On March 19, 2026, Aqua Security’s Trivy was compromised in a follow-on incident attributed to unrotated credentials from a prior breach. Attackers pushed spoofed commits to both actions/checkout and aquasecurity/trivy, triggering the release of a malicious v0.69.4 version that embedded credential-stealing code retrieved from a typosquatted domain (scan.aquasecurtiy.org, 45.148.10.212) and distributed backdoored binaries via GitHub Releases and major container registries. Additional malicious images (0.69.5, 0.69.6) were later published to Docker Hub. The attackers also compromised the aqua-bot account to push malicious workflows across multiple repositories, exfiltrating secrets (including GPG keys and service credentials) via a Cloudflare Tunnel C2, while force-updating the majority of trivy-action and setup-trivy tags to malicious versions.
The malware deployed in these Actions, referred to as “TeamPCP Cloud stealer,” extracts secrets directly from CI runner memory, harvests credentials and sensitive files across the system, and exfiltrates encrypted data to attacker infrastructure, with fallback exfiltration via attacker-controlled GitHub repositories. When executed, the trojanized Trivy binary runs legitimate functionality alongside malicious routines that collect environment data, scan for credentials, and attempt exfiltration, optionally establishing persistence on developer machines via a systemd-based Python dropper that retrieves payloads from an ICP-hosted endpoint. This infrastructure was later taken down, but was observed serving evolving payloads during the incident.
Shortly after the compromise, related worm-like activity (“CanisterWorm”) was observed targeting npm packages using the same ICP infrastructure, suggesting a broader campaign potentially leveraging stolen publish tokens. While the spread was limited, this activity further indicates coordinated post-compromise exploitation by the same actor.
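A defensive check based on the indicators in this summary, as an added example that is not code from Aqua Security or from the original write-up: it audits GitHub Actions workflow text for trivy-action and setup-trivy references that are not pinned to a full commit SHA (and so follow a force-updated tag), for the malicious Trivy versions, and for the typosquatted domain and IP. The sample workflow, its tag and its 40-hex SHA are constructed placeholders, and `audit_workflow` is a hypothetical helper name.

```python
import re

# Indicators and action names as given in the incident summary above.
BAD_TRIVY_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}
NETWORK_IOCS = ("scan.aquasecurtiy.org", "45.148.10.212")
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)[^@\s]*@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")

# Constructed sample workflow; the tag and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Install Trivy
    uses: aquasecurity/setup-trivy@v0.2.2
    with:
      version: v0.69.4
  - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
  - run: docker run aquasec/trivy:0.69.6 image alpine
"""


def audit_workflow(text):
    """Return (line_no, finding) tuples for one workflow file's text."""
    findings, in_trivy_step = [], False
    for no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        if line.lstrip().startswith("- "):
            in_trivy_step = False  # a new step begins
        for ioc in NETWORK_IOCS:
            if ioc in lowered:
                findings.append((no, f"network IoC {ioc}"))
        m = USES_RE.match(line)
        if m and m.group(1).lower() in AFFECTED_ACTIONS:
            in_trivy_step = True  # later 'version:' lines belong to this step
            if not FULL_SHA_RE.fullmatch(m.group(2)):
                findings.append((no, f"{m.group(1)} uses mutable ref {m.group(2)}"))
        if in_trivy_step or "trivy" in lowered:
            for version in VERSION_RE.findall(line):
                if version in BAD_TRIVY_VERSIONS:
                    findings.append((no, f"malicious Trivy version {version}"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {finding}")
```

A full-SHA reference only shows that a tag update cannot move it; the pinned commit still has to be one that was reviewed as known-good.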