On March 19, 2026, a threat actor identifying as TeamPCP compromised Aqua Security's trivy-action and setup-trivy GitHub Actions by force-pushing 76 release tags to point at malicious commits. The technique silently redirected version references to attacker-controlled code without any visible change on GitHub release pages. The injected entrypoint.sh runs credential theft in the background while the legitimate Trivy scanner completes normally, making the compromise difficult to detect through workflow output alone. On March 22, the attacker demonstrated continued access by publishing malicious Docker Hub images (v0.69.5, v0.69.6) and exposing internal Aqua repositories. As of March 23, Aqua has engaged Sygnia for forensic investigation and confirmed the incident is ongoing with evidence of reestablished access.
The initial foothold originated in late February 2026 when hackerbot-claw exploited a pull_request_target workflow misconfiguration to steal a privileged PAT. Credential rotation after that incident was not atomic, allowing the attacker to retain access. On March 19, the attacker used residual credentials to force-push 76 of 77 trivy-action tags and all 7 setup-trivy tags to malicious commits, simultaneously triggering a release of the backdoored Trivy v0.69.4 binary. On GitHub-hosted runners, a Base64-encoded Python script reads Runner.Worker process memory via /proc/{PID}/mem to extract CI/CD secrets. On self-hosted runners, the malware harvests SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, Docker registry credentials, cryptocurrency wallets, and API keys from the filesystem. Collected data is encrypted with AES-256-CBC + RSA-4096 hybrid encryption, packaged as tpcp.tar.gz, and exfiltrated to the typosquatted domain scan.aquasecurtiy[.]org. If that fails, the malware uses the runner's GITHUB_TOKEN to create a public repository named tpcp-docs in the victim's org and uploads the bundle as a release asset. The compromised binary additionally writes a Python dropper (sysmon.py) for persistence, polling an ICP blockchain-hosted C2 for follow-on payloads. Stolen NPM publish tokens are being actively weaponized to propagate the CanisterWorm across the npm ecosystem.
The three attached detections cover two detection planes. On GitHub audit logs: the fallback exfiltration path (tpcp-named repo creation) and bot identities publishing releases (catches the exfil upload step regardless of repo name). On CrowdStrike Falcon: DNS resolution of the primary C2 domain scan.aquasecurtiy[.]org, the ICP blockchain fallback canister, and the Cloudflare Tunnel relay — catching the primary exfiltration path and secondary payload delivery on any managed endpoint. The 83 known-compromised commit SHAs are captured as IOCs on this briefing for reference but cannot be matched in GitHub audit log queries since the resolved action commit SHA is not exposed in the audit log schema.
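Since the audit log does not expose the resolved commit SHA, the complementary check is on the workflow files themselves. The following is an added example, not part of the original briefing or any vendor tooling: it flags workflow steps that reference the two affected actions by a mutable tag or branch, or by a commit on a deny-list. The `aquasecurity/` owner prefix, the `audit_workflow` name, and the placeholder tags and SHAs are assumptions.

```python
import re

# Actions named in the briefing; the "aquasecurity/" owner prefix is an assumption.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# Constructed placeholders, not real IOCs: load the published compromised SHAs instead.
PIN_BAD, PIN_OK = "0" * 40, "1" * 40
KNOWN_BAD_SHAS = {PIN_BAD}

# Matches "uses: owner/repo[/path]@ref" steps; commented-out lines do not match.
USES_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text, bad_shas=KNOWN_BAD_SHAS):
    """Return (line, repo, ref, verdict) for every step using an affected action."""
    findings = []
    for m in USES_RE.finditer(text):
        repo = "/".join(m.group(1).lower().split("/")[:2])
        if repo not in AFFECTED:
            continue
        ref = m.group(2)
        line = text.count("\n", 0, m.start(1)) + 1
        if not FULL_SHA_RE.fullmatch(ref.lower()):
            verdict = "MUTABLE_REF"    # tag or branch: runs whatever it points at now
        elif ref.lower() in bad_shas:
            verdict = "KNOWN_BAD_SHA"  # immutable pin to a listed malicious commit
        else:
            verdict = "PINNED"         # immutable and not on the deny-list
        findings.append((line, repo, ref, verdict))
    return findings

# Constructed sample workflow; tags and SHAs are placeholders.
SAMPLE = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@vX.Y.Z
      - name: Scan
        uses: aquasecurity/trivy-action@main
      - uses: aquasecurity/trivy-action@{PIN_OK}  # pinned
      - uses: aquasecurity/trivy-action@{PIN_BAD}
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding)
```

A `MUTABLE_REF` result on a workflow that ran during the exposure window means the run history, not the YAML, determines which commit actually executed.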
IOCs (18)
DOMAIN (3)
- scan.aquasecurtiy.org
- tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
- plug-tab-protective-relay.trycloudflare.com
IP ADDRESS (1)
- 45.148.10.212
SHA256 FILE HASH (11)
FILE NAME (3)
- tpcp.tar.gz
- sysmon.py
- entrypoint.sh
Detections
- GitHub Fallback Exfiltration via tpcp Repository and Release
- GitHub Bot Account Publishing Releases
- Detect data exfiltration to code repositories via automated commits or release uploads
- Detect tampered release artifacts, force-pushed tags, or unauthorized package publications in CI/CD
- Identify suspicious archive creation before potential exfiltration
- Alert on processes reading credential files, environment variables, or configuration stores
- Monitor for unauthorized access to SSH keys, certificates, and private key material
- Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains