Full Report
Crims 'creating a snowball effect' across open source projects

**RSAC 2026** Thousands of organizations' cloud environments have been infected with secret-stealing malware as a result of the Trivy supply-chain attack last week, and now the crims that compromised the open source scanners are working with notorious extortion crews like Lapsus$.…
Analysis Summary
# Incident Report: TeamPCP Trivy Supply Chain Compromise
## Executive Summary
A large-scale supply chain attack targeting the open-source security scanner **Trivy** and the **liteLLM** AI middleware has infected over 1,000 cloud environments with secret-stealing malware. A threat group known as **TeamPCP** compromised build pipelines to distribute malicious versions of Trivy, subsequently stealing API keys and cloud credentials to fuel a "snowball effect" of downstream exploitations. The group is currently working with high-profile extortion crews like **Lapsus$** to monetize the stolen access.
## Incident Details
- **Discovery Date:** March 20, 2026 (Friday)
- **Incident Date:** February 2026 (Initial Token Theft); March 16-22, 2026 (Active Exploitation)
- **Affected Organization:** Aqua Security (Maintainers of Trivy), Users of Trivy GitHub Actions and liteLLM.
- **Sector:** Open Source Software / Cloud Infrastructure
- **Geography:** Global (Attackers based in US, UK, Canada, and Western Europe)
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** Exploitation of a misconfiguration in Trivy’s GitHub Action component.
- **Details:** TeamPCP stole a privileged access token from the GitHub Action. This issue was reportedly not fully remediated by the maintainers.
### Lateral Movement
- **March 2026:** Attackers used the stolen token to make "imposter commits" and force-push 75 out of 76 `trivy-action` GitHub tags.
- **Worm Propagation:** TeamPCP deployed "CanisterWorm" via the npm ecosystem using stolen publish tokens to infect further packages.
- **Middleware Expansion:** The group compromised **liteLLM**, a critical AI middleware present in 36% of cloud environments.
### Data Exfiltration/Impact
- **Credential Theft:** Infostealer malware embedded in Trivy scanned and exfiltrated API keys, GitHub tokens, database credentials, and cloud provider secrets.
- **Aqua Security Defacement:** The attackers renamed all 44 internal repositories at Aqua Security and leaked internal source code and CI/CD configurations.
### Detection & Response
- **March 20, 2026:** Socket researchers identified malicious versions of Trivy.
- **March 22, 2026:** Wiz and Mandiant confirmed the broader scope, including the infection of 1,000+ SaaS environments and the liteLLM compromise.
## Attack Methodology
- **Initial Access:** Misconfigured GitHub Action secret exposure.
- **Persistence:** Use of stolen long-lived privileged access tokens and trojanized container images.
- **Privilege Escalation:** Gaining administrative control over the Aqua Security GitHub organization.
- **Defense Evasion:** Force-pushing malicious code over existing legitimate GitHub tags, so that workflows referencing a trusted tag pulled the malicious commit with no visible version change.
- **Credential Access:** Automated scanning of CI/CD pipeline environments for secrets.
- **Discovery:** Automated "CanisterWorm" for npm package discovery.
- **Lateral Movement:** Using stolen GitHub and npm tokens to compromise downstream dependencies.
- **Collection:** Exfiltration of internal knowledge bases and source code.
- **Exfiltration:** Public Telegram channel communications and direct data transfer to attacker C2.
- **Impact:** Defacement of repositories and widespread extortion via Lapsus$.
## Impact Assessment
- **Financial:** High potential costs related to remediation for 1,000+ organizations and potential Lapsus$ extortion demands.
- **Data Breach:** Exposure of internal source code for Aqua Security; theft of secrets for thousands of downstream users.
- **Operational:** Disruption of CI/CD pipelines worldwide as organizations are forced to rotate all secrets.
- **Reputational:** Significant brand damage to Trivy and Aqua Security.
## Indicators of Compromise
- **File Indicators:** Trivy version 0.69.4 (compromised GitHub release/container image).
- **Behavioral Indicators:**
  - Unexpected force-push events (`git push --force`) on GitHub Action tags.
  - Outbound traffic from CI/CD runners to unauthorized IP addresses.
  - GitHub repository renames to "TeamPCP Owns [Organization]".
- **Network Indicators:** (Defanged) Connections to malicious Docker Hub images and Telegram-based C2.
## Response Actions
- **Containment:** Flagging 75 malicious versions of `trivy-action`.
- **Eradication:** Removal of malicious images from Docker Hub; suspension of compromised npm tokens.
- **Recovery:** Aqua Security began restoring repository names and investigating the depth of the organization-level compromise.
## Lessons Learned
- **Token Management:** Privileged tokens used in GitHub Actions must be strictly scoped and rotated immediately upon suspicion of exposure.
- **Implicit Trust:** Relying on GitHub "tags" for security is insufficient, as they can be force-pushed; pinning to specific commit SHAs is safer.
- **Remediation Veracity:** Initial reports of a security flaw (February) were not adequately addressed, allowing the threat actor to return.
## Recommendations
- **Pin Dependencies:** Use full commit hashes (SHAs) for GitHub Actions instead of tags or versions.
- **Secret Rotation:** Any organization that ran Trivy or liteLLM in the last 7 days must rotate all API keys, cloud credentials, and tokens used in their CI/CD environment.
- **CI/CD Hardening:** Implement OIDC (OpenID Connect) for cloud authentication to avoid using long-lived secrets in GitHub Actions.