
Trivy Security Scanner GitHub Actions Breach: 75 Tags Hijacked for CI/CD Secret Theft

  • Mar 20
  • 2 min read

Key Findings

* Trivy GitHub Actions repositories compromised for the second time in a month
* 75 out of 76 version tags force-pushed with a malicious payload
* Attacker aims to steal CI/CD secrets, including cloud credentials and cryptocurrency wallets
* Likely perpetrated by the TeamPCP threat actor group
* Compromise stems from incomplete mitigation of the previous security incident

Background


The Trivy vulnerability scanner, maintained by Aqua Security, has experienced a significant security breach in its GitHub Actions repositories. This incident follows a previous compromise in February/March 2026 where an autonomous bot called hackerbot-claw exploited workflow vulnerabilities to steal access tokens.


Attack Methodology


The attackers leveraged compromised credentials to force-push malicious tags across two critical repositories:

* aquasecurity/trivy-action
* aquasecurity/setup-trivy

Instead of creating new releases, the threat actor rewrote existing version tags to point to commits containing a Python-based information stealer. Because a workflow that references an action by tag re-resolves that tag on every run, rewriting the tag delivered the malware through version references consumers already trusted, without creating a new release that standard release mechanisms would surface.
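As an added example (not code from the original post, and not Aqua Security's or GitHub's own tooling), the Python checker below shows the defensive counterpart of the tag rewrite described above: it flags `uses:` references pinned to mutable tags or branches rather than 40-character commit SHAs, reports tags whose current commit differs from a recorded known-good SHA, and rewrites a mutable reference to a SHA pin while keeping the tag as a trailing comment. The workflow text, tag names, SHAs and the `KNOWN_GOOD`/`RESOLVED_NOW` snapshots are constructed placeholders; in practice the current SHAs would come from `git ls-remote --tags` against each action repository.

```python
"""
Added example (not from the original post, and not Aqua Security's or GitHub's
own tooling): flag mutable action references, detect tag drift against a
recorded known-good SHA, and rewrite references to commit SHA pins.
All workflow text, tag names and SHAs below are constructed placeholders.
"""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Group 1: leading indentation/list marker/key; group 2: the action reference.
USES_RE = re.compile(r"^(\s*(?:-\s*)?uses:\s*)['\"]?([^'\"\s#]+)['\"]?")

# Constructed workflow: the 40-hex SHA and the tag names are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.0.0
      - uses: aquasecurity/setup-trivy@main
      - uses: ./.github/actions/local-helper
"""

# Constructed "lockfile": what each tag pointed to when it was last reviewed.
KNOWN_GOOD = {
    ("aquasecurity/trivy-action", "v0.0.0"): "2" * 40,
}
# Constructed snapshot of what the same tags resolve to now (e.g. from `git ls-remote --tags`).
RESOLVED_NOW = {
    ("aquasecurity/trivy-action", "v0.0.0"): "3" * 40,
}


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def parse_uses(workflow_text):
    """Yield (line_no, action, ref) for each remote `uses:` reference."""
    for n, raw in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target = m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        action, _, ref = target.partition("@")
        yield n, action, ref


def check_pins(workflow_text):
    """Flag every reference that a tag or branch rewrite could silently change."""
    findings = []
    for n, action, ref in parse_uses(workflow_text):
        if SHA40.match(ref):
            continue  # immutable: force-pushing a tag cannot move a commit SHA
        reason = "no ref, resolves to default branch" if not ref else "mutable tag or branch"
        findings.append(Finding(n, action, ref, reason))
    return findings


def check_tag_drift(resolved, known_good):
    """Return (action, tag, recorded_sha, current_sha) for every tag that moved."""
    return [
        (action, tag, recorded, resolved[(action, tag)])
        for (action, tag), recorded in known_good.items()
        if (action, tag) in resolved and resolved[(action, tag)] != recorded
    ]


def pin_to_sha(workflow_text, sha_by_ref):
    """Rewrite `action@tag` to `action@<sha> # tag` using a reviewed mapping."""
    out = []
    for raw in workflow_text.splitlines():
        m = USES_RE.match(raw)
        if m:
            action, _, ref = m.group(2).partition("@")
            sha = sha_by_ref.get((action, ref))
            if sha and not SHA40.match(ref):
                raw = f"{m.group(1)}{action}@{sha} # {ref}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in check_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.reason}")
    for action, tag, was, now in check_tag_drift(RESOLVED_NOW, KNOWN_GOOD):
        print(f"tag moved: {action}@{tag} {was[:12]} -> {now[:12]}")
    print(pin_to_sha(SAMPLE_WORKFLOW, {k: v for k, v in KNOWN_GOOD.items()}))
```

The drift check is the part that would have caught this incident: a tag that resolves to a different commit than the one recorded at review time is either a legitimate re-tag or a rewrite, and either way the pipeline should stop until a human compares the two commits. Pinning to the SHA removes the re-resolution entirely, so the comment after the pin exists only to keep the intended version readable.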


Payload Capabilities


The malicious payload operates through three primary stages:

* Harvest environment variables from runner memory and the file system
* Encrypt the collected sensitive data
* Exfiltrate the information to scan.aquasecurtiy[.]org

If direct exfiltration fails, the stealer can use the victim's GitHub account to stage stolen data in a public repository.
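The exfiltration destination above differs from the legitimate aquasecurity.org only by one transposed character pair, which is exactly the kind of near-miss an egress allowlist with an exact-match check lets through. As an added example (not part of the original post), the Python below runs a lookalike-domain check over a constructed runner egress log: it extracts the registrable domain of each destination, computes the optimal string alignment distance to each entry in a constructed trusted-domain allowlist, and raises an alert for any non-allowlisted destination within one edit of a trusted domain. The log format, the allowlist, the `registrable_domain` helper and the distance threshold are assumptions for this example; a production version would use the Public Suffix List for registrable-domain extraction.

```python
"""
Added example (not part of the original post): lookalike-domain detection
over a constructed CI-runner egress log. A single adjacent-character swap,
as in "aquasecurtiy" vs "aquasecurity", costs one edit under optimal string
alignment distance, so such hosts fall inside the alert threshold.
Log format, allowlist and helper functions are assumptions for the example.
"""
import re

# Constructed allowlist of domains a scanning job is expected to contact.
TRUSTED_DOMAINS = ("aquasecurity.org", "github.com", "ghcr.io")

# Constructed egress log: timestamp, job id, destination host, bytes sent.
# The third line uses the lookalike hostname named in the write-up.
SAMPLE_EGRESS_LOG = """\
2026-03-20T10:01:02Z job=scan dst=ghcr.io bytes_out=512
2026-03-20T10:01:09Z job=scan dst=api.github.com bytes_out=2048
2026-03-20T10:01:15Z job=scan dst=scan.aquasecurtiy.org bytes_out=184320
2026-03-20T10:01:20Z job=scan dst=pypi.org bytes_out=301
"""

LOG_RE = re.compile(r"^(\S+) job=(\S+) dst=(\S+) bytes_out=(\d+)$")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host):
    """Last two labels of the hostname. An assumption for this example; real
    deployments should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (verdict, nearest_trusted_domain, distance)."""
    dom = registrable_domain(host)
    if dom in trusted:
        return "trusted", dom, 0
    nearest = min(trusted, key=lambda t: osa_distance(dom, t))
    dist = osa_distance(dom, nearest)
    if dist <= max_distance:
        return "lookalike", nearest, dist
    return "unlisted", nearest, dist


def scan_egress_log(text):
    """Parse the log and return one alert dict per non-trusted destination."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts, job, dst, nbytes = m.groups()
        verdict, nearest, dist = classify_host(dst)
        if verdict != "trusted":
            alerts.append({"ts": ts, "job": job, "dst": dst, "bytes_out": int(nbytes),
                           "verdict": verdict, "nearest": nearest, "distance": dist})
    return alerts


if __name__ == "__main__":
    for a in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"{a['ts']} {a['verdict']:9} {a['dst']} "
              f"(near {a['nearest']}, d={a['distance']}, {a['bytes_out']} B)")
```

The "unlisted" verdict is kept separate from "lookalike" on purpose: a build that reaches a package index it has never contacted before is worth a lower-severity ticket, while a destination one edit away from a trusted vendor domain should block the job. Pairing this with a runner egress policy that denies everything not on the allowlist also removes the fallback path the write-up mentions, since staging data in a public repository still requires an outbound connection the policy can refuse.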


Targeted Credentials


The information stealer specifically targets:

* SSH keys
* Cloud service provider credentials
* Database access tokens
* Git configurations
* Docker credentials
* Kubernetes tokens
* Cryptocurrency wallet details


Threat Actor Profile


Indicators suggest the attack is linked to TeamPCP (also known as DeadCatx3, PCPcat), a cloud-native cybercrime platform specializing in infrastructure breaches and data theft. The payload's self-identification and targeting profile align with the group's known tactics.


Aqua Security's Response


The company acknowledged the breach originated from incomplete containment of the previous incident. Their current remediation steps include:

* Rotating secrets and tokens
* Implementing more restrictive access controls
* Locking down automated actions


Potential Impact


The compromise potentially exposes organizations using Trivy GitHub Actions to significant supply chain risks, with attackers able to harvest sensitive credentials and infrastructure details across multiple environments.


Sources


  • https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html

  • https://x.com/Dinosn/status/2035063962203496613

  • https://x.com/TheCyberSecHub/status/2035052830432927810

  • https://www.reddit.com/r/SecOpsDaily/comments/1rz5303/trivy_security_scanner_github_actions_breached_75/

  • https://www.reddit.com/r/cybersecurity/comments/1rz38mv/trivy_security_scanner_github_actions_breached_75/

© 2025 by Explain IT Again