A complex supply chain attack targeting the official Trivy GitHub Action (aquasecurity/trivy-action) has compromised continuous integration and continuous deployment (CI/CD) pipelines worldwide.
Disclosed in late March 2026, this incident is the second distinct breach affecting the Trivy ecosystem in a single month.
The attackers force-pushed 75 of the 76 existing version tags to distribute an infostealer. With more than 10,000 GitHub workflow files depending on this action, the potential scope of credential theft is enormous.
Mechanics of the Tag Poisoning Attack
Instead of pushing code to a branch or creating a new release, the attacker used residual write access from a previous credential breach to quietly modify existing version tags.

The threat actor force-pushed 75 tags, including popular versions such as @0.33.0 and @0.18.0, pointing them at newly forged commits.
This turned trusted, supposedly immutable version references into a direct distribution channel for the infostealer.
By avoiding the need to create new releases, the attacker reduced the likelihood of triggering automated security alerts or notifying project maintainers of unauthorized branch modifications.
To avoid detection, the attacker forged the Git commit metadata, copying the original author names, timestamps, and commit messages so that the malicious commits look authentic in the repository logs.

The forged commits used the current master file tree but replaced the genuine entrypoint.sh file with a malicious version.
Close inspection reveals the forgery: the malicious commit timestamps clash with the March 2026 parent commit, and the commits lack GitHub's web-flow GPG signature. Notably, version @0.35.0 was not altered and remains the only safe tag.
The injected 204-line entrypoint.sh script runs its malicious logic before the legitimate Trivy scan, allowing it to hide in plain sight.
According to Socket, the infostealer operates in three separate stages: targeted collection, strong encryption, and covert exfiltration.
In the collection stage, the malware targets both GitHub-hosted and self-hosted runners. On GitHub-hosted Linux runners, it uses passwordless sudo privileges to dump the Runner.Worker process memory and extract secrets directly from the heap.
On self-hosted runners, a comprehensive Python script scans the filesystem for sensitive data across various directories.
This script systematically searches for SSH keys, database credentials, CI/CD configuration files, and even cryptocurrency wallet information.
In the next stage, the stolen data is compressed and encrypted using AES-256-CBC, with the encryption key wrapped with an RSA-4096 public key.
Finally, the malware attempts to exfiltrate the encrypted package via an HTTPS POST request to a typosquatted domain, scan[.]aquasecurtiy[.]org.
If this primary route fails, the script uses the victim's own GitHub Personal Access Token to create a public repository named tpcp-docs and uploads the stolen data as a release asset.
The malware identifies itself as the "TeamPCP Cloud stealer." Security researchers track TeamPCP as a cloud-native threat actor known for abusing improperly configured infrastructure for ransomware and cryptomining activities.
Organizations must promptly stop referencing trivy-action by version tag, apart from @0.35.0. For full protection, pipelines should pin the action to the designated secure commit SHA (57a97c7e7821a5776cebc9bb87c984fa69cba8f1).
Any environment that ran a compromised tag needs to be treated as entirely breached. Security teams should urgently rotate all exposed secrets, including cloud credentials and API tokens.
Moreover, administrators should review their GitHub organizations for unauthorized tpcp-docs repositories.
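The pinning advice above can be checked mechanically. The following is an added example, not code from the article, Socket, or the Trivy project: it audits workflow text for trivy-action references, using the safe tag and SHA named above; the status names and sample workflow are constructed, and flagging every other mutable ref as suspect is an assumption.

```python
import re
import sys

# Values taken from the article; everything else here is illustrative.
ACTION = "aquasecurity/trivy-action"
SAFE_TAG = "0.35.0"
SAFE_SHA = "57a97c7e7821a5776cebc9bb87c984fa69cba8f1"

# Matches "uses: <action>@<ref>" (quoted or not); commented-out steps do not match.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)",
    re.IGNORECASE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Map a ref to a triage status (status names are this example's own)."""
    ref = ref.lower()
    if ref == SAFE_SHA:
        return "pinned-safe"   # the commit SHA the article names
    if FULL_SHA_RE.match(ref):
        return "pinned-other"  # immutable, but verify the commit by hand
    if ref == SAFE_TAG:
        return "safe-tag"      # reported unaltered, yet tags can be moved: pin it
    return "suspect"           # any other tag or mutable ref: investigate past runs

def audit(workflow_text):
    """Return (line_number, ref, status) for every trivy-action reference."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        if (m := USES_RE.match(line)):
            findings.append((number, m.group(1), classify(m.group(1))))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@0.33.0
  - name: scan
    uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
  - uses: "aquasecurity/trivy-action@0.35.0"
  # - uses: aquasecurity/trivy-action@0.18.0
"""

if __name__ == "__main__":
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for name, text in (texts or {"<sample>": SAMPLE_WORKFLOW}).items():
        for number, ref, status in audit(text):
            print(f"{name}:{number}: @{ref} -> {status}")
```

Run it with workflow file paths as arguments; with no arguments it audits the embedded sample.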