Summary
On March 19, 2026, Aqua Security's Trivy vulnerability scanner suffered a supply chain attack by "TeamPCP," who exploited incompletely rotated credentials from an earlier breach to push backdoored binaries and silently rewrite 75+ version tags in trivy-action, deploying a multi-stage credential stealer that harvested cloud keys, SSH keys, database credentials, crypto wallets, and other secrets from CI/CD pipelines.
Take Action:
If you use Trivy, trivy-action, or setup-trivy in your pipelines, this is urgent and important! Treat all secrets that ran through affected pipelines as compromised: rotate them now and investigate logs for all systems where those secrets may have given access.
Then immediately pin GitHub Actions to the full commit SHA hashes of known safe versions instead of version tags, since tags can be silently rewritten to point to malicious code.
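One way to audit workflows for the pinning advice above, as an added example that is not from the original article or from Aqua Security: it flags every `uses:` reference that is not a full 40-character commit SHA. The sample workflow, `EXAMPLE_TAG`, the SHA value and `example-org/example-action` are constructed placeholders.

```python
import pathlib
import re
import sys

# `uses:` value up to whitespace, quote or comment: owner/repo[/path]@ref
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; the tag and SHA values are placeholders, not real releases.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: aquasecurity/trivy-action@EXAMPLE_TAG
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/example-action@0123456
      - uses: ./local-action
"""

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for each `uses:` not pinned to a full 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions and container images are not git refs; skip them.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        # Tags, branches and abbreviated SHAs are all mutable or ambiguous references.
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings

if __name__ == "__main__":
    # Scan a repository checkout (default: current directory) and exit non-zero on findings.
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    files = sorted((root / ".github" / "workflows").glob("*.y*ml"))
    hits = [(f, *hit) for f in files for hit in find_unpinned(f.read_text())]
    for f, line_no, action, ref in hits:
        print(f"{f}:{line_no}: {action}@{ref} is not pinned to a full commit SHA")
    sys.exit(1 if hits else 0)
```

The check covers only the form of the reference; which commits are safe to pin to has to come from the vendor's advisory.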
This article was originally published on BeyondMachines