A sophisticated supply chain attack targeting the official Trivy GitHub Action ( Disclosed in late March 2026, this incident marks the second distinct compromise affecting the Trivy ecosystem within a single month. <\/p>\n Threat actors successfully force-pushed 75 out of 76 existing version tags to distribute a malicious infostealer. With over 10,000 GitHub workflow files relying on this action, the potential credential theft<\/a> blast radius is massive.<\/p>\n Instead of pushing code to a branch or creating a new release, the attacker leveraged residual write access from an earlier credential breach to alter existing version tags silently. <\/p>\n The threat actor force-pushed 75 tags, including widely used versions like\u00a0 This effectively turned trusted and supposedly immutable version references into a direct distribution mechanism for their custom infostealer malware<\/a>. <\/p>\n By completely bypassing the need to create new releases, the attacker minimized the chances of triggering automated security alerts or notifying project maintainers of unauthorized branch updates.<\/p>\n To evade detection, the attacker spoofed the Git commit metadata. They cloned the original author names, dates, and commit messages to make the malicious commits appear legitimate in the repository logs. <\/p>\n The modified code used the current master file tree but swapped the legitimate\u00a0 Because the malicious commit dates conflicted with the March 2026 parent commit, and the commits lacked GitHub\u2019s web-flow GPG signature, careful inspection reveals the forgery. Notably, version\u00a0 The injected 204-line\u00a0 According to Socket<\/a>, the infostealer operates in three distinct stages: targeted collection, robust encryption, and stealthy exfiltration.<\/a><\/p>\n During the collection phase, the malware targets both GitHub-hosted and self-hosted runners. On GitHub-hosted Linux environments, it uses passwordless\u00a0 On self-hosted runners, a comprehensive Python script scrapes the filesystem for sensitive data across multiple directories. <\/p>\n This script systematically hunts for SSH keys, database credentials, CI\/CD configuration files, and even cryptocurrency wallet data, ensuring an extensive haul of valuable information.<\/a><\/p>\n In the second stage, the stolen data is compressed and encrypted using AES-256-CBC, and the encryption key is wrapped with an RSA-4096 public key. <\/p>\n Finally, the malware attempts to exfiltrate the encrypted bundle via an HTTPS POST request to a typosquatted domain,\u00a0 If this primary channel fails, the script uses the victim\u2019s own GitHub Personal Access Token <\/a>to create a public repository named\u00a0 The malware self-identifies as the \u201cTeamPCP Cloud stealer\u201d. Security researchers track TeamPCP as a cloud-native threat actor known for exploiting misconfigured infrastructure for ransomware and cryptomining operations.<\/a><\/p>\naquasecurity\/trivy-action<\/code>) has compromised continuous integration and continuous deployment (CI\/CD) pipelines globally. <\/p>\nMechanics of the Tag Poisoning Attack<\/strong><\/h2>\n
![\"Screenshot](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/03\/image-10-1024x590.png?resize=1024%2C590&ssl=1\")
@0.33.0<\/code>\u00a0and\u00a0@0.18.0<\/code>, to point to newly forged commits. <\/p>\n![\"Trivy](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/03\/image-11.png?resize=943%2C624&ssl=1\")
entrypoint.sh<\/code>\u00a0file with an infected version. <\/p>\n@0.35.0<\/code>\u00a0remained untouched and is the only safe tag.<\/a><\/p>\nentrypoint.sh<\/code>\u00a0script executes its malicious operations before running the legitimate Trivy scan, allowing it to hide in plain sight. <\/p>\nsudo<\/code>\u00a0privileges to dump the\u00a0Runner.Worker<\/code>\u00a0process memory and extract secrets directly from the heap. <\/p>\nscan[.]aquasecurtiy[.]org<\/code>. <\/p>\ntpcp-docs<\/code>\u00a0and uploads the stolen data as a release asset.<\/a><\/p>\n