Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack
SecurityWeek, archived Mar 23, 2026
Hackers published a malicious scanner release and replaced tags to point to information-stealer malware.
A threat actor compromised Aqua Security’s Trivy open source vulnerability scanner in a supply chain attack that started in late February.
On March 1, Trivy’s maintainers announced that the scanner’s GitHub repository had been compromised in an attack involving a GitHub Actions workflow issue. Some releases were deleted, and malicious versions of the application’s VS Code extensions were published to the Open VSX marketplace.
The attack was part of a larger, automated attack campaign that hit multiple open source repositories via GitHub Actions workflows and resulted in a large natural-language prompt being injected into two malicious versions of Trivy’s VS Code extension.
Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.
“Following the initial disclosure on March 1, credential rotation was performed, but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days),” the maintainers explain.
The attackers used the compromised credentials to push a malicious Trivy release (version v0.69.4) that was distributed across all regular channels, including GitHub Container Registry, Amazon ECR Public, and Docker Hub.
They also force-pushed 76 of 77 trivy-action version tags to malicious commits, leading to infections with an information stealer designed to dump the Runner.Worker process memory and extract all secrets from it.
The malware was also designed to encrypt the harvested data and send it to a remote server. If the exfiltration failed, it created a public GitHub repository and uploaded the data to it.
Additionally, the attackers targeted the setup-trivy releases, force-pushing all tags to malicious commits, leading to the same infostealer. Socket and Wiz published technical details on the attack and the malware.
Ongoing attack
According to Aqua, none of its commercial products that use Trivy have been affected by the attack, as “the forked version of Aqua’s commercial platform lags Trivy open source with a controlled integration process.”
On Monday, the company warned that the attack is ongoing and evolving, with suspicious activity identified on March 22, “involving unauthorized changes and repository tampering”.
“Based on our current understanding, this activity is consistent with the attacker’s previously observed behavior. Our investigation is actively focused on validating that all access paths have been identified and fully closed,” Aqua said.
Trivy’s maintainers released clean iterations of Trivy (versions v0.69.2 and v0.69.3), trivy-action (v0.35.0), and setup-trivy (v0.2.6). Because the original trivy-action tags were deleted during remediation, new tags with a v prefix were published.
They urge all users to rotate all credentials, tokens, and other secrets if a compromised version of Trivy, trivy-action, or setup-trivy ran on their environments.
“Check whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen,” the maintainers note.
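The checks the maintainers describe, sketched as an added example (not code from SecurityWeek, Aqua or the Trivy project): it scans workflow text for trivy-action and setup-trivy references, separates tag references, which a force-push can move, from full commit SHAs, flags version 0.69.4, and matches the tpcp-docs repository name. The `aquasecurity/` owner prefix is the projects' GitHub organization and does not appear in the article; the sample workflow, its tag and its SHA are constructed.

```python
import re

# Action repositories named in the advisory (owner prefix assumed, see lead-in).
ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
EXFIL_REPO = "tpcp-docs"          # fallback exfiltration repository name
USES_RE = re.compile(r"uses:\s*['\"]?([\w.-]+/[\w.-]+)@([\w./-]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BAD_RE = re.compile(r"\bv?0\.69\.4\b")   # malicious Trivy release

# Constructed sample workflow; the tag and the SHA are placeholders.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.1
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run ghcr.io/aquasecurity/trivy:0.69.3 fs .
"""


def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file."""
    findings = []
    mentions_trivy = "trivy" in text.lower()
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # ignore commented-out steps
        m = USES_RE.search(line)
        if m and m.group(1).lower() in ACTIONS:
            # A tag can be force-pushed to another commit; a full SHA cannot.
            kind = "sha-pinned" if SHA_RE.match(m.group(2)) else "mutable-tag"
            findings.append((no, kind, f"{m.group(1)}@{m.group(2)}"))
        if mentions_trivy and BAD_RE.search(line):
            findings.append((no, "bad-trivy-version", line.strip()))
    return findings


def exfil_repos(repo_names):
    """Return repository names matching the fallback exfiltration repo."""
    return [n for n in repo_names if n.lower() == EXFIL_REPO]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
    print(exfil_repos(["infra", "tpcp-docs"]))
```

A `mutable-tag` finding means the workflow's runs during the exposure window need review and the secrets available to them need rotation; a `sha-pinned` reference still needs its commit compared against the project's clean releases.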
TeamPCP’s CanisterWorm campaign
The attack has been linked to a threat actor named TeamPCP, which has expanded its activity following the Trivy compromise, targeting the NPM ecosystem with the CanisterWorm malware.
Last week, Aikido reported that TeamPCP compromised over 45 NPM packages, injecting them with a post-install loader that fetches a persistent Python backdoor, enabling dynamic payload delivery via an ICP canister used for command-and-control (C&C) dead-drop.
CanisterWorm, the security firm says, can extract NPM tokens, resolve usernames, enumerate published packages, create new package versions, and publish the payload across all of them.
It also establishes persistence, contains evasion capabilities, masquerades as PostgreSQL tooling, polls the ICP canister every 50 minutes, and can be disarmed by pointing the canister to a YouTube link.
“If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background since the script never kills previous processes,” Aikido explains.
The infected packages contain a standalone self-propagating tool that appears to be entirely vibe-coded and does not use obfuscation, and which uses stolen tokens to spread the malicious payload across packages.
Financially motivated, TeamPCP emerged in late 2025, targeting cloud-native infrastructure via exposed CI/CD pipelines, Docker APIs, and Kubernetes clusters.
The threat actor is known for mounting supply chain attacks and for leveraging credentials stolen from cloud workloads and GitHub Actions runners via memory scrapers.
Written by Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.