Trivy Compromised by “TeamPCP” | Wiz Blog


On March 19, 2026, threat actors compromised Aqua Security’s Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions. While Aqua reports they have since removed the malicious releases, organizations using Trivy should audit their environments immediately. 

Update March 22, 13:15 UTC: Wiz Research continues to track TeamPCP activity following the initial Trivy compromise. The threat actor has expanded operations to the npm ecosystem via a worm (“CanisterWorm”) that leverages stolen publish tokens. Additionally, the ICP-hosted fallback C2 (tdtqy-oyaaa-aaaae-af2dq-cai) is now actively serving an iteratively developed payload (kamikaze.sh). Aqua has published a blog post and a GitHub Security Advisory.

Update March 22, 21:40 UTC: At ~16:00 UTC, attackers were able to publish malicious Trivy images (0.69.5, 0.69.6) to Docker Hub. The attacker has also demonstrated continued access to Aqua by publishing internal Aqua repositories publicly on GitHub. As of 21:31 UTC, the ICP canister has been made “Unavailable Due to Policy Violation.” We continue to monitor the situation.

Note: this incident is distinct from the earlier incident this month, in which hackbot-claw exploited a Pwn Request. Customers can refer to the Threat Center Advisory on that earlier incident.

What happened?

Wiz Research, in concert with other industry parties, identified a multi-faceted supply chain attack targeting Aqua Security’s Trivy. The attack compromised multiple components of the Trivy project: the core scanner, the trivy-action GitHub Action, and the setup-trivy GitHub Action.

The attack was conducted with access retained following incomplete containment of the earlier incident.

The threat actor, self-identifying as TeamPCP, made imposter commits that were pushed to actions/checkout (while spoofing user rauchg) and to aquasecurity/trivy (while spoofing user DmitriyLewen). At 17:43:37 UTC, the Trivy repository’s v0.69.4 tag was pushed, triggering a release. This resulted in a malicious checkout that fetched credential stealer code from a typosquatted domain (scan.aquasecurtiy[.]org, resolving to 45.148.10.212), and backdoored binaries being published to GitHub Releases, Docker Hub, GHCR, and ECR. The maintainers have since removed these malicious artifacts.

The attacker also compromised the aqua-bot service account and then abused that access to push malicious workflows to tfsec, traceeshark, and trivy-action, and to steal additional credentials from Aqua (including GPG keys and credentials for Docker Hub, Twitter, and Slack). These secrets were exfiltrated to a Cloudflare Tunnel C2 (plug-tab-protective-relay.trycloudflare.com). Furthermore, 75 out of 76 trivy-action tags were force-pushed to malicious versions, and 7 setup-trivy tags were force-pushed as well.

The malicious versions of these Actions run a tool self-described as “TeamPCP Cloud stealer”, which dumps Runner.Worker process memory, harvests SSH, cloud, and K8s secrets, encrypts the data (using AES-256+RSA-4096), and exfiltrates it to a remote server. As a fallback exfiltration channel, the malware is configured to create a repository named tpcp-docs in the victim’s GitHub account.

What did the malicious GitHub workflows do?

The attacker injected the same three-stage payload into both trivy-action (in entrypoint.sh) and setup-trivy (in action.yaml). When a downstream workflow executed either action, the payload ran on the victim’s GitHub Actions runner:

  1. Collection: The malware scraped memory from the Runner.Worker process by reading /proc//mem and searching it for a specific string pattern. It also swept the filesystem for SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, and cryptocurrency wallets across 50+ sensitive file paths.

  2. Encryption: Harvested credentials were encrypted using AES-256-CBC with RSA-4096 hybrid encryption and bundled into tpcp.tar.gz.

  3. Exfiltration: The malware transmitted the encrypted bundle to a typosquatted domain (scan.aquasecurtiy[.]org). As a fallback, it could create a tpcp-docs repository in the victim’s GitHub account and upload the stolen credentials as a release asset.

What did the malicious Trivy binary (v0.69.4) do?

When the malicious binary is executed, it starts both the legitimate Trivy scanner and the malicious code in parallel. In our initial analysis, the malicious code exfiltrates secrets using a primary and a backup mechanism. If it detects that it is running on a developer machine, it additionally writes a base64-encoded Python dropper for persistence.

Data Theft

The malicious process gathers environment variables, sweeps the filesystem for any stored credentials, and enumerates the network interfaces. It then compresses and encrypts the data and attempts to exfiltrate it via an HTTP POST request to https://scan.aquasecurtiy[.]org. If that fails (a non-2xx status code is returned), the malware attempts to use a stolen GITHUB_TOKEN to create a repository named tpcp-docs and upload the data there.

Set Persistence

The malicious code checks whether it is on a developer machine by testing whether the environment variable GITHUB_ACTIONS != "true". If that check passes, the malware attempts to establish persistence by writing a Python script to ~/.config/systemd/user/sysmon.py and creating a systemd user unit that runs the script persistently.

sysmon.py first sleeps for five minutes and then polls https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/. If a non-YouTube link is found there, the dropper downloads it to /tmp/pglog and executes it in a new session.

At the time of analysis (10:30 AM EST/15:30 UTC) the malicious site served a RickRoll, but the attacker could change it at any time.
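A host-side hunt for the persistence artifacts just described, as an added example (not Wiz's or Aqua's code): it checks for the sysmon.py dropper, any user systemd unit whose ExecStart runs it, references to the ICP fallback host, and the /tmp/pglog staging file. The unit name sysmon.service and the dropper contents used in the demo are constructed, since the page does not give them.

```python
import tempfile
from pathlib import Path

DROPPER_NAME = "sysmon.py"
STAGING_FILE = "pglog"
FALLBACK_HOST = "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"


def hunt_persistence(home: Path, tmp: Path = Path("/tmp")) -> list[str]:
    """Return one finding per artifact; an empty list means nothing matched."""
    findings = []
    unit_dir = home / ".config" / "systemd" / "user"
    dropper = unit_dir / DROPPER_NAME
    if dropper.is_file():
        findings.append(f"dropper present: {dropper}")
        if FALLBACK_HOST in dropper.read_text(errors="ignore"):
            findings.append(f"dropper references fallback C2 {FALLBACK_HOST}")
    # The unit name is not documented, so inspect every user unit's ExecStart.
    units = sorted(unit_dir.glob("*.service")) if unit_dir.is_dir() else []
    for unit in units:
        for line in unit.read_text(errors="ignore").splitlines():
            if line.startswith("ExecStart=") and DROPPER_NAME in line:
                findings.append(f"unit {unit.name} runs {DROPPER_NAME}: {line}")
    if (tmp / STAGING_FILE).exists():
        findings.append(f"staged payload present: {tmp / STAGING_FILE}")
    return findings


def demo_on_constructed_host() -> list[str]:
    """Build a throwaway home/tmp tree with constructed artifacts and hunt it."""
    with tempfile.TemporaryDirectory() as d:
        home, tmp = Path(d) / "home", Path(d) / "tmp"
        unit_dir = home / ".config" / "systemd" / "user"
        unit_dir.mkdir(parents=True)
        tmp.mkdir()
        (unit_dir / DROPPER_NAME).write_text(  # constructed stand-in, not the real dropper
            f"# constructed sample\nURL = 'https://{FALLBACK_HOST}/'\n")
        (unit_dir / "sysmon.service").write_text(  # constructed unit name
            f"[Service]\nExecStart=/usr/bin/python3 %h/.config/systemd/user/{DROPPER_NAME}\n")
        (tmp / STAGING_FILE).write_bytes(b"\x00")
        return hunt_persistence(home, tmp)


if __name__ == "__main__":
    for hit in hunt_persistence(Path.home()) or ["no TeamPCP persistence artifacts found"]:
        print(hit)
```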

Which actions should security teams take?

  1.  Audit Trivy versions: Check whether your organization pulled or executed Trivy v0.69.4 from any source (GitHub Releases, container registries, etc.). Remove any affected artifacts immediately.

  2.  Audit GitHub Action references: Review workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. If you referenced a version tag rather than a SHA, check workflow run logs from March 19-20 for signs of compromise. Specifically, you can look in the Run Trivy step of trivy-action and the Setup environment step of setup-trivy.

  3.  Search for exfiltration artifacts: Look for repositories named tpcp-docs in your GitHub organization, which may indicate successful exfiltration via the fallback mechanism. Hunt based on the IOCs provided below.

Long-term hardening: Pin GitHub Actions to full SHA hashes, not version tags. Version tags can be moved to point at malicious commits, as demonstrated in this attack.
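One way to carry out the workflow audit in step 2 and the SHA-pinning check from the hardening note, as an added example (not Wiz's or Aqua's code): it scans a workflow's YAML text for references to the two Trivy actions and flags any ref that is not a full 40-hex commit SHA, since tags were force-pushed in this attack. The sample workflow, its tag v0.2.3 and the all-zero SHA are constructed placeholders.

```python
import re

# Matches `uses: aquasecurity/trivy-action@<ref>` or `.../setup-trivy@<ref>`.
ACTION_RE = re.compile(
    r"uses:\s*['\"]?(aquasecurity/(?:trivy-action|setup-trivy))@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per Trivy action reference in a workflow's YAML text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ACTION_RE.search(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            # Tags and branches can be force-pushed; only a full SHA is immutable.
            "pinned": bool(FULL_SHA_RE.match(ref)),
        })
    return findings


# Constructed sample: one mutable tag reference, one SHA-pinned reference.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000 # placeholder SHA
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "pinned" if f["pinned"] else "MUTABLE REF: review run logs for March 19-20"
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {status}")
```

Run it over each file under .github/workflows to cover a whole repository; the regex deliberately ignores actions other than the two Trivy ones.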

How can Wiz help?

Wiz customers should refer to and monitor the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk in their environment.

Worried you’ve been impacted? Connect with the Wiz Incident Response team.

[Figure: SITF diagram]

Indicators of compromise

Network Indicators

| Indicator | Notes |
|---|---|
| scan.aquasecurtiy.org | Typosquatted C2 |
| 45.148.10.212 | TECHOFF SRV LIMITED, Amsterdam |
| tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io | ICP-hosted fallback within the malicious Trivy binary |
| plug-tab-protective-relay.trycloudflare.com | Used within GitHub Actions for exfiltration |

Malicious Artifacts


Malicious Workflows

Credit to Socket for compiling this data and making it easily available at https://socket.dev/supply-chain-attacks/trivy-github-actions-compromise


