Malicious Script Injection in Trivy Compromise Enables Credential Theft

Home Cyber Security News Malicious Script Injection in Trivy Compromise Enables Credential Theft Malicious Script Injection in Trivy Compromise A sophisticated supply chain attack targeting the official Trivy GitHub Action (aquasecurity/trivy-action) has compromised continuous integration and continuous deployment (CI/CD) pipelines globally. Disclosed in late March 2026, this incident marks the second distinct compromise affecting the Trivy ecosystem within a single month. Threat actors successfully force-pushed 75 out of 76 existing version tags to distribute a malicious infostealer. With over 10,000 GitHub workflow files relying on this action, the potential credential theft blast radius is massive. Mechanics of the Tag Poisoning Attack Instead of pushing code to a branch or creating a new release, the attacker leveraged residual write access from an earlier credential breach to alter existing version tags silently. Screenshot of the Socket package page for of the compromised tags (Source: Socket) The threat actor force-pushed 75 tags, including widely used versions like @0.33.0 and @0.18.0, to point to newly forged commits. This effectively turned trusted and supposedly immutable version references into a direct distribution mechanism for their custom infostealer malware. By completely bypassing the need to create new releases, the attacker minimized the chances of triggering automated security alerts or notifying project maintainers of unauthorized branch updates. To evade detection, the attacker spoofed the Git commit metadata. They cloned the original author names, dates, and commit messages to make the malicious commits appear legitimate in the repository logs. Trivy Notification (Source: Socket) The modified code used the current master file tree but swapped the legitimate entrypoint.sh file with an infected version. Because the malicious commit dates conflicted with the March 2026 parent commit, and the commits lacked GitHub’s web-flow GPG signature, careful inspection reveals the forgery. Notably, version @0.35.0 remained untouched and is the only safe tag. The injected 204-line entrypoint.sh script executes its malicious operations before running the legitimate Trivy scan, allowing it to hide in plain sight. According to Socket, the infostealer operates in three distinct stages: targeted collection, robust encryption, and stealthy exfiltration. During the collection phase, the malware targets both GitHub-hosted and self-hosted runners. On GitHub-hosted Linux environments, it uses passwordless sudo privileges to dump the Runner.Worker process memory and extract secrets directly from the heap. On self-hosted runners, a comprehensive Python script scrapes the filesystem for sensitive data across multiple directories. This script systematically hunts for SSH keys, database credentials, CI/CD configuration files, and even cryptocurrency wallet data, ensuring an extensive haul of valuable information. In the second stage, the stolen data is compressed and encrypted using AES-256-CBC, and the encryption key is wrapped with an RSA-4096 public key. Finally, the malware attempts to exfiltrate the encrypted bundle via an HTTPS POST request to a typosquatted domain, scan[.]aquasecurtiy[.]org. If this primary channel fails, the script uses the victim’s own GitHub Personal Access Token to create a public repository named tpcp-docs and uploads the stolen data as a release asset. The malware self-identifies as the “TeamPCP Cloud stealer”. Security researchers track TeamPCP as a cloud-native threat actor known for exploiting misconfigured infrastructure for ransomware and cryptomining operations. Target Category Specific Files and Variables Hunted SSH and Git id_rsa, authorized_keys, .git-credentials  Cloud Providers AWS_*, AZURE_*, ~/.config/gcloud/*  CI/CD and Docker terraform.tfstate, .docker/config.json  Environment Files .env, .env.production, .env.local  Crypto Wallets wallet.dat, validator-keypair.json  Organizations must immediately stop referencing trivy-action by version tags, with the exception of @0.35.0. To ensure complete security, pipelines should pin the action to the specific safe commit SHA (57a97c7e7821a5776cebc9bb87c984fa69cba8f1). Any environment that executed a poisoned tag must be considered fully compromised. Security teams should urgently rotate all exposed secrets, including cloud credentials and API tokens. Additionally, administrators should audit their GitHub organizations for unauthorized tpcp-docs repositories. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News FBI, CISA Warn Russian Hackers Are Targeting High-Value Individuals Through Signal Chrome Chrome Security Update Fixes 26 Vulnerabilities Allowing Remote Code Execution Cyber Security News Oracle Issues Urgent Security Update for Critical RCE Flaw in Identity Manager and Web Services Manager Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026