Context
Trivy, the popular open-source vulnerability scanner by Aqua Security, was the target of a sophisticated supply chain attack tracked as CVE-2026-33634 (GHSA-69fq-xp46-6x23). A threat actor (TeamPCP / DeadCatx3) injected malicious code into Trivy binaries, container images, and GitHub Actions.
Attack Timeline
Phase 1 — Initial Access (late February 2026)
The attacker exploited a misconfiguration in Trivy's GitHub Actions environment to extract a privileged access token, gaining a foothold into release automation.
Phase 2 — Tag Hijacking (March 19, ~17:43 UTC)
- Force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy, redirecting trusted references to malicious commits.
- Published a malicious Trivy binary as v0.69.4 via the compromised aqua-bot service account.
- The malicious commit swapped actions/checkout for an imposter commit containing a composite action that downloaded malicious Go source from a typosquatted domain.
- Release validation was bypassed via --skip=validate in goreleaser.
Phase 3 — Docker Hub Compromise (March 22)
Pushed malicious Docker Hub images v0.69.5 and v0.69.6 using compromised Docker Hub credentials.
Root Cause
Credential rotation following the initial February breach was not atomic — not all credentials were revoked simultaneously — allowing the attacker to exfiltrate newly rotated secrets during the rotation window.
Impact
- Payload executed within GitHub Actions runners before legitimate Trivy scanning logic — compromised workflows appeared normal.
- Exfiltrated data: SSH keys, AWS/GCP/Azure credentials, database credentials, Git and Docker configs, Kubernetes tokens, crypto wallets.
- Exposure windows: ~3 hours (Trivy binary), ~12 hours (trivy-action).
Indicators of Compromise (IOCs)
C2 infrastructure:
- Domain: scan.aquasecurtiy.org (typosquat of aquasecurity.org)
- IP: 45.148.10.212
- Fallback: ICP canister tdtqy-oyaaa-aaaae-af2dq-cai (serves kamikaze.sh)
Exfiltration artifacts: payload.enc, tpcp.tar.gz
GitHub indicator: a public repository named tpcp-docs created in the victim's account, with encrypted data uploaded as release assets
Compromised versions: Trivy v0.69.4, trivy-action v0.69.4, setup-trivy (all tags), Docker Hub images v0.69.5 and v0.69.6
Malware self-identification: "TeamPCP Cloud stealer" — data encrypted with AES-256 + RSA-4096
Detection: check whether a repository named tpcp-docs was created under any account in your GitHub organization. Review GitHub Actions logs for outbound connections to scan.aquasecurtiy.org or 45.148.10.212, and for downloads of Trivy v0.69.4 or pulls of the v0.69.5/v0.69.6 images.
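The sweep described above, written out as an added example (not code from Aqua Security or from the advisory). The indicator values are the ones listed on this page; the Actions log lines and the repository listing are constructed sample input so the script runs offline, and the match logic is a plain substring/regex match, not a replacement for a proper SIEM query.

```python
"""IOC sweep for the Trivy / trivy-action compromise.

Added example. IOC values are taken from the advisory text; SAMPLE_LOG and
SAMPLE_REPOS are constructed, not real logs.
"""
import re
from dataclasses import dataclass

# Indicators from the advisory.
IOC_DOMAIN = "scan.aquasecurtiy.org"        # typosquat of aquasecurity.org
IOC_IP = "45.148.10.212"
IOC_CANISTER = "tdtqy-oyaaa-aaaae-af2dq-cai"  # ICP canister fallback C2
IOC_ARTIFACTS = ("payload.enc", "tpcp.tar.gz", "kamikaze.sh")
IOC_REPO_NAME = "tpcp-docs"                 # attacker's fallback exfil repo
# Malicious Trivy binary (v0.69.4) and Docker Hub images (v0.69.5, v0.69.6).
COMPROMISED_TRIVY = {"0.69.4", "0.69.5", "0.69.6"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    line: str


# Version strings such as "v0.69.4" or "trivy:0.69.5".
_VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")


def scan_actions_log(lines):
    """Return a Hit for every indicator found in each log line, in line order.

    Domain, canister ID and artifact names are matched case-insensitively;
    the IP is matched literally. A line may yield several hits.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        if IOC_DOMAIN in low:
            hits.append(Hit(n, "domain", line))
        if IOC_IP in line:
            hits.append(Hit(n, "ip", line))
        if IOC_CANISTER in low:
            hits.append(Hit(n, "icp-canister", line))
        for art in IOC_ARTIFACTS:
            if art in low:
                hits.append(Hit(n, f"artifact:{art}", line))
        # Only flag a compromised version number when the line is about trivy,
        # so unrelated tools that happen to share a version string are skipped.
        for ver in _VERSION_RE.findall(line):
            if ver in COMPROMISED_TRIVY and "trivy" in low:
                hits.append(Hit(n, f"trivy-version:{ver}", line))
    return hits


def find_exfil_repos(repo_names):
    """Return full names ("org/repo") whose repo part is the tpcp-docs IOC."""
    return [r for r in repo_names if r.rsplit("/", 1)[-1].lower() == IOC_REPO_NAME]


# Constructed sample input (not real logs or repositories).
SAMPLE_LOG = [
    "2026-03-19T17:50:02Z Run aquasecurity/trivy-action@v0.28.0",
    "2026-03-19T17:50:03Z Downloading trivy v0.69.4 ...",
    "2026-03-19T17:50:04Z curl -fsSL https://scan.aquasecurtiy.org/kamikaze.sh",
    "2026-03-19T17:50:05Z Connecting to 45.148.10.212:443",
    "2026-03-19T17:50:06Z Uploading tpcp.tar.gz",
    "2026-03-19T17:50:07Z Scanning image myapp:1.2.3 with trivy",
]
SAMPLE_REPOS = ["example-org/backend", "example-org/tpcp-docs", "example-org/docs"]

if __name__ == "__main__":
    for h in scan_actions_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator}: {h.line}")
    print("exfil repos:", find_exfil_repos(SAMPLE_REPOS))
```

On the sample input the sweep reports five hits (the v0.69.4 download, the typosquat domain and kamikaze.sh on the same line, the C2 IP, and the tpcp.tar.gz upload) and one tpcp-docs repository; the legitimate trivy-action line and the unrelated 1.2.3 image tag are not flagged.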
Remediation
- Move to a known-good version immediately: Trivy v0.69.2 or v0.69.3 (clean releases that predate the malicious v0.69.4), trivy-action v0.35.0, setup-trivy v0.2.6.
- Rotate all secrets accessible to any affected workflow — treat them as compromised.
- Audit GitHub accounts for tpcp-docs repositories (the attacker's fallback exfiltration mechanism).
- Pin GitHub Actions to immutable commit SHA hashes instead of mutable version tags.
- Verify installations using cosign/sigstore with pre-March 19 signing timestamps.
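Two of the steps above, pinning actions to commit SHAs and catching retargeted tags like the Phase 2 force-push, as an added example that is not Aqua Security's or the advisory's code. The workflow text, the known-good SHA allowlist and the before/after tag snapshots are constructed for the demonstration; real SHAs must come from your own records, and the script does not contact GitHub.

```python
"""Audit workflows for mutable Trivy action references and detect
force-pushed tags.

Added example. SAMPLE_WORKFLOW, KNOWN_GOOD, TAGS_BEFORE and TAGS_AFTER are
constructed; the SHAs are placeholders, not real commits.
"""
import re

# Actions named in the advisory.
WATCHED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
# "uses: owner/repo[/subpath]@ref" lines in a workflow file.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, known_good):
    """Return (reference, reason) for each watched action reference that is
    either a mutable ref (tag or branch name) or a full commit SHA that is
    not in the known-good allowlist.

    known_good maps "owner/repo" to a set of trusted 40-hex commit SHAs.
    """
    findings = []
    for m in _USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action not in WATCHED_ACTIONS:
            continue
        if not _SHA_RE.match(ref):
            findings.append((f"{action}@{ref}", "mutable ref; pin to a commit SHA"))
        elif ref not in known_good.get(action, set()):
            findings.append((f"{action}@{ref}", "SHA not in known-good allowlist"))
    return findings


def retargeted_tags(recorded, current):
    """Compare two tag->SHA snapshots of one repository and return the tags
    whose commit changed (a force-pushed tag) or that no longer exist,
    mapped to (recorded_sha, current_sha_or_None).
    """
    changed = {}
    for tag, sha in recorded.items():
        now = current.get(tag)
        if now != sha:
            changed[tag] = (sha, now)
    return changed


# Constructed sample workflow: one tag reference, one allowlisted SHA and one
# SHA that is not allowlisted.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef
        with:
          scan-type: fs
"""
KNOWN_GOOD = {"aquasecurity/trivy-action": {"0123456789abcdef0123456789abcdef01234567"}}

# Hypothetical tag snapshots of an action repository taken before and after
# a force-push: two tags now point at the same new commit.
TAGS_BEFORE = {"v0.1.0": "aaaa1", "v0.2.0": "bbbb2", "v0.2.6": "cccc3"}
TAGS_AFTER = {"v0.1.0": "dddd4", "v0.2.0": "dddd4", "v0.2.6": "cccc3"}

if __name__ == "__main__":
    for ref, reason in audit_workflow(SAMPLE_WORKFLOW, KNOWN_GOOD):
        print(f"{ref}: {reason}")
    for tag, (old, new) in retargeted_tags(TAGS_BEFORE, TAGS_AFTER).items():
        print(f"tag {tag} moved {old} -> {new}")
```

Note that setup-trivy@v0.2.6 is flagged even though v0.2.6 is the clean version listed above: a tag name says nothing about the commit it resolves to today, which is exactly what the force-push exploited. Taking a tag snapshot of the action repositories you depend on (for example from `git ls-remote --tags`) and diffing it with `retargeted_tags` is a cheap way to notice a tag moving between CI runs.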