GBHackers

Trivy Vulnerability Scanner Compromised to Inject Malicious Scripts That Steal Credentials


A highly sophisticated supply chain attack has successfully compromised the official Trivy GitHub Actions repository, severely impacting continuous integration environments.

Discovered on March 19, 2026, this breach represents the second major security incident to strike the Trivy ecosystem this month following a prior credential theft.

Attackers effectively hijacked 75 out of 76 version tags, transforming trusted version references into an automated distribution mechanism for powerful infostealer malware.

Attack Methodology and Tag Poisoning

Unlike traditional compromises that involve pushing code to a new branch, the threat actors leveraged residual access from an earlier breach to force-push existing version tags.

By covertly redirecting these established tags to malicious commits, the attackers entirely evaded standard repository notifications and suspicious commit history anomalies.

The attackers meticulously spoofed the commit metadata to precisely mirror original release dates, successfully obscuring the ongoing attack from administrators.

Screenshot of the Socket package page for one of the compromised tags (Source: Socket)

According to Socket, the injected payload is cleverly concealed within a modified script that automatically executes immediately before the legitimate Trivy vulnerability scan begins.

This intelligent sequencing ensures the expected security scan runs normally, leaving developers completely unaware of the underlying pipeline compromise taking place.

Once activated, the sophisticated malware executes its malicious data harvesting operations across three distinct phases to maximize credential extraction.

During the initial collection phase, the malicious script aggressively scrapes runner process memory and the local filesystem for valuable cloud credentials, SSH keys, and tokens.

On GitHub-hosted Linux runners, the malware actively elevates privileges to extract secrets deeply stored in the core process heap.

Meanwhile, on self-hosted runners, it deploys a comprehensive Python credential harvester to systematically extract critical secrets hidden across the entire filesystem.

In the subsequent encryption phase, the malware carefully secures the harvested data by generating a random session key to encrypt the stolen secrets using advanced AES encryption standards.

It securely wraps this session key with a public key, guaranteeing that only the attackers holding the matching private key can access the exfiltrated information.

Finally, the exfiltration phase transmits the encrypted bundle to an external typosquatted domain, or seamlessly utilizes a fallback mechanism to automatically upload data to the victim’s account.

Trivy Notification (Source: Socket)

Embedded comments within the malicious script explicitly identify the authors as the TeamPCP Cloud stealer, an advanced group also tracked as DeadCatx3 or ShellForce.

This highly skilled threat group specializes heavily in advanced cloud-native exploitation and widespread automated attacks.

Their established history of aggressively targeting cloud infrastructure strongly correlates with the explicit financial motivations observed within this payload.

Security teams must immediately assume that any continuous integration pipeline referencing the poisoned tags is entirely compromised and leaking data.

Organizations must permanently halt the use of version tags and exclusively pin the action to a verified safe commit hash or an unaffected release.

Furthermore, administrators must conduct an immediate rotation of all exposed secrets and audit their accounts for unauthorized data exfiltration repositories.
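The pinning advice above can be checked mechanically. The following is an added example, not code from Socket or the Trivy project: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA, which are the references a force-pushed tag can silently redirect. The action names and the sample workflow are constructed placeholders.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a workflow step or reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)")
# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

def audit_workflow(text, path="<workflow>"):
    """Return one finding per action reference that a moved tag could redirect."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line, or a local ./ action without @ref
        action, ref = m.groups()
        if action.startswith("docker://"):
            continue  # container image reference, not a repository ref
        if not FULL_SHA_RE.match(ref):
            findings.append({"path": path, "line": lineno,
                             "action": action, "ref": ref})
    return findings

# Constructed sample workflow; example-org/* are placeholder action names.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - name: Vulnerability scan
        uses: example-org/scanner-action@0.1.0
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # v0.1.0
      - uses: example-org/scanner-action@0123456
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, "ci.yml"):
        print(f"{f['path']}:{f['line']}: {f['action']}@{f['ref']} is not pinned to a commit SHA")
```

A clean result only shows that each reference is immutable, not that the pinned commit is trustworthy: the SHA itself still has to be verified against a known-good release, and because the attackers spoofed commit metadata, commit dates are not evidence of that.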
