Trivy hit by TeamPCP supply-chain attack through GitHub Actions

The Trivy vulnerability scanner was compromised in a supply-chain attack attributed to the threat actor TeamPCP, who backdoored Trivy's GitHub build process and trojanized releases and the related GitHub Actions (notably v0.69.4). The trojanized artifacts carried an infostealer that harvested credentials and other secrets from GitHub Actions runners, CI configurations, and local developer environments, exfiltrating them to a typosquatted C2 server or via a public repository. With write access to the project, the attackers were able to publish malicious releases and force-push most existing tags, so pipelines that referenced an action or release by tag silently picked up the malicious code, which made detection difficult. Aqua Security linked the breach to an earlier credential exfiltration and noted that token rotation was not atomic. The same actor is connected to a follow-up CanisterWorm campaign against npm. Remediation includes rotating all secrets, auditing for compromise, and investigating for persistence across environments.
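The force-pushed tags are the practical lesson here: a `uses: owner/action@vX` reference re-resolves on every run, so a moved tag is enough to swap in attacker code. The following is an added Python example, not code from the original article or from the Trivy project, that audits workflow `uses:` lines for mutable references and rewrites them to a commit SHA obtained out-of-band. The sample workflow text, the action names, version strings and the SHA value are constructed placeholders for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (not from any real repository); the version
# strings and the 40-hex SHA are placeholders, not real Trivy commits.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/setup-trivy@v0.2.2
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# prefix (indent, dash, 'uses:'), the target spec, and anything after it
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s#]+)(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def split_ref(spec: str) -> Tuple[str, str]:
    """Split 'owner/repo@ref' into (action, ref); ref is '' when absent."""
    if "@" in spec:
        action, ref = spec.rsplit("@", 1)
        return action, ref
    return spec, ""


def classify(spec: str) -> str:
    """Classify a uses: target by how it is pinned.

    'sha'     - immutable commit SHA (safe against tag force-pushes)
    'digest'  - docker:// image pinned by sha256 digest
    'local'   - action in this repository, reviewed with the repo itself
    'mutable' - tag, branch, or image tag that can be moved by a publisher
    """
    if spec.startswith("./"):
        return "local"
    action, ref = split_ref(spec)
    if spec.startswith("docker://"):
        return "digest" if ref.startswith("sha256:") else "mutable"
    return "sha" if SHA_RE.match(ref) else "mutable"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every uses: line that is mutable."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(2)
        if classify(spec) == "mutable":
            unpinned.append(split_ref(spec))
    return unpinned


def pin_uses_line(line: str, resolved: Dict[str, str]) -> str:
    """Rewrite a mutable uses: line to the SHA recorded in `resolved`
    (keyed by 'action@ref'), keeping the original tag as a comment.

    The caller supplies the SHA from an out-of-band lookup made while the
    tag was known-good (e.g. `git ls-remote <repo> refs/tags/<tag>`); this
    function never fetches, so a later force-push cannot change the result.
    """
    m = USES_RE.match(line)
    if not m:
        return line
    prefix, spec, rest = m.groups()
    if classify(spec) != "mutable" or spec not in resolved:
        return line
    action, ref = split_ref(spec)
    sha = resolved[spec]
    if not SHA_RE.match(sha):
        # Refuse to "pin" to another tag or branch name by mistake.
        raise ValueError(f"refusing to pin {spec} to non-SHA value {sha!r}")
    return f"{prefix}{action}@{sha} # {ref}{rest}"


if __name__ == "__main__":
    for action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"mutable reference: {action}@{ref}")
```

Run the script against `.github/workflows/*.yml` and treat any `mutable` entry as a finding; after pinning, the `# v4`-style comment keeps the human-readable version visible while the SHA is what actually runs.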
- Trivy vulnerability scanner breach pushed infostealer via GitHub Actions BleepingComputer
- Trivy Compromised by "TeamPCP" wiz.io
- Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper The Hacker News
- Hackers Compromise Trivy Scanner to Inject malicious Scripts and Steal Login Credentials CyberSecurityNews
- "CanisterWorm" supply chain malware attacks npm iTnews