On March 19, 2026, Aqua Security disclosed that Trivy - the most widely deployed open-source vulnerability scanner, with 33,800+ GitHub stars, 100 million+ Docker Hub pulls, and 10,000+ GitHub workflow files referencing its CI/CD action - had been weaponized in a multi-stage supply chain attack.
The vulnerability, tracked as CVE-2026-33634 (CVSS v4: 9.4, NVD v3.1: 8.8, CWE-506), was the culmination of a two-phase campaign by threat actor TeamPCP. Attackers exploited a pull_request_target workflow misconfiguration to steal a privileged access token, survived an incomplete credential rotation, then force-pushed 76 of 77 version tags in trivy-action to credential-stealing malware, poisoned Docker images on Docker Hub, GHCR, and ECR, and triggered CanisterWorm - a self-propagating worm that compromised 47+ npm packages using the first documented abuse of Internet Computer Protocol blockchain canisters for command-and-control.
Over 1,000 cloud environments were infected. The campaign cascaded into Checkmarx KICS, LiteLLM (95 million monthly PyPI downloads), and a geopolitically-targeted Kubernetes wiper that destroys Iranian systems.
Mandiant's CTO Charles Carmakal warned at RSA Conference 2026 that downstream victims could expand to 10,000+.
KEY FACTS
- What: Trivy vulnerability scanner weaponized via a CI/CD supply chain attack spanning five ecosystems (GitHub Actions, Docker Hub, npm, Open VSX, PyPI).
- CVE: CVE-2026-33634 (CVSS v4: 9.4, NVD v3.1: 8.8, CWE-506: Embedded Malicious Code). Note: vendor/researcher scoring assessed CVSS v3.1 at 9.9; the NVD assessment scores 8.8 under v3.1 due to a narrower scope determination.
- Scale: 1,000+ cloud environments infected (Mandiant). 10,000+ GitHub workflow files at risk. 60,000+ servers compromised in the prior TeamPCP campaign.
- Vector: pull_request_target misconfiguration → PAT theft → incomplete credential rotation → GitHub Actions tag poisoning → Docker image poisoning → npm worm (CanisterWorm) → Checkmarx KICS → LiteLLM (PyPI).
- Data: SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes tokens, Docker configs, database passwords, crypto wallets, CI/CD secrets, TLS private keys.
- Actor: TeamPCP (DeadCatx3, PCPcat, PersyPCP, ShellForce). Hybrid motivation: financial + data theft + attention-seeking + geopolitical (anti-Iran).
- Impact: Credential theft from thousands of CI/CD pipelines; downstream extortion campaigns; Kubernetes cluster destruction (Iranian targets); 44 Aqua Security internal repositories defaced.
WHAT HAPPENED
Phase 1 - Initial Compromise (February 28, 2026): An autonomous bot called hackerbot-claw exploited a misconfigured pull_request_target workflow in Trivy's GitHub Actions.
The pull_request_target trigger runs in the context of the base repository, with access to its secrets, and the workflow went on to check out and execute code from external pull requests - a well-documented security anti-pattern. The bot extracted a Personal Access Token (PAT) that provided write access to Trivy's release automation.
Using this token, the attacker privatized the Trivy repository, deleted all GitHub Releases between v0.27.0 and v0.69.1, and pushed a suspicious artifact to the Trivy VS Code extension on the Open VSX marketplace.
Aqua Security disclosed the incident and began credential rotation on March 1. The rotation was not atomic: during the multi-day rotation window, the attacker exfiltrated newly issued credentials and retained unauthorized access.
Phase 2 - The Main Attack (March 19, 2026): Three weeks later, TeamPCP returned.
Using retained credentials, they compromised the aqua-bot service account and executed a coordinated multi-vector attack beginning at approximately 17:43 UTC. At 18:22 UTC, malicious Trivy v0.69.4 binaries were published across all distribution channels: GitHub Releases, GHCR, ECR Public, Docker Hub, deb/rpm packages, and get.trivy.dev.
Binaries were compiled for every supported platform. At approximately 18:45 UTC, trivy-action and setup-trivy were compromised. The attacker force-pushed 76 of 77 version tags in trivy-action to malicious commits.
For each tag, the attacker cloned the original commit's metadata - author name, email, timestamps, commit messages - but replaced entrypoint.sh with a 204-line script embedding a credential stealer before the legitimate Trivy scanning code.
Workflows appeared to complete normally. Only tag v0.35.0 survived because it already pointed to master HEAD. All 7 tags in setup-trivy were similarly poisoned.
The credential harvester operated in three stages. Collection: the stealer read the memory of the Runner.Worker process via /proc/<pid>/mem, bypassing GitHub's log-masking to recover values marked isSecret:true; it then swept .env files, CI/CD configurations, and shell history, and queried the AWS instance metadata service (IMDS) for IAM credentials.
Encryption: Harvested data was encrypted using AES-256-CBC with RSA-4096 hybrid encryption, packaged as tpcp.tar.gz. Exfiltration: Primary channel was HTTPS POST to scan.aquasecurtiy[.]org (typosquatted domain).
Fallback: if the C2 was unreachable and a GitHub PAT was available, the stealer created a public repository named tpcp-docs on the victim's account and uploaded the encrypted bundle as a release asset.
The Trivy team identified the attack at 20:38 UTC. The malicious binary was removed by 21:42 UTC (~3-hour exposure). setup-trivy was cleaned by 21:44 UTC (~4 hours). trivy-action required until 05:40 UTC the next morning (~12 hours).
Phase 3 - Expansion (March 22-25, 2026): On March 22, CanisterWorm was discovered spreading through npm.
Using stolen npm publish tokens, TeamPCP launched a self-propagating worm that compromised 47+ packages across multiple scopes (@EmilGroup: 28 packages, @opengov: 16, plus others). Twenty-eight packages were compromised in under 60 seconds.
The worm used ICP blockchain canister tdtqy-oyaaa-aaaae-af2dq-cai as a dead-drop resolver for C2 - the first publicly documented abuse of Internet Computer Protocol for this purpose.
Independent verification confirms the canister remains active on the Internet Computer blockchain as of March 27, 2026 - it has not been frozen or deleted by DFINITY governance despite public identification as malicious C2 infrastructure.
The canister is written in Motoko (ICP's native smart contract language), controlled by a single principal, and continues to be updated.
This validates the broader concern about blockchain-based C2 resilience: the decentralized nature of ICP means no single entity can unilaterally shut down the canister. Later analysis identified 141 malicious package artifacts spanning 66+ unique packages.
Passive infrastructure analysis reveals a consistent 1-2 day staging pattern in TeamPCP's operations.
Certificate Transparency logs show the scan.aquasecurtiy[.]org TLS certificate was issued on March 17 - two days before the Phase 2 attack launched on March 19. An npm package named tpcp-sdk (described as "Telepathy Communication Protocol - TypeScript/Node.js SDK for multi-agent AI communication") was also published on March 17 by maintainer etriti00, placing it in the staging window between the Phase 1 compromise and the Phase 2 main attack.
Similarly, the models.litellm[.]cloud certificate was issued on March 23 - one day before the LiteLLM PyPI attack on March 24. This pre-operational infrastructure staging is a consistent TeamPCP signature and a potential early warning indicator for future campaigns.
On March 22, malicious Docker Hub images v0.69.5 and v0.69.6 were published using separately-compromised Docker Hub credentials. That evening, TeamPCP defaced all 44 internal repositories in Aqua Security's aquasec-com GitHub organization in a scripted 2-minute burst.
Each repository was renamed with a "tpcp-docs-" prefix. The attack used the Argon-DevOps-Mgt service account - a single bot account with admin access spanning both the aquasec-com (internal/proprietary) and aquasecurity (public/open-source) GitHub organizations.
This exposed proprietary source code for Tracee, internal Trivy forks, CI/CD pipeline configurations, and Kubernetes operators.
On March 23, TeamPCP pivoted to Checkmarx KICS - compromising the cx-plugins-releases service account, force-pushing 35 tags, and poisoning OpenVSX extensions.
Aikido Security discovered the Iran-targeted Kubernetes wiper: a kamikaze.sh payload deploying privileged DaemonSets that detect Iranian systems (via Asia/Tehran timezone or fa_IR locale) and execute complete cluster destruction.
Non-Iranian Kubernetes clusters received a Python backdoor with systemd persistence. Non-Kubernetes Iranian systems received rm -rf / --no-preserve-root.
On March 24, TeamPCP backdoored LiteLLM versions 1.82.7-1.82.8 on PyPI (95 million monthly downloads, present in 36% of cloud environments). The maintainer's PyPI credentials were stolen through a compromised Trivy action in LiteLLM's CI/CD pipeline.
Microsoft published emergency detection guidance. Mandiant CTO Charles Carmakal disclosed 1,000+ compromised SaaS environments at RSA Conference 2026, projecting growth to 10,000+.
THREAT ACTOR
TeamPCP (also tracked as DeadCatx3, PCPcat, PersyPCP, ShellForce) is a hybrid cybercrime group first observed in November 2025, with Telegram channel activity dating to July 30, 2025 (700+ members).
In December 2025, the group launched a mass campaign compromising 60,000+ cloud servers (97% on Azure and AWS) via exposed Docker APIs, Kubernetes clusters, Redis servers, and React/Next.js applications vulnerable to CVE-2025-55182 (React2Shell, CVSS 10.0).
C2 used the open-source Sliver framework.
The Trivy campaign represented a qualitative escalation - from opportunistic cloud exploitation to targeted supply chain compromise of security tooling across five ecosystems in under one week.
The group shows deep expertise in cloud-native technologies, CI/CD pipeline mechanics, and decentralized infrastructure.
The /proc/pid/mem technique for bypassing GitHub Actions log-masking, the ICP blockchain C2, the self-propagating npm worm, and the geopolitically-targeted Kubernetes wiper all represent novel or rarely-observed TTPs.
Motivation is hybrid: financial gain (cryptomining, extortion, credential brokering), data theft, attention-seeking (branded defacement, Telegram boasting: "These companies were built to protect your supply chains yet they can't even protect their own"), and a geopolitical dimension (Iran-targeted destructive wiper).
Leader "DMT" announced retirement; the group continues under new leadership with large stores of stolen credentials.
Mandiant identified downstream extortion actors "primarily based in the US, UK, Canada and Western Europe" who are "very loud, very aggressive." Wiz researcher Ben Read flagged "a dangerous convergence between supply chain attackers and high-profile extortion groups like Lapsus$."
WHAT WAS EXPOSED
Harvested data included SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes tokens, Docker configs, database passwords, crypto wallets, CI/CD secrets, TLS private keys, .env files, CI/CD configurations, shell history, Slack/Discord webhooks, and VPN configurations.
Beyond credential theft, the defacement of 44 Aqua Security internal repositories exposed proprietary source code for Tracee, internal Trivy forks, CI/CD pipeline configurations, and Kubernetes operator code.
The Iran-targeted Kubernetes wiper destroyed entire cluster infrastructure for systems identified as Iranian.
TECHNICAL FAILURE CHAIN
1. pull_request_target Workflow Misconfiguration. The root cause. Trivy's GitHub Actions workflow used the pull_request_target trigger, which runs with the base repository's secrets, and then checked out and executed code from external PRs in that privileged context. GitHub's own documentation explicitly warns against running PR head code under this trigger.
This single misconfiguration enabled everything that followed.
2. Non-Atomic Credential Rotation. After the February 28 compromise, Aqua rotated credentials over a multi-day window rather than executing simultaneous revocation. The attacker exfiltrated newly-rotated secrets during this window.
Emergency credential rotation must be simultaneous - revoke all, then reissue.
3. Overprivileged Service Accounts With Long-Lived Tokens. The aqua-bot service account held write/admin access across release infrastructure. The Argon-DevOps-Mgt account held admin spanning both internal and public GitHub organizations. Both used long-lived PATs.
A single credential granted access to the entire organizational footprint.
4. Mutable Git Tags as Primary Version Pinning. GitHub Actions version tags are mutable pointers. Force-pushing silently redirects all referencing workflows. Over 10,000 workflow files were at risk. SHA-pinning would have rendered the tag poisoning ineffective.
5. No Binary Signature Verification Enforcement. Trivy supported Sigstore/cosign verification, but verification was not enforced by default. The attacker bypassed goreleaser validation with --skip=validate.
6. Passwordless sudo on GitHub Actions Runners. GitHub provides passwordless sudo on hosted runners. Reading another process's memory requires root (or ptrace permission over that process), so this let the stealer read /proc/<pid>/mem of the Runner.Worker process. Log-masking only redacts secrets as they are written to the job log; it offers no protection against reading them out of memory.
7. Insufficient CI/CD Egress Monitoring. The payload made outbound HTTPS connections to a typosquatted domain during pipeline execution. StepSecurity's Harden-Runner detected anomalous connections in 45 public repositories - proving baseline monitoring catches this attack.
INDICATORS OF COMPROMISE
CVE IDs:
- CVE-2026-33634 - CVSS v4: 9.4, NVD v3.1: 8.8, CWE-506 (Embedded Malicious Code)
Malicious Domains:
- scan.aquasecurtiy[.]org - Typosquatted C2/exfiltration domain
- models.litellm[.]cloud - LiteLLM exfiltration domain
- checkmarx[.]zone - C2 polling server (zero CT log entries)
Blockchain C2:
- ICP Canister ID: tdtqy-oyaaa-aaaae-af2dq-cai (CanisterWorm, Motoko language, still active)
Compromised Packages:
- aquasecurity/trivy-action - 76 of 77 version tags poisoned
- aquasecurity/setup-trivy - All 7 version tags poisoned
- Trivy v0.69.4 release binaries and v0.69.5/v0.69.6 Docker Hub images - Malicious releases
- npm @EmilGroup scope - 28 packages
- npm @opengov scope - 16 packages
- Checkmarx kics-github-action v1.1
- Checkmarx ast-github-action v2.3.28
- npm tpcp-sdk v0.4.1 (pre-staging artifact)
Compromised Accounts:
- aqua-bot - GitHub service account
- hackerbot-claw - GitHub account used for the initial exploitation
- Argon-DevOps-Mgt - Admin access across both aquasec GitHub organizations
- cx-plugins-releases - Checkmarx service account
File Artifacts:
- entrypoint.sh - 204-line credential stealer in poisoned trivy-action
- tpcp.tar.gz - Encrypted exfiltration package (AES-256-CBC/RSA-4096)
Threat Actor Aliases:
- TeamPCP / DeadCatx3 / PCPcat / PersyPCP / ShellForce
MITRE ATT&CK:
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1059.006 - Command and Scripting Interpreter: Python
- T1567 - Exfiltration Over Web Service (T1567.001, Exfiltration to Code Repository, for the tpcp-docs GitHub fallback)
- T1027 - Obfuscated Files or Information (double Base64 encoding)
REGULATORY EXPOSURE
- CCPA/CPRA - If stolen cloud credentials accessed California resident personal information. $7,500 per intentional violation.
- HIPAA - Healthcare organizations using Trivy in CI/CD adjacent to PHI face Security Rule violations. Fines up to $2.1M per category per year.
- SEC 8-K Disclosure - Public companies must disclose material supply chain compromises within 4 business days.
- GDPR Article 32 - Mutable version pinning, overprivileged service accounts, and absent CI/CD monitoring represent potential "appropriate measures" failures. Fines up to 4% turnover or EUR 20M.
- UK GDPR / DPA 2018 - ICO enforcement mirrors GDPR. Fines up to GBP 17.5M or 4% turnover.
- EU Cyber Resilience Act (CRA) - Vulnerability and incident reporting obligations take effect September 11, 2026. Manufacturers must report actively exploited vulnerabilities to CSIRTs and ENISA within 24 hours.
- US Executive Order 14028 - Federal agencies must meet enhanced supply chain security standards including SBOMs and provenance attestation.
- NIST SSDF (SP 800-218) - Consuming unverified third-party software violates PW.4 (Verify Third-Party Software).
- Saudi NCA ECC - Supply chain risk management mandated for critical infrastructure. Fines up to SAR 5M.
- UAE PDPL - Fines up to AED 10M for telecom operators.
- SOC 2 Implications - Organizations consuming compromised artifacts without detection face audit opinion qualifications around CC6.1 (Logical Access), CC7.2 (Monitoring), and CC8.1 (Change Management).
INTELLIGENCE GAPS
The following gaps exist in the public record for this incident:
1. Mandiant's claim of 1,000+ compromised SaaS environments (projected to 10,000+) was disclosed at RSA Conference 2026 but has not been independently verified by a second research firm or supported by a published technical report.
2. The identity and affiliation of TeamPCP members remain unknown - the group's geographic location, nation-state ties (if any), and the relationship between the anti-Iran wiper component and the financially motivated credential theft have not been explained.
3. The total number of organizations that actually executed compromised Trivy actions during the 3-12 hour exposure window has not been published - the 10,000+ workflow file reference count indicates potential exposure, not confirmed compromise.
4. Whether Aqua Security's credential rotation after Phase 1 was genuinely non-atomic or whether TeamPCP had already exfiltrated rotation infrastructure secrets before the process began has not been forensically clarified.
5. The downstream impact of the CanisterWorm npm propagation - specifically which organizations' CI/CD pipelines consumed the 141 malicious artifacts - has not been disclosed.
Independent verification confirms all @EmilGroup and @opengov npm scopes have been removed, and the hackerbot-claw GitHub account has been deleted or suspended.
6. The role of the tpcp-sdk npm package (published March 17 by maintainer etriti00, described as "Telepathy Communication Protocol" SDK) in TeamPCP's operational infrastructure has not been assessed.
Its creation date falls within the confirmed pre-attack staging window but a direct link has not been established.
UPDATE - March 27, 2026: Independent passive OSINT verification by ZERO|TOLERANCE has confirmed all primary claims in this article. The CVSS v3.1 score has been corrected from the vendor-assessed 9.9 to the NVD-assessed 8.8 (CVSS v4 remains 9.4).
Certificate Transparency analysis revealed a 1-2 day infrastructure staging pattern. The ICP C2 canister remains active. Full verification methodology and findings are documented separately.
ZERO|TOLERANCE Advisory
1. Pin All GitHub Actions to Full SHA Hashes - Never reference actions by mutable version tags. This single control would have rendered the tag poisoning ineffective for every organization that implemented it.
When TeamPCP force-pushed 76 of 77 trivy-action tags to malicious commits, any workflow pinned to the full commit SHA (e.g., aquasecurity/trivy-action@<40-char-sha>) would have continued executing the original, legitimate code.
Mutable tags are pointers that can be redirected at any time by anyone with write access to the repository. SHA pinning converts a mutable reference into an immutable one. It protects only the reference you control: a composite action pinned by SHA may itself call other actions or pull container images by mutable tag, so audit those transitive references as well.
Implement Dependabot or Renovate to automatically propose SHA updates when new action versions are released, preserving both immutability and currency.
2. Eliminate pull_request_target With Secret Access - The pull_request_target trigger was the root cause of this entire campaign.
It runs with the base repository's secrets and a write-capable token; when the workflow then checks out and executes code from the external pull request, untrusted code runs with those privileges - a combination GitHub's own documentation explicitly warns against.
Replace it with the pull_request trigger (which, for pull requests from forks, receives no secrets and a read-only token), or with the workflow_run pattern that splits untrusted code execution and secret access into two distinct workflow runs.
If pull_request_target is genuinely required for your use case (e.g., labeling PRs, commenting), ensure the workflow never checks out or executes code from the PR head.
Audit all repositories for pull_request_target usage immediately - this is the single most dangerous GitHub Actions misconfiguration in production today.
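The audit described in items 1 and 2 above (and in failure-chain items 1 and 4) can be automated. The following is an added example, not Aqua's, GitHub's or Dependabot's code: a dependency-free scanner over workflow text that flags actions referenced by a mutable tag or branch instead of a full commit SHA, flags pull_request_target workflows that reach for pull-request head code, and performs the mechanical rewrite a pinning bot does (tag replaced by a resolved SHA, tag kept as a trailing comment). The sample workflows, the action references such as aquasecurity/trivy-action@0.28.0, and the 40-character SHAs are constructed placeholders, not real commits.

```python
"""Audit GitHub Actions workflow text for mutable action refs and
pull_request_target workflows that execute PR head code. Line-based
heuristics, no PyYAML required. Samples below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "uses: owner/repo@ref" as a step key, with or without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Any expression that reaches for the pull request's head commit or branch.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _code(line: str) -> str:
    """Drop a trailing YAML comment; '#' never occurs inside an action ref."""
    return line.split("#", 1)[0].rstrip()


def audit_workflow(text: str) -> list[Finding]:
    lines = [_code(l) for l in text.splitlines()]
    # Pass 1: does the workflow run on pull_request_target at all?
    uses_prt = any("pull_request_target" in l and "uses:" not in l for l in lines)
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):  # local paths and images are out of scope
                action, _, version = ref.partition("@")
                if not version:
                    findings.append(Finding(n, "unpinned-action", f"{action} has no ref at all"))
                elif not SHA_RE.match(version):
                    findings.append(Finding(n, "mutable-ref", f"{action} pinned to mutable ref {version!r}"))
        # Pass 2: under pull_request_target, touching the PR head means untrusted
        # code runs with the base repository's secrets.
        if uses_prt and PR_HEAD_RE.search(line):
            findings.append(Finding(n, "prt-head-checkout", line.strip()))
    return findings


def pin_actions(text: str, resolved: dict[str, str]) -> str:
    """Rewrite 'owner/repo@tag' to 'owner/repo@<sha> # tag' for each ref in `resolved`."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(_code(line))
        if m and m.group(1) in resolved:
            ref, sha = m.group(1), resolved[m.group(1)]
            if not SHA_RE.match(sha):
                raise ValueError(f"{ref}: resolved value must be a full 40-hex commit SHA")
            action, _, version = ref.partition("@")
            line = line.replace(ref, f"{action}@{sha} # {version}", 1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed: the anti-pattern (secrets + PR head code + mutable tags).
VULNERABLE_WORKFLOW = """\
name: scan
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
"""

# Constructed: pull_request trigger, read-only token, placeholder SHAs (not real commits).
HARDENED_WORKFLOW = """\
name: scan
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4
      - uses: aquasecurity/trivy-action@2222222222222222222222222222222222222222 # 0.28.0
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for f in audit_workflow(VULNERABLE_WORKFLOW):
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print("hardened findings:", audit_workflow(HARDENED_WORKFLOW))
```

Running the vulnerable sample yields two mutable-ref findings and one prt-head-checkout finding; pinning it with pin_actions removes the mutable refs but the prt-head-checkout finding remains, which is the point of listing items 1 and 2 separately: SHA pinning does nothing about a workflow that runs attacker-controlled code with secrets.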
3. Implement Atomic Credential Rotation - Aqua Security's credential rotation after the Phase 1 compromise was not atomic. Credentials were revoked and reissued sequentially over multiple days, and the attacker exfiltrated newly issued credentials during the rotation window.
Atomic rotation means: revoke ALL existing tokens and credentials simultaneously, verify revocation is complete, and only then issue replacements through a separate, verified channel.
Prefer short-lived, narrowly scoped credentials over long-lived Personal Access Tokens: the job-scoped GITHUB_TOKEN, restricted with the permissions key in the workflow YAML, for GitHub API access, and OIDC federation (id-token: write) for cloud providers. Both expire when the job completes and cannot be reused afterwards.
For service accounts that require persistent credentials, use automated rotation on a schedule measured in hours, not months, with the rotation mechanism itself protected by hardware security keys.
4. Enforce CI/CD Egress Monitoring - Deploy StepSecurity Harden-Runner or equivalent to baseline expected network connections from CI/CD workflows and alert on anomalous outbound traffic.
StepSecurity detected this attack in 45 repositories by identifying unexpected DNS resolutions and HTTP connections to attacker-controlled infrastructure during workflow execution.
CI/CD pipelines should have explicit network allowlists - a vulnerability scanner action has no legitimate reason to contact arbitrary external hosts. Block all outbound traffic except to pre-approved package registries, container registries, and reporting endpoints.
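The allowlist check above, and the anomalous connections StepSecurity reported in failure-chain item 7, can be expressed as a small detector. This is an added example and not StepSecurity's or Aqua's code: it consumes connection records in a constructed "timestamp host port proto" format (as a runner sidecar or eBPF agent might emit), compares each destination against an explicit allowlist, flags cloud metadata endpoints, and applies an edit-distance heuristic so a look-alike of a protected brand is reported as a typosquat rather than as merely unlisted. The allowlist, brand list and log lines are constructed for the example.

```python
"""Egress allowlist check over CI runner connection records, with a
typosquat heuristic. Records, allowlist and brands are constructed."""
from __future__ import annotations

# Exact hosts a vulnerability-scan job legitimately needs (constructed; tune per pipeline).
ALLOWLIST = frozenset({
    "github.com", "api.github.com", "ghcr.io",
    "objects.githubusercontent.com", "pkg-containers.githubusercontent.com",
    "registry.npmjs.org",
})
# Registered domains whose look-alikes should be treated as hostile, not just unlisted.
PROTECTED_BRANDS = ("aquasecurity.org", "github.com", "githubusercontent.com", "docker.io")
# Cloud metadata endpoints: nothing in a hosted-runner scan job should touch these.
IMDS_HOSTS = frozenset({"169.254.169.254", "metadata.google.internal"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute; a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels; a production deployment should consult the Public Suffix List."""
    labels = host.lower().replace("[.]", ".").rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, allowlist=ALLOWLIST, brands=PROTECTED_BRANDS, max_edits: int = 2) -> str:
    host = host.lower().replace("[.]", ".")  # accept defanged indicators too
    if host in allowlist:
        return "allowed"
    if host in IMDS_HOSTS:
        return "imds-access"
    reg = registered_domain(host)
    for brand in brands:
        if reg != brand and levenshtein(reg, brand) <= max_edits:
            return "typosquat-suspect"
    return "unlisted"


def analyze(log_text: str, **kw) -> list[tuple[str, str]]:
    """Return (host, verdict) for every record whose destination is not allowlisted."""
    out = []
    for raw in log_text.strip().splitlines():
        _ts, host, _port, _proto = raw.split()
        verdict = classify(host, **kw)
        if verdict != "allowed":
            out.append((host, verdict))
    return out


# Constructed connection records from one workflow run.
SAMPLE_LOG = """
2026-03-19T18:47:02Z ghcr.io 443 tcp
2026-03-19T18:47:03Z github.com 443 tcp
2026-03-19T18:47:05Z scan.aquasecurtiy.org 443 tcp
2026-03-19T18:47:09Z 169.254.169.254 80 tcp
2026-03-19T18:47:11Z cdn.example.net 443 tcp
2026-03-19T18:47:12Z api.github.com 443 tcp
"""

if __name__ == "__main__":
    for host, verdict in analyze(SAMPLE_LOG):
        print(f"{verdict:18} {host}")
```

On the sample, scan.aquasecurtiy.org is reported as typosquat-suspect (two edits from aquasecurity.org), 169.254.169.254 as imds-access, and cdn.example.net as unlisted; the GitHub and GHCR hosts pass. In practice the "unlisted" verdict alone should fail the job, since a scanner action has no reason to reach any host you did not enumerate.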
5. Supply Chain Integrity Verification - SLSA Provenance and Sigstore - Enforce Sigstore/cosign verification as a mandatory pipeline gate, not optional.
Trivy supported cosign verification, but verification was not enforced by default - the attacker bypassed goreleaser validation with --skip=validate. Require SLSA provenance attestations for all artifacts consumed by your build pipeline.
SLSA Level 3 provenance provides cryptographic proof of where, when, and how an artifact was built - a tampered binary will fail provenance verification even if the version tag appears legitimate.
For container images, enforce image signing policies via admission controllers (Kyverno, OPA Gatekeeper) in Kubernetes clusters. Reject any image that lacks a valid signature or provenance attestation.
This converts trust from "I trust this registry" to "I trust this cryptographic identity" - a fundamentally stronger guarantee.
6. CI/CD Pipeline Hardening Against Tag Poisoning - Beyond SHA pinning (which prevents consuming poisoned tags), implement controls that detect tag manipulation itself.
Enable GitHub audit log streaming and alert on force-push events to release tags, tag deletion/recreation, and release asset replacement. Configure branch protection rules on release branches that prevent force pushes even from administrators.
Use GitHub repository rulesets (which replaced the older tag protection rules) to restrict who can create, update or delete tags matching release patterns, and to block force pushes to them.
For critical open-source dependencies, mirror release artifacts into your own artifact registry and verify checksums before promotion to production pipelines.
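The mirror-and-verify step above needs one detail spelled out: the checksums file published alongside a release is itself a release asset, so an attacker with asset write access can replace both the binary and its checksum line. The following added example (not goreleaser's or Trivy's code) models the promotion gate accordingly: the checksums file must first match a digest you pinned out-of-band when you vetted the release, and only then is the artifact compared against its entry. The artifact bytes, file names and checksums are constructed stand-ins.

```python
"""Promotion gate for mirrored release artifacts: pinned checksums-file
digest first, then per-artifact SHA-256. Inputs below are constructed."""
from __future__ import annotations

import hashlib
import hmac


class IntegrityError(Exception):
    """A missing or malformed checksum entry is a hard failure, never a skip."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksums(text: str) -> dict[str, str]:
    """Parse 'sha256hex  filename' lines (sha256sum / goreleaser checksums.txt layout)."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower() if parts else ""
        if len(parts) != 2 or len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise IntegrityError(f"malformed checksums line {lineno}: {raw!r}")
        name = parts[1].lstrip("*")  # '*' is the coreutils binary-mode marker
        if name in entries:
            raise IntegrityError(f"duplicate checksum entry for {name}")
        entries[name] = digest
    return entries


def verify_artifact(name: str, data: bytes, checksums: dict[str, str]) -> bool:
    expected = checksums.get(name)
    if expected is None:
        raise IntegrityError(f"no checksum entry for {name}")
    return hmac.compare_digest(sha256_hex(data), expected)


def promote(name: str, data: bytes, checksums_text: str, pinned_checksums_digest: str) -> bool:
    """True only if checksums.txt matches the pinned digest AND the artifact matches its entry."""
    if not hmac.compare_digest(sha256_hex(checksums_text.encode()), pinned_checksums_digest):
        return False  # checksums file was replaced, or is not the one you vetted
    return verify_artifact(name, data, parse_checksums(checksums_text))


# Constructed release: stand-in bytes and names, not a real scanner archive.
ARTIFACT = "scanner_0.0.0-example_Linux-64bit.tar.gz"
GOOD_BYTES = b"\x1f\x8b constructed stand-in for a release archive\n"
TAMPERED_BYTES = GOOD_BYTES + b"<stealer appended ahead of the real entrypoint>\n"
CHECKSUMS_TEXT = (
    f"{sha256_hex(GOOD_BYTES)}  {ARTIFACT}\n"
    f"{sha256_hex(b'constructed macOS archive')}  scanner_0.0.0-example_macOS-ARM64.tar.gz\n"
)
# Recorded in your own config at vetting time, never fetched from the release itself.
PINNED_CHECKSUMS_DIGEST = sha256_hex(CHECKSUMS_TEXT.encode())
# What an attacker with release-asset write access does: swap the binary AND its checksum line.
FORGED_CHECKSUMS_TEXT = CHECKSUMS_TEXT.replace(sha256_hex(GOOD_BYTES), sha256_hex(TAMPERED_BYTES))

if __name__ == "__main__":
    print("genuine:", promote(ARTIFACT, GOOD_BYTES, CHECKSUMS_TEXT, PINNED_CHECKSUMS_DIGEST))
    print("tampered, original checksums:", promote(ARTIFACT, TAMPERED_BYTES, CHECKSUMS_TEXT, PINNED_CHECKSUMS_DIGEST))
    print("tampered, forged checksums:", promote(ARTIFACT, TAMPERED_BYTES, FORGED_CHECKSUMS_TEXT, PINNED_CHECKSUMS_DIGEST))
```

The third case is the one that matters: with a forged checksums file the per-artifact check alone would pass, and only the out-of-band pin rejects it. Where the publisher provides Sigstore signatures or SLSA provenance, verify those in place of (or in addition to) the pinned digest; the structure of the gate is the same.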
7. Monitor for Anomalous GitHub Actions Behavior - Establish baselines for your CI/CD workflow behavior and alert on deviations.
Key indicators include: workflow runs triggered by unexpected events or actors, changes to workflow file content (especially entrypoint scripts), new outbound network connections from workflow runners, workflow duration anomalies (credential-stealing payloads add measurable execution time), and secret access patterns that deviate from historical norms.
Integrate GitHub's audit log API with your SIEM to correlate repository events (tag pushes, release modifications, workflow file changes) with workflow execution patterns.
The Trivy attack was detectable at multiple points - the force-push of 76 tags in rapid succession, the modification of entrypoint.sh across all tags, and the anomalous outbound connections during workflow runs all generated signals that automated monitoring would have captured.
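The tag-side signals named above (force pushes to release tags, a tag deleted and recreated, and many tag rewrites by one actor in a short window) can be detected from GitHub push webhook deliveries. The following is an added example and not GitHub's, Aqua's or any vendor's code. The payload fields it reads (ref, before, after, created, deleted, forced, pusher.name, repository.full_name) are the documented push event fields; the received_at timestamp is an assumption of this example, standing for the ingestion time a SIEM attaches to each delivery. The events, actor names and commit SHAs are constructed.

```python
"""Detection over GitHub `push` webhook deliveries: force-pushed tags,
delete/recreate of a tag, and bursts of tag rewrites by one actor.
`received_at` is an assumed SIEM ingestion field; events are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

ZERO_SHA = "0" * 40  # GitHub's placeholder for "no commit" on create/delete


@dataclass(frozen=True)
class Alert:
    kind: str
    actor: str
    detail: str


def push_event(received_at, ref, actor, before, after, *, forced=False, created=False,
               deleted=False, repo="example-org/example-action"):
    """Build a dict in the shape of a parsed push webhook body (constructed)."""
    return {"received_at": received_at, "ref": ref, "before": before, "after": after,
            "forced": forced, "created": created, "deleted": deleted,
            "pusher": {"name": actor}, "repository": {"full_name": repo}}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(events, burst_threshold: int = 3, window_s: int = 300) -> list[Alert]:
    alerts: list[Alert] = []
    rewrites: dict[str, list[datetime]] = {}          # actor -> times of tag rewrites
    pending_delete: dict[tuple[str, str], datetime] = {}  # (repo, ref) -> deletion time
    for ev in sorted(events, key=lambda e: e["received_at"]):
        ref = ev["ref"]
        if not ref.startswith("refs/tags/"):
            continue  # branches are covered by branch protection, not this rule
        ts, actor = _ts(ev["received_at"]), ev["pusher"]["name"]
        key = (ev["repository"]["full_name"], ref)
        if ev["deleted"]:
            pending_delete[key] = ts  # a recreate shortly after is a rewrite that dodges `forced`
            continue
        rewritten = False
        if ev["forced"]:
            alerts.append(Alert("tag-force-push", actor, f"{ref} {ev['before'][:7]} -> {ev['after'][:7]}"))
            rewritten = True
        elif ev["created"] and key in pending_delete:
            if (ts - pending_delete.pop(key)).total_seconds() <= window_s:
                alerts.append(Alert("tag-recreated", actor, ref))
                rewritten = True
        if rewritten:
            rewrites.setdefault(actor, []).append(ts)
    for actor, times in rewrites.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):  # sliding window: most rewrites within window_s
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= burst_threshold:
            alerts.append(Alert("tag-rewrite-burst", actor, f"{best} tag rewrites within {window_s}s"))
    return alerts


# Constructed deliveries: one normal branch push, four forced tag pushes, one
# delete+recreate by the same bot, and one legitimate new tag by a developer.
_A, _B, _C = "a" * 40, "b" * 40, "c" * 40
SAMPLE_EVENTS = [
    push_event("2026-03-19T18:45:00Z", "refs/heads/main", "dev-alice", _A, _B),
    push_event("2026-03-19T18:45:05Z", "refs/tags/v0.1.0", "release-bot", _A, _C, forced=True),
    push_event("2026-03-19T18:45:06Z", "refs/tags/v0.2.0", "release-bot", _A, _C, forced=True),
    push_event("2026-03-19T18:45:07Z", "refs/tags/v0.3.0", "release-bot", _A, _C, forced=True),
    push_event("2026-03-19T18:45:09Z", "refs/tags/v0.4.0", "release-bot", _B, _C, forced=True),
    push_event("2026-03-19T18:45:20Z", "refs/tags/v0.5.0", "release-bot", _B, ZERO_SHA, deleted=True),
    push_event("2026-03-19T18:45:21Z", "refs/tags/v0.5.0", "release-bot", ZERO_SHA, _C, created=True),
    push_event("2026-03-19T18:50:00Z", "refs/tags/v0.6.0", "dev-alice", ZERO_SHA, _B, created=True),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.kind:18} {a.actor:12} {a.detail}")
```

Against the sample this raises four tag-force-push alerts, one tag-recreated alert and a single tag-rewrite-burst for release-bot (five rewrites inside the window), while the developer's ordinary new tag produces nothing. Note that every one of the 76 rewrites in the real campaign would have matched the first rule on its own; the burst rule is there to turn 76 individual tickets into one high-severity page.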
8. Apply Least-Privilege to Service Accounts - No single bot account should have admin access spanning multiple GitHub organizations.
The Argon-DevOps-Mgt service account had admin access across both aquasec-com (internal/proprietary) and aquasecurity (public/open-source) GitHub organizations - a single compromised account gave the attacker access to deface 44 internal repositories and expose proprietary source code.
Scope service accounts to minimum required permissions using fine-grained PATs with repository-level granularity and automatic expiration. Separate CI/CD automation accounts from administrative accounts.
Require multi-party approval for any permission elevation on service accounts.
SOURCES
The Hacker News, The Register, BleepingComputer, Infosecurity Magazine, SecurityWeek, CyberScoop, Dark Reading, Microsoft Security Blog, Aqua Security, Wiz, Palo Alto Networks (Prisma Cloud), CrowdStrike, Socket.dev, StepSecurity, GitGuardian, Mandiant (Google Cloud), Orca Security, Aikido Security, Mend.io, Snyk, ReversingLabs, Datadog Security Labs, Endor Labs, Arctic Wolf, Kaspersky, Sysdig, Cloud Security Alliance, Checkmarx, Docker, GitHub Advisory (GHSA-69fq-xp46-6x23), Tenable (NVD), ZERO|TOLERANCE Independent OSINT Verification (March 27, 2026)