Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised for the second time within a month to distribute malware that stole sensitive CI/CD secrets.
The latest incident affected the GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy”, which are used to scan Docker container images for vulnerabilities and set up the GitHub Actions workflow with a specific version of the scanner, respectively.
“We identified that an attacker brute-forced 75 of the 76 version tags in the aquasecurity/trivy-action repository to run Trivy vulnerability scans in CI/CD pipelines,” said Philip Burkhardt, a Socket Security researcher. “These tags were modified to serve a malicious payload, effectively turning trusted version references into a delivery mechanism for an infostealer.”
The payload executes within GitHub Actions Runners and aims to extract valuable developer secrets from CI/CD environments, such as SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.
This development marks the second supply chain incident involving Trivy. Between late February and early March 2026, an autonomous bot named Hackerbot-Claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then weaponized to seize control of the GitHub repository, remove multiple release versions, and push two malicious versions of its Visual Studio Code (VS Code) extension to Open VSX.
The first sign of compromise was flagged by security researcher Paul McCarthy after a new compromised release (version 0.69.4) was published in the “aquasecurity/trivy” GitHub repository. The rogue version has since been removed. According to Wiz, version 0.69.4 includes both the legitimate Trivy service and malicious code responsible for a series of actions:
- Steal data by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.
- Set up persistence using a systemd service after confirming that it is running on a developer machine. The sysmon service is configured to run a Python script (“sysmon.py”) that polls an external server to retrieve a payload and execute it.
In a statement, Itay Shakuri, vice president of open source at Aqua Security, said the attackers misused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. In the case of “aquasecurity/trivy-action”, the adversary force-pushed 75 version tags to point to malicious commits containing the Python infostealer payload, without creating a new release or pushing to a branch, as is standard practice. Seven “aquasecurity/setup-trivy” tags were force-pushed in the same manner.
“So in this case, the attacker didn’t need to exploit Git,” Burkhardt told The Hacker News. “They had legitimate credentials with sufficient privileges to push the code and rewrite the tag, which enabled the tag poisoning that we observed. What remains unclear is the exact credentials used in this specific step (e.g., a maintainer PAT vs. automation token), but the root cause is now believed to be credential compromise taken from an earlier incident.”
The security vendor also admitted that the latest attack was caused by incomplete containment of the Hackerbot-Claw incident. “We shuffled the secrets and tokens, but the process was not atomic, and attackers could have had knowledge of the refreshed token,” Shakuri said. “We are now taking a more restrictive approach and locking all automated functions and any tokens to completely eliminate the problem.”
The infostealer works in three steps: collecting environment variables from the runner process memory and file system, encrypting the data, and exfiltrating it to an attacker-controlled server (“scan.aquasecurtiy[.]org”).
If the exfiltration attempt fails, the victim’s own GitHub account is misused to place the stolen data into a public repository called “tpcp-docs” using the captured INPUT_GITHUB_PAT, an environment variable used in GitHub Actions to pass a GitHub PAT for authentication with the GitHub API.
It is not currently known who is behind the attack, although there are indications that a threat actor known as TeamPCP may be responsible. This assessment is based on the fact that the credential harvester identifies itself as “TMCP Cloud Stealer” in the source code. Also known as DeadCatX3, PCPCat, PerCPCP, Shellforce, and Cipherforce, the group is known to act as a cloud-native cybercrime platform designed to break into modern cloud infrastructure to facilitate data theft and extortion.
“The credentials in this payload are consistent with the broader cloud-native theft-and-monetization profile of the target group,” Socket said. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is less well-documented as a TeamPCP hallmark, although it aligns with the group’s known financial motivations. Self-labeling may be a false flag, but the technical overlap with prior TeamPCP tooling makes the actual attribution plausible.”
Users are advised to ensure that they are using the latest secure release –
“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakuri said. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for a repository named “tpcp-docs”, which may indicate successful exfiltration via the fallback mechanism.
“Pin GitHub actions to the full SHA hash, not the version tag,” said Wiz researcher Rami McCarthy. “The version tag can be leveraged to point at malicious commits, as shown in this attack.”
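The pinning advice above can be checked mechanically. The following is an added example, not code from the article, Aqua Security, Socket or Wiz: it lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The workflow text, the SHA and the tag in it are constructed sample values.

```python
import re

# Matches "uses: owner/repo[/path]@ref" on a step or job line (comment lines do not match).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: one SHA-pinned action, one tag, one branch, one local action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@v0.0.0
      - name: Scan image
        uses: aquasecurity/trivy-action@master
      # - uses: example/disabled@v1
      - uses: ./.github/actions/local
"""

def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        # Local actions and docker:// images are not resolved through
        # Git tags of an action repository, so they are out of scope here.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        # A tag, a branch, a short SHA or a missing ref can all be re-pointed.
        if not sep or not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {action}@{ref}")
```

Run it over each file under `.github/workflows/` in CI and fail the build on any finding; a reference it reports resolves at run time to whatever commit the tag or branch currently points at.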
(This is a developing story. Please check back for more details.)