Feed
CriticalPublished 19 Mar 20263 packages · 4 versions

Trivy GitHub Action + Docker images compromised — start of TeamPCP cascade

Summary

Aqua Security's Trivy scanner was compromised on 19 March 2026 by the threat actor self-identifying as TeamPCP. The attacker force-pushed 76 of 77 tags in aquasecurity/trivy-action (only @0.35.0 survived) and all 7 tags in aquasecurity/setup-trivy to malicious commits, then published trojanised Trivy binary 0.69.4 + Docker images 0.69.5/0.69.6/latest. A stolen Argon-DevOps-Mgt service-account token seeded the downstream LiteLLM, Telnyx, Bitwarden CLI, and Checkmarx compromises.

ci-cd-compromisecredential-theftmaintainer-takeoverinfostealer
Threat actor
TeamPCP
Detected by
Aqua Security · Microsoft Threat Intelligence
Also known as
TeamPCP Trivy cascade
Ecosystems
DockerGitHub Actions
Packages tracked
3

What happened

On 2026-03-19 the threat actor self-identifying as TeamPCP compromised Aqua Security and used the access to publish trojanised versions of the widely-used Trivy vulnerability scanner. The attacker force-pushed 76 of 77 tags in aquasecurity/trivy-action (only @0.35.0 survived because it was pinned in a popular template), every one of the 7 tags in aquasecurity/setup-trivy, and pushed Docker images aquasec/trivy:0.69.4, :0.69.5, :0.69.6, and :latest. The trojanised binary Trivy 0.69.4 was also pushed to GitHub releases.

Mechanics

The injected code harvests environment variables and secret files from the host runner, then exfiltrates to scan.aquasecurtiy.org (note the typosquatted spelling) and audit.checkmarx.cx. A stolen Argon-DevOps-Mgt service-account token granted the attacker enough access to maintainer accounts at downstream vendors, seeding subsequent compromises.

Blast radius

  • An estimated 10,000+ GitHub Actions workflows pin Trivy by tag rather than commit SHA, so any pipeline that ran during the window of compromise executed the stealer.
  • Direct downstream consequences traced to this single token theft: LiteLLM (PyPI, 2026-03-24), Telnyx Python SDK, Bitwarden CLI, and the Checkmarx KICS / ast-github-action compromise on 2026-03-23.
  • TeamPCP later claimed roughly 500,000 stolen credentials across the cascade.

Response

Aqua Security restored clean tags and rotated their signing infrastructure within hours of disclosure. Microsoft published detailed detection guidance on 2026-03-24, including KQL queries for Defender for Cloud and Sentinel. The incident is now the canonical case study for why GitHub Actions should be pinned to immutable commit SHAs rather than tags.

Affected packages (3)

  • Dockeraquasec/trivy
    0.69.40.69.50.69.6latest
  • GitHub Actionsaquasecurity/setup-trivy
  • GitHub Actionsaquasecurity/trivy-action

Impact

  • CI/CD secrets (cloud, SSH, K8s tokens) harvested from any pipeline using a compromised tag
  • ~10,000+ workflows pinned by tag rather than SHA were affected
  • Stolen tokens seeded ≥4 subsequent package compromises across PyPI + npm

What to do

  1. 1Pin Trivy binary to v0.69.3 or earlier; trivy-action to v0.35.0 commit 57a97c7; setup-trivy to v0.2.6 commit 3fb12ec
  2. 2Rotate all CI/CD credentials reachable from any Trivy scan job since 19 March 2026
  3. 3Hunt for scan.aquasecurtiy.org and audit.checkmarx.cx in egress logs
  4. 4Switch GitHub Action references from tags to immutable commit SHAs as standard practice

References

github-actions-2026-03-19-trivy-teampcp-cascade