Full Report
On March 19, 2026, threat actors injected credential-stealing malware into Aqua Security’s Trivy scanner and related GitHub Actions. Learn how "TeamPCP" executed this breach and how to audit your environment.
Analysis Summary
# Incident Report: Supply Chain Compromise of Aqua Security Trivy (TeamPCP)
## Executive Summary
On March 19, 2026, the threat actor "TeamPCP" executed a sophisticated supply chain attack against Aqua Security’s Trivy vulnerability scanner. The attackers compromised official GitHub repositories, Docker Hub, and GitHub Actions, injecting credential-stealing malware into legitimate software distributions. The breach resulted from incomplete containment of a previous security incident, allowing the actors to exfiltrate secrets and maintain persistence within the project's CI/CD infrastructure.
## Incident Details
- **Discovery Date:** March 19, 2026
- **Incident Date:** March 19, 2026
- **Affected Organization:** Aqua Security (specifically the Trivy project)
- **Sector:** Cybersecurity / Software Development
- **Geography:** Global (Supply Chain)
## Timeline of Events
### Initial Access
- **Date/Time:** March 19, 2026, leading up to 17:43:37 UTC
- **Vector:** Exploitation of access retained from an "incomplete containment" of a previous security incident (`hackbot-claw` exploit).
- **Details:** Attackers compromised the `aqua-bot` service account, allowing them to bypass protections and push malicious code.
### Lateral Movement
- Attackers utilized the `aqua-bot` account to push malicious workflows across multiple repositories: `tfsec`, `traceeshark`, and `trivy-action`.
- They spoofed high-profile contributors (e.g., `DmitriyLewen` and `rauchg`) to lend legitimacy to malicious commits.
### Data Exfiltration/Impact
- **Credential Theft:** Stole Aqua Security’s GPG keys and credentials for Docker Hub, Twitter, and Slack.
- **Workflow Poisoning:** 75 `trivy-action` tags and 7 `setup-trivy` tags were force-pushed with malicious versions.
- **Infrastructure:** Malicious binaries (v0.69.4) containing a backdoored "TeamPCP Cloud stealer" were published to GitHub Releases, Docker Hub, GHCR, and ECR.
### Detection & Response
- **Discovery:** Identified by Wiz Research and industry partners.
- **Response Actions:** Aqua Security removed malicious releases and artifacts; remediation guidance was issued to the community.
## Attack Methodology
- **Initial Access:** Valid accounts (retained access from prior breach).
- **Persistence:** Injected systemd units (`sysmon.py`) on developer machines; used GitHub repositories (`tpcp-docs`) as fallback C2.
- **Privilege Escalation:** Abuse of administrative service account (`aqua-bot`).
- **Defense Evasion:** Spoofing contributor identities; code was designed to run the legitimate service in parallel with malware.
- **Credential Access:** Scraping `Runner.Worker` process memory for secrets; sweeping 50+ sensitive file paths (SSH, K8s, Cloud CLI).
- **Discovery:** System environment variable checks (specifically `GITHUB_ACTIONS != "true"`) to identify developer machines.
- **Lateral Movement:** Automated workflow injection across project dependencies.
- **Collection:** AES-256-CBC + RSA-4096 hybrid encryption of harvested data.
- **Exfiltration:** POST requests to typosquatted domains and Cloudflare Tunnels; fallback via GitHub Repository creation.
- **Impact:** System compromise, credential theft, and supply chain contamination.
## Impact Assessment
- **Financial:** Undisclosed; substantial potential costs for downstream remediation.
- **Data Breach:** High. Theft of GPG keys, CI/CD secrets, and downstream user cloud credentials.
- **Operational:** Disruption to image scanning workflows; forced rotation of secrets for all affected users.
- **Reputational:** High impact to trust in the Trivy project and Aqua Security’s supply chain integrity.
## Indicators of Compromise
- **Network Indicators:**
- `scan.aquasecurtiy[.]org` (Typosquat)
- `45.148.10[.]212`
- `plug-tab-protective-relay.trycloudflare[.]com`
- **File Indicators:**
- `v0.69.4` (Trivy binary)
- `~/.config/systemd/user/sysmon.py`
- `tpcp.tar.gz`
- **Behavioral Indicators:**
- Creation of a repository named `tpcp-docs` in organization/user accounts.
- Unexpected `git force-push` events on historical tags.
## Response Actions
- **Containment:** Removal of malicious GitHub Action tags and Docker images.
- **Eradication:** Revocation of compromised GPG keys and service account tokens.
- **Recovery:** Restoration of legitimate binaries/tags and publication of a security advisory.
## Lessons Learned
- **Containment Gaps:** Incident response is only effective if all persistence mechanisms (like service account access) are fully identified and revoked.
- **Tag Immutability:** The ability to force-push to existing GitHub Action tags remains a significant supply chain risk.
- **CI/CD Visibility:** Organizations must monitor for abnormal process memory access (e.g., scraping `/proc/mem`) during automated builds.
## Recommendations
- **Pin Actions to SHAs:** Move away from using tags (e.g., `@v1`) to full commit hashes for GitHub Actions.
- **Audit Cloud Credentials:** Any environment that ran Trivy v0.69.4 or the affected actions on March 19, 2026, should treat all environment variables and secrets as compromised.
- **Implement OIDC:** Use OpenID Connect for cloud providers to avoid long-lived secrets in GitHub Actions.