Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Trivy, the popular open source vulnerability scanner maintained by Aqua Security, has been compromised for the second time in a month to deliver malware that stole sensitive CI/CD secrets.
The latest incident affected the GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” which are used to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner, respectively.
“We identified that the attacker pushed 75 of the 76 tags in the aquasecurity/trivy-action repository, the official GitHub Action for using Trivy vulnerability scanners in CI/CD pipelines,” said Socket security researcher Philipp Burckhardt. “These tags have been modified to use malicious payloads, effectively turning version references into a distribution mechanism for the information machine.”
The payload runs inside GitHub Actions runners and aims to extract key developer secrets from CI/CD environments, such as SSH keys, cloud service provider credentials, databases, Git configuration, Docker, Kubernetes tokens, and cryptocurrency wallets.
This development marks the second compromise involving Trivy. In late February and early March 2026, an independent bot called hackerbot-claw exploited the “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then used to seize control of the GitHub repository, remove several release versions, and push two malicious versions of VSual Code for Visual Code.
The first sign of compromise was flagged by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published in the “aquasecurity/trivy” GitHub repository. The rogue version has been removed. According to Wiz, version 0.69.4 starts both the official Trivy service and the malicious code, which is responsible for the following tasks:
- Perform data theft by scanning the system for environment variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.
- Set up persistence by using a systemd service after verifying that it is running on a developer’s machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an external server to retrieve payloads and execute them.
In a statement, Itay Shakury, vice president of open source at Aqua Security, said that attackers have exploited compromised data to publish malicious versions of trivy, trivy-action, and setup-trivy. In the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 version tags to point to malicious commits containing the Python infostealer payload without creating a new release or pushing to a branch, as is standard practice. Seven “aquasecurity/setup-trivy” tags were force-pushed in the same way.

“So in this case, the attacker didn’t need to exploit Git itself,” Burckhardt told The Hacker News. “They had valid credentials with sufficient privileges to push the code and rewrite the tags, which is what led to the token poisoning we saw. What remains unclear is the exact proof used in this specific step (e.g., PAT to save the automation token), but the core is now understood to be the authentication compromise made in the previous incident.”
The security vendor also admitted that the latest attack was caused by the incomplete remediation of the hackerbot-claw incident. “We flipped the secrets and tokens, but the process wasn’t atomic, and the attackers might have been privy to the flipped tokens,” Shakury said. “We are now taking a preventative approach and disabling all automated actions and any token to completely eradicate the problem.”
The infostealer works in three stages: harvesting environment variables from the runner’s process memory and file system, encrypting the data, and exfiltrating it to a server controlled by the attacker (“scan.aquasecurtiy[.]org”).

If the exfiltration attempt fails, the victim’s GitHub account is abused to upload the stolen data to a public repository called “tpcp-docs” by using the captured INPUT_GITHUB_PAT, an environment variable used in GitHub Actions to pass the GitHub PAT for authentication with the GitHub API.
It is not yet known who carried out the attack, although there are indications that a threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester identifies itself as “TeamPCP Cloud stealer” in the source code. Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, this group is known to operate as a cyber-native cybercrime platform designed to breach modern cloud infrastructure to facilitate data theft and fraud.
“The warrants targeted in this payload are consistent with the group’s broader profile for theft and money laundering,” Socket said. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is not well documented as a TeamPCP brand, although it is consistent with the known financial motivations of the group. Self-labeling may be a false flag, but the technical overlap and previous use of TeamPCP makes the real interpretation sound.”
Users are advised to ensure that they are using the latest secure release –
“If you suspect you’ve been using a compromised version, treat all pipeline secrets as compromised and switch immediately,” Shakury said. Additional mitigation measures include blocking the exfiltration domain and associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for repositories named “tpcp-docs,” which may indicate successful exfiltration through the fallback mechanism.
“Pin GitHub Actions to full SHA hashes, not version tags,” said Wiz researcher Rami McCarthy. “Transmitted version tags can point to malicious actions, as demonstrated in this attack.”
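One way to audit workflow files for the tag-pinning risk described above, as an added example that is not code from the article, Aqua Security, Socket or Wiz. The sample workflow, the commit SHA and the tag names in it are constructed; the function names are hypothetical.

```python
import re

# The two actions the article names as having had tags repointed.
NAMED_IN_ARTICLE = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches `uses:` with or without a leading list dash, optional quotes,
# and stops before a trailing comment. Commented-out lines do not match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Return (owner/repo or None, verdict) for one `uses:` value."""
    if ref.startswith(("./", "../")):
        return None, "local"      # action stored in the same repository
    if ref.startswith("docker://"):
        return None, "docker"     # container image, not a Git ref
    target, sep, version = ref.partition("@")
    repo = "/".join(target.split("/")[:2])  # drop any sub-path after owner/repo
    if not sep:
        return repo, "unpinned"
    if FULL_SHA_RE.match(version.lower()):
        return repo, "sha"        # immutable: a tag rewrite cannot change it
    return repo, "mutable"        # tag, branch or short hash: can be moved


def audit(workflow_text):
    """List every action reference that is not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        repo, verdict = classify(match.group(1))
        if verdict in ("mutable", "unpinned"):
            findings.append({"line": lineno, "ref": match.group(1),
                             "named_in_article": repo in NAMED_IN_ARTICLE})
    return findings


# Constructed sample workflow (SHA and tag names are placeholders).
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@v0.0.0-example
      - name: Scan image
        uses: "aquasecurity/trivy-action@main"
      - uses: ./.github/actions/local-step
      # - uses: aquasecurity/trivy-action@disabled
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it over each file in `.github/workflows/`; any finding with `named_in_article` set is a reference that resolves through a tag or branch of one of the two repositories discussed here.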



