💻 AppSec

Trivy Security Scanner Hijacked — 75 GitHub Action Tags Redirected to Credential Stealer

The widely-used Aqua Security Trivy vulnerability scanner was compromised in a supply chain attack that replaced 75 version tags in the official trivy-action and setup-trivy GitHub Actions with credential-stealing malware. Threat actor TeamPCP leveraged non-atomic secret rotation to retain access after an initial February compromise, launching a second attack wave on 19 March. Any CI/CD pipeline that ran trivy-action or setup-trivy during the compromise window may have had cloud credentials, API tokens, and SSH keys exfiltrated.

4 min read
#trivy#github-actions#supply-chain#cicd#credential-theft#teampcp#cve-2026-33634#aqua-security#devops

What Happened

On 19 March 2026, TeamPCP — a threat actor with a pattern of targeting popular developer tools — used stolen credentials to execute a supply chain attack against Aqua Security’s Trivy vulnerability scanner ecosystem. In a single operation, the attackers:

  • Published a malicious Trivy v0.69.4 release to the official GitHub repository
  • Force-pushed 75 of 77 version tags in the aquasecurity/trivy-action GitHub Actions repository to point to credential-stealing malware
  • Replaced all 7 tags in the aquasecurity/setup-trivy repository with malicious commits

A second wave on 22 March replaced Docker Hub images with malicious v0.69.5 and v0.69.6 releases.

Why the Attack Succeeded Twice

The root cause reveals a common and dangerous pattern in credential rotation. Following an initial February 2026 compromise disclosure, Aqua Security rotated its credentials — but the rotation was non-atomic. Not all credentials were invalidated simultaneously, leaving a window of several days during which the attacker could have used a valid token to exfiltrate newly rotated secrets.

StepSecurity confirmed the attacker retained access through the rotation window and used the re-obtained credentials to execute the March 19 attack. This “rotation without revocation” failure is a recurring theme in supply chain incidents.

What the Malicious Actions Did

The embedded infostealer in the malicious Trivy GitHub Actions was purpose-built for CI/CD environments. Unlike malware targeting desktop systems, it:

  • Extracted plain-text secrets directly from runner process memory, bypassing GitHub Actions’ standard environment variable masking
  • Targeted: cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, Docker credentials, Git credentials, SSH keys, CI/CD service tokens (GitHub, GitLab, CircleCI, Jenkins), and database connection strings
  • Exfiltrated collected secrets to an external attacker-controlled endpoint

Analysis of affected repositories by StepSecurity found that 45 repositories had at least one workflow run that executed a compromised version of trivy-action or setup-trivy during the compromise window.

Why This Matters Beyond Trivy

Trivy is one of the most widely deployed open-source vulnerability scanners in CI/CD pipelines. Compromising it is particularly impactful because:

Position in the pipeline: Security scanning steps run with elevated permissions — they need to inspect containers, access registries, and read build artefacts. The scanner’s position gives it access to a broad range of pipeline secrets.

Trust assumptions: Security tools are generally exempt from the scepticism applied to third-party libraries. Developers assume security tools are safe, making them ideal vectors.

Transitive impact: Organisations that use platforms built on Trivy (Rancher, platform engineering tools, managed DevSecOps services) may be exposed through a provider’s compromised Trivy integration.

CISA added CVE-2026-33634 (the malicious code embedded in Trivy) to the Known Exploited Vulnerabilities catalogue on 26 March 2026.

  1. Audit CI/CD pipeline runs from 19–22 March 2026: identify any workflow that used aquasecurity/trivy-action or aquasecurity/setup-trivy without a pinned SHA — these pipelines may have executed malicious code
  2. Rotate all secrets accessible to affected runners: cloud provider keys, Kubernetes service accounts, Docker hub credentials, and any API tokens available in the pipeline environment
  3. Pin all GitHub Actions to a commit SHA rather than a version tag (uses: aquasecurity/trivy-action@abc1234... not @v0.69.x) — tags are mutable and can be force-pushed; SHAs are immutable
  4. Upgrade to Trivy v0.69.7 or later — Aqua Security has published a clean release after the incident. Verify by checking the release signature
  5. Implement secret scanning across your repository history using tools like truffleHog or GitHub Secret Scanning to detect if credentials were exposed in logs or artefacts from affected pipeline runs
  6. Review your CI/CD credential rotation policy: ensure rotation is atomic — all usages of a credential must be updated before the old credential is considered revoked