Understanding the Trivy Supply Chain Compromise: Unpinned GitHub Actions, Persistent Credentials, and the Attack Loop
The cybersecurity community is currently dealing with the second distinct supply chain compromise of the Trivy ecosystem in March 2026. This incident, which affected the aquasecurity/trivy-action GitHub Action, highlights the vital role of atomic credential rotation and the inherent risk of referencing mutable version tags in CI/CD pipelines. The widespread concern among users, particularly over the recurrence of such an event in a security-focused project, calls for a closer look at the technical details behind the headlines.
The Incident
At approximately 19:15 UTC on March 19, 2026, suspicious activity was detected in the aquasecurity/trivy-action GitHub repository. This was the second significant Trivy supply chain compromise this month, following an earlier incident involving the Trivy Visual Studio Code (VS Code) extension on Open VSX.
This latest breach was a direct consequence of incomplete containment of that prior incident. In late February/early March 2026, an autonomous bot exploited a misconfigured pull_request_target workflow. The exploit exfiltrated a Personal Access Token (PAT), which was then used to take control of the GitHub repository. That initial compromise resulted in the deletion of several release versions and the publication of two malicious versions of the Trivy VS Code extension to Open VSX, as well as a compromised version 0.69.4 of aquasecurity/trivy.
The current incident reused the access left behind by those same compromised credentials. The attackers used the still-valid PAT, which had write privileges, to force-push malicious payloads to 75 of the 76 version tags in the aquasecurity/trivy-action repository. Concurrently, 7 tags in the aquasecurity/setup-trivy repository were also compromised.
The Mechanism
The attack chain shows a methodical approach to compromising the Trivy supply chain, taking advantage of both credential persistence and mutable Git tags.
The initial compromise, stemming from the pull_request_target workflow vulnerability, gave the attacker a valid PAT. The main failure point was the incomplete, non-atomic rotation of credentials after that first breach: the PAT stayed valid, and that alone determined the severity of this second compromise.
With that access, the attacker poisoned the tags. For each of the 75 affected aquasecurity/trivy-action tags and 7 aquasecurity/setup-trivy tags, a new commit was force-pushed that replaced the legitimate entrypoint.sh script with a malicious infostealer payload. To maintain stealth, the attacker spoofed the original commit metadata, including author, email, committer, and timestamps. However, several indicators betrayed the forgery:
- Missing Signatures: Attacker's commits were unsigned, whereas original commits were GPG-signed by GitHub.
- Inconsistent Parent Commits: Malicious commits claimed original release dates (e.g., 2021, 2022) but referenced a parent commit dated March 2026, an impossible temporal relationship.
- Targeted File Modification: Malicious commits modified only entrypoint.sh, while legitimate releases typically involved changes across multiple files.
- Misleading GitHub UI: GitHub's "Immutable" badge on release pages does not guarantee tag integrity against force-pushes, leading to a false sense of security.
- Incorrect Commit Count: The "0 commits to master since this release" counter on GitHub's release page for poisoned tags was incorrect for older versions, which should have shown hundreds of subsequent commits.
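The indicators above can be checked mechanically rather than by eye. The script below is added here as an example (it is not code from the Trivy project or the original post): it parses the output of one git log command run against a tag and reports the three indicators that can be tested from commit metadata alone: a missing or unverifiable signature, a committer date earlier than the parent's, and a change set consisting only of entrypoint.sh. The two log samples embedded in it are constructed, with invented hashes and names.

```python
"""Audit a release tag for the forgery indicators listed above.

Added example (not code from the Trivy project or the original post). It parses the
output of a single git command run in a clone of the action repository, for instance

    git log -2 --name-only --format='%H%x1f%P%x1f%at%x1f%ct%x1f%G?%x1f%an%x1f%ae' 0.28.0

which prints the tag's commit followed by its parent (-2; use a non-merge tag commit),
and reports:
  * no verifiable signature (%G? is N for unsigned, B/E for bad or uncheckable),
  * a committer date earlier than the parent's (a child cannot be committed before
    its parent, so a "2022" release whose parent dates from 2026 is forged),
  * only entrypoint.sh changed.
Caveat: %G? reports G/U only if the signer's public key (for releases signed by
GitHub, its web-flow key) is in the local gpg keyring; E means "could not check",
which deserves a look but is not proof of forgery by itself.
The two sample outputs are constructed for this example; hashes and names are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SEP = "\x1f"  # the %x1f field separator used in the format string above


@dataclass
class Commit:
    sha: str
    parents: list
    author_ts: int
    committer_ts: int
    sig: str            # %G? status letter
    author: str
    email: str
    files: list = field(default_factory=list)


def parse_git_log(text: str) -> list:
    """Turn `git log --name-only --format=<%x1f-separated fields>` output into Commits."""
    commits = []
    for line in text.splitlines():
        if SEP in line:  # a format line starts a new record
            sha, parents, at, ct, sig, an, ae = line.split(SEP)
            commits.append(Commit(sha, parents.split(), int(at), int(ct), sig, an, ae))
        elif line.strip() and commits:  # any other non-empty line is a changed path
            commits[-1].files.append(line.strip())
    return commits


def _day(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")


def audit_tag(commits: list) -> list:
    """Return forgery indicators for commits[0], using commits[1] as its parent."""
    tag = commits[0]
    parent = commits[1] if len(commits) > 1 else None
    findings = []
    if tag.sig == "N":
        findings.append("unsigned commit")
    elif tag.sig not in ("G", "U"):
        findings.append(f"signature not verifiable (%G?={tag.sig})")
    if parent is not None:
        if parent.sha not in tag.parents:
            findings.append("second record is not a parent of the tag commit")
        elif tag.committer_ts < parent.committer_ts:
            findings.append(f"committed {_day(tag.committer_ts)}, "
                            f"before its parent {_day(parent.committer_ts)}")
    if set(tag.files) == {"entrypoint.sh"}:
        findings.append("only entrypoint.sh modified")
    return findings


# Constructed sample: a legitimate signed January 2022 release on top of a 2022 parent.
LEGIT_LOG = (
    f"1111111111111111111111111111111111111111{SEP}2222222222222222222222222222222222222222"
    f"{SEP}1641800000{SEP}1641800000{SEP}G{SEP}Release Bot{SEP}bot@example.invalid\n\n"
    "README.md\naction.yml\nentrypoint.sh\n\n"
    f"2222222222222222222222222222222222222222{SEP}3333333333333333333333333333333333333333"
    f"{SEP}1641700000{SEP}1641700000{SEP}G{SEP}Release Bot{SEP}bot@example.invalid\n\n"
    "action.yml\n"
)

# Constructed sample: the same tag after a force-push. Author and committer dates are
# spoofed to January 2022, but the parent was committed on 2026-03-19, the commit is
# unsigned, and only entrypoint.sh changed.
FORGED_LOG = (
    f"4444444444444444444444444444444444444444{SEP}5555555555555555555555555555555555555555"
    f"{SEP}1641800000{SEP}1641800000{SEP}N{SEP}Release Bot{SEP}bot@example.invalid\n\n"
    "entrypoint.sh\n\n"
    f"5555555555555555555555555555555555555555{SEP}6666666666666666666666666666666666666666"
    f"{SEP}1773946800{SEP}1773946800{SEP}G{SEP}Maintainer{SEP}dev@example.invalid\n\n"
    "go.mod\nREADME.md\n"
)

if __name__ == "__main__":
    for name, log in (("legit", LEGIT_LOG), ("forged", FORGED_LOG)):
        print(name, audit_tag(parse_git_log(log)) or "no indicators")
```

Run the git command from the docstring against every tag of a clone (`git tag` lists them) and feed each output to parse_git_log(). The GitHub UI's commit counter and "Immutable" badge are deliberately not inputs here, because the post shows both can mislead; the commit graph and signature status are what the attacker could not make consistent.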
The malicious entrypoint.sh payload is an infostealer, designed to collect sensitive data and execute silently before the legitimate Trivy scan, so the job itself still appears to run normally. It operates in three stages (collection, encryption, exfiltration), followed by cleanup:
- Secret Collection:
  - Process Environment Scraping: Harvests environment variables (e.g., env, ssh) from runner processes and reads the file paths referenced by those variables.
  - GitHub-Hosted Runner Memory Dump: Dumps the Runner.Worker process memory on GitHub-hosted Linux/macOS runners to extract secrets.
  - Self-Hosted Runner Filesystem Stealer: Systematically searches the filesystem for sensitive data, including credentials, configuration files, and private keys.
- Encryption: Collected data is encrypted with AES-256-CBC, and the session key material is in turn encrypted with the attacker's embedded RSA-4096 public key, so the bundle cannot be recovered without the attacker's private key. The encrypted bundle is packaged as tpcp.tar.gz.
- Exfiltration:
  - Primary Channel: The encrypted bundle is sent via HTTPS POST to the typosquat domain scan[.]aquasecurtiy[.]org.
  - Fallback Channel: If the primary channel fails and an INPUT_GITHUB_PAT (user-scoped token) is available, the malware creates a public repository named tpcp-docs on the victim's GitHub account, creates a release with a timestamped tag, and uploads tpcp.tar.gz as a release asset.
- Cleanup: All temporary files are removed after exfiltration.
The malware also includes a persistence mechanism: if executed on a developer machine, it installs a systemd service that runs a Python script ("sysmon.py") which polls an external server for payloads to execute.
The Impact of the Trivy Supply Chain Compromise
This compromise potentially affects a large number of systems: over 10,000 GitHub workflow files reference aquasecurity/trivy-action. Any CI/CD pipeline that executed a poisoned tag after approximately 19:00 UTC on March 19, 2026, should be considered fully compromised. The only unaffected trivy-action tag is @0.35.0.
In practice, this means a wide range of sensitive credentials and configuration data was stolen from affected CI/CD environments, including cloud provider credentials (AWS, GCP, Azure), SSH keys, API tokens, database passwords, Docker registry tokens, Kubernetes service account tokens, and even cryptocurrency wallet keys. The breadth of the collection shows the attackers were after high-value credentials in general rather than any single target.
The malware itself uses the moniker "TeamPCP Cloud stealer." This aligns with the observed tactics of cloud-native threat actors, who frequently exploit cloud infrastructure for data theft, ransomware, and cryptomining. The credential targets are consistent with such operational profiles.
A significant cascading impact has already been observed: threat actors used the stolen data to compromise several npm packages, pushing malicious versions that contain a self-propagating worm. This shows how quickly a CI/CD supply chain breach propagates downstream.
The incident has caused widespread concern within the developer and security communities. There is significant frustration over the inherent security limitations of GitHub Actions, particularly the pull_request_target weakness, which has been publicly documented and discussed in security advisories since at least 2021. The repeated compromise of Aqua Security, a company specializing in container and cloud-native security, has caused disappointment and skepticism, particularly over the incomplete credential rotation after the first incident.
The community is strongly emphasizing pinning GitHub Actions to commit SHAs rather than mutable version tags. Automated dependency update tools like Dependabot or Renovate resolve version tags when they propose updates, so while the tags were poisoned their proposals could themselves have pointed at the malicious commits; update pull requests for actions should be reviewed, not auto-merged.
The Response
To mitigate ongoing risk and prevent future recurrences, immediate and decisive action is essential.
Immediate Mitigation Steps:
- Cease Tag Usage: Organizations should immediately stop referencing trivy-action and setup-trivy by mutable version tags.
- Safe Pinning: For aquasecurity/trivy-action, safe options are pinning to the specific commit SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 or using tag 0.35.0 exclusively. For aquasecurity/setup-trivy, tag 0.2.6 is considered safe. The trivy scanner itself has a safe version, 0.69.3.
- Credential Rotation: Any pipeline that executed a poisoned tag should be treated as fully compromised. Rotate all secrets accessible to the affected workflows immediately, including cloud credentials, SSH keys, API tokens, database passwords, and Docker registry tokens. Because the stealer also dumps runner memory and walks the filesystem on self-hosted runners, everything a job could read is in scope, not only the secrets declared in the workflow.
- Network Blocking: Block the exfiltration domain scan[.]aquasecurtiy[.]org and its associated IP address 45.148.10[.]212 at the network level.
- Audit GitHub: Review GitHub organizations, and the personal accounts of anyone whose user-scoped token was exposed to workflows as INPUT_GITHUB_PAT, for any newly created public repository named tpcp-docs, which indicates successful fallback exfiltration.
- Log Review: Audit GitHub Actions logs for any trivy-action or setup-trivy runs after approximately 19:00 UTC on March 19, 2026. On developer machines where the action's script may have run locally, check for a systemd service that launches sysmon.py.
Strategic Recommendations for Enhanced CI/CD Security:
This incident highlights gaps that require a re-evaluation of CI/CD security practices:
Atomic Credential Rotation
The failure to perform a complete and atomic credential rotation after the initial breach directly enabled this second, more impactful attack. Organizations should implement rotation procedures that cover every credential associated with a compromised environment or user, not just the token first identified: API keys, SSH keys, service accounts, and any token that was reachable from the compromised workflow. The rotation is not finished until it has been verified that the old credentials no longer authenticate.
Mandatory SHA Pinning for GitHub Actions
Referencing GitHub Actions by mutable version tags (e.g., `@v1`, `@0.34.2`) is a significant supply chain risk: anyone with repository write access can force-push malicious code under those tags, as demonstrated here. Organizations should mandate pinning actions to their full commit SHAs (e.g., `uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1`), keeping the human-readable version as a trailing comment. A SHA pin is only as trustworthy as the commit it names, so the pinned commit should be checked (signed, and consistent with the release history) before it is adopted. Tools like Dependabot or Renovate can keep SHA pins current, but their configuration should be reviewed so they do not reintroduce mutable references, and their update pull requests should not be auto-merged.
Secure `pull_request_target` Workflows
The initial compromise leveraged a well-known weakness of `pull_request_target` workflows: they run in the context of the base repository, with its secrets and a write-capable token, even when triggered by a pull request from a fork. Checking out the pull request's head in such a workflow and then building, testing, or otherwise executing anything from it hands those secrets to whoever opened the PR. Use the plain `pull_request` trigger wherever possible; where `pull_request_target` is genuinely needed (for example, to label or comment on PRs), do not check out or run code from the PR head, keep `permissions:` to the minimum, and treat PR titles, bodies, and branch names as untrusted input.
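The immediate mitigation steps and the two recommendations above reduce to checks that can be run over workflow files. The script below is added here as an example and is not part of the Trivy project's tooling: it scans a workflow's text and reports unpinned `uses:` references, references to the two Aqua actions that are not among the safe pins named in this post, and `pull_request_target` workflows that check out the PR head or request write-all permissions. It is line-based rather than a YAML parser (it assumes one key per line, which is how workflows are normally written), and the two workflow texts it contains, one vulnerable and one hardened, are constructed for the example.

```python
"""Scan GitHub Actions workflow text for the weaknesses discussed above.

Added example, not code from the Trivy project or this post. The scan is line-based
(it assumes one key per line, as workflows are normally written, and is not a YAML
parser). It reports:
  * `uses:` references not pinned to a full 40-hex commit SHA,
  * references to aquasecurity/trivy-action or aquasecurity/setup-trivy other than the
    pins this post names as safe (a different SHA is reported as "verify manually":
    a SHA pin is only as trustworthy as the commit it names),
  * pull_request_target workflows that check out the pull request head or grant
    write-all permissions, the combination that exposes base-repository secrets.
Both workflow texts at the bottom are constructed for the example.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.")
PRT_RE = re.compile(r"\bpull_request_target\b")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\b")

# References named as safe in the incident write-up; anything else on these two
# actions is reported.
KNOWN_SAFE = {
    "aquasecurity/trivy-action": {"57a97c7e7821a5776cebc9bb87c984fa69cba8f1", "0.35.0"},
    "aquasecurity/setup-trivy": {"0.2.6"},
}


def audit_workflow(text: str) -> list:
    """Return (line_number, message) findings for one workflow file's text."""
    lines = [l.split("#", 1)[0] for l in text.splitlines()]  # drop YAML comments
    uses_prt = any(PRT_RE.search(l) for l in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):  # local/container: no tag question
            action, _, ref = m.group(1).partition("@")
            pinned = bool(SHA_RE.match(ref))
            if not pinned:
                shown = ref or "(none)"
                findings.append((no, f"{action} uses mutable ref '{shown}'; pin a commit SHA"))
            if action in KNOWN_SAFE and ref not in KNOWN_SAFE[action]:
                why = ("SHA not on the known-safe list; verify manually" if pinned
                       else "not a known-safe reference")
                findings.append((no, f"{action}@{ref}: {why}"))
        if uses_prt and PR_HEAD_RE.search(line):
            findings.append((no, "pull_request_target workflow checks out the PR head; "
                                 "anything built or run from it executes with base-repo secrets"))
        if uses_prt and WRITE_ALL_RE.match(line):
            findings.append((no, "pull_request_target workflow grants write-all permissions"))
    return findings


# Constructed vulnerable workflow: pull_request_target + PR-head checkout + write-all,
# with both actions referenced by mutable tags.
VULNERABLE = """\
name: scan
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
"""

# Constructed hardened workflow: plain pull_request trigger, read-only token, and the
# action pinned to the SHA this post names as safe (image scan, so no checkout needed).
HARDENED = """\
name: scan
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # safe SHA from the write-up
        with:
          scan-type: image
          image-ref: ghcr.io/example/app:latest
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name)
        for no, msg in audit_workflow(wf) or [(0, "no findings")]:
            print(f"  line {no}: {msg}")
```

Point it at every file under `.github/workflows/` in each repository (reading the file and calling audit_workflow on its text); a non-empty result for the vulnerable shape above is exactly the configuration that leaked the PAT in the first incident, and an unpinned `aquasecurity/*` reference is the configuration that executed the stealer in the second.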
Principle of Least Privilege
Ensure that all CI/CD credentials, including PATs and service accounts, operate with the absolute minimum necessary permissions. Over-privileged tokens significantly expand the blast radius of a compromise.
Enhanced Monitoring and Alerting
Implement out-of-band monitoring for unusual activity within GitHub repositories, such as force-pushes to protected tags, unexpected repository creation (e.g., `tpcp-docs`), or changes to critical workflow files.
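As an added example of the monitoring described above (not code from the Trivy project or this post), the following triage function processes GitHub webhook deliveries and raises alerts for the three signals that would have surfaced this incident early: a published tag updated in place or deleted, workflow files changed on a tag or the default branch, and a public repository named tpcp-docs appearing. The payload field names follow GitHub's push and repository events; the sample payloads are constructed, and the repository and account names in them are invented.

```python
"""Triage GitHub webhook deliveries for the out-of-band signals recommended above.

Added example, not code from the Trivy project or this post. It consumes `push` and
`repository` webhook payloads (field names such as ref, before/after, created,
deleted, forced, commits[].modified, head_commit, repository.default_branch and
sender.login are those of GitHub's push and repository events) and raises:
  * HIGH     an existing tag updated in place or deleted (moving a published tag is
             the attack primitive used here; GitHub sets `forced` for non-fast-forward
             pushes, but the check keys on created/deleted so it does not depend on it),
  * MEDIUM   a push to a tag or the default branch that changes .github/workflows/,
  * CRITICAL creation of a public repository named tpcp-docs, the stealer's fallback
             exfiltration channel.
The four sample payloads are constructed; repository and account names are invented.
Wire it up by pointing an organization webhook at a receiver that calls triage()
with the X-GitHub-Event header value and the parsed JSON body.
"""

EXFIL_REPO = "tpcp-docs"
WORKFLOW_DIR = ".github/workflows/"


def _touched_files(payload: dict) -> set:
    """Union of paths added/modified/removed across the push's commits and head_commit."""
    commits = list(payload.get("commits") or [])
    if payload.get("head_commit"):
        commits.append(payload["head_commit"])
    files = set()
    for c in commits:
        for key in ("added", "modified", "removed"):
            files.update(c.get(key) or [])
    return files


def _short(sha) -> str:
    return (sha or "")[:7]


def triage(event: str, payload: dict) -> list:
    """Return alert strings for one delivery; event is the X-GitHub-Event header value."""
    alerts = []
    repo = payload.get("repository") or {}
    name = repo.get("full_name", "?")
    actor = (payload.get("sender") or {}).get("login", "?")
    if event == "push":
        ref = payload.get("ref", "")
        is_tag = ref.startswith("refs/tags/")
        if is_tag and payload.get("deleted"):
            alerts.append(f"HIGH {name}: tag {ref} deleted by {actor}")
        elif is_tag and not payload.get("created"):  # existing tag moved
            alerts.append(f"HIGH {name}: tag {ref} updated in place by {actor} "
                          f"({_short(payload.get('before'))} -> {_short(payload.get('after'))}, "
                          f"forced={bool(payload.get('forced'))})")
        on_default = ref == f"refs/heads/{repo.get('default_branch', '')}"
        wf = sorted(f for f in _touched_files(payload) if f.startswith(WORKFLOW_DIR))
        if wf and (is_tag or on_default):
            alerts.append(f"MEDIUM {name}: workflow files changed on {ref} by {actor}: {wf}")
    elif event == "repository" and payload.get("action") == "created":
        if repo.get("name") == EXFIL_REPO and not repo.get("private", True):
            alerts.append(f"CRITICAL {name}: public repository {EXFIL_REPO} created by "
                          f"{actor}; matches the stealer's fallback exfiltration path")
    return alerts


# Constructed payloads (shapes follow GitHub's push and repository webhooks).
_REPO = {"full_name": "example-org/scan-action", "name": "scan-action",
         "default_branch": "master", "private": False}

TAG_MOVED = {  # a released tag force-pushed to a commit that only touches entrypoint.sh
    "ref": "refs/tags/0.28.0", "created": False, "deleted": False, "forced": True,
    "before": "1111111111111111111111111111111111111111",
    "after": "4444444444444444444444444444444444444444",
    "repository": _REPO, "sender": {"login": "release-bot"}, "commits": [],
    "head_commit": {"added": [], "removed": [], "modified": ["entrypoint.sh"]},
}
TAG_CREATED = {  # a genuinely new release tag: no alert
    "ref": "refs/tags/0.35.0", "created": True, "deleted": False, "forced": False,
    "repository": _REPO, "sender": {"login": "maintainer"}, "commits": [], "head_commit": None,
}
WORKFLOW_EDIT = {  # default-branch push that edits a workflow file
    "ref": "refs/heads/master", "created": False, "deleted": False, "forced": False,
    "repository": _REPO, "sender": {"login": "maintainer"},
    "commits": [{"added": [], "removed": [], "modified": [".github/workflows/release.yml"]}],
    "head_commit": {"added": [], "removed": [], "modified": [".github/workflows/release.yml"]},
}
REPO_CREATED = {  # the fallback exfiltration repository appearing on a user account
    "action": "created",
    "repository": {"full_name": "victim-dev/tpcp-docs", "name": "tpcp-docs",
                   "default_branch": "main", "private": False},
    "sender": {"login": "victim-dev"},
}

if __name__ == "__main__":
    for ev, p in (("push", TAG_MOVED), ("push", TAG_CREATED),
                  ("push", WORKFLOW_EDIT), ("repository", REPO_CREATED)):
        print(triage(ev, p) or ["no alert"])
```

The HIGH rule fires on any in-place tag update, including legitimate ones, which is intentional: a published action tag should essentially never move, so the volume is low and every hit deserves a human look. The tpcp-docs rule is incident-specific and should be generalized to "public repository created by an account that normally does not create them" once the immediate hunt is over.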
GPG Signature Verification
Enforce GPG signing of commits and tags, and have the pipeline verify signatures itself rather than trust a "Verified" badge: the absence of signatures on the attacker's commits was a key indicator of compromise. Verification only helps if the verifier has the signer's public key and if an unsigned or unverifiable commit actually fails the check, so configure it to fail closed.
Supply Chain Security Tools
Leverage specialized supply chain security tools, such as Socket.dev, for continuous monitoring and analysis of dependencies and their behavior.
This incident is more than a single breach; it offers crucial insight into the evolving landscape of software supply chain attacks. The technical details reveal an adversary exploiting known weaknesses in CI/CD practices and the persistence of compromised credentials. For the broader open-source and CI/CD security community, the lessons are clear: robust credential management, strict adherence to SHA pinning, and continuous vigilance are no longer optional; they are fundamental to maintaining integrity in modern development pipelines.