, safe releases, and remediation timeline.
  2. Broadcom / Symantec. Role: PRIMARY_RESEARCH Impact: Detailed threat actor TeamPCP and the broader campaign context.
  3. NIST NVD Advisory. Role: ENRICHMENT_DATA Impact: Formally registered the CVE tracking the vulnerability and details of the supply chain compromise.
  4. Legit Security. Role: PRIMARY_RESEARCH Impact: Documented the memory scraping payload targeting /proc/*/mem and exfiltration to scan.aquasecurtiy[.]org.
  5. Wiz.io Threat Research. Role: PRIMARY_RESEARCH Impact: Uncovered the incomplete, non-atomic credential rotation that left a residual write token active.
  6. CrowdStrike Intelligence. Role: PRIMARY_RESEARCH Impact: Identified outbound CI/CD network anomalies and flagged early indicators.
  7. Palo Alto Networks Unit 42. Role: SECONDARY_ANALYSIS Impact: Analyzed the encryption routine (AES-256 + RSA-4096) and fallback exfiltration repository tpcp-docs.