Dispatch
Trivy Security Scanner Compromised — TeamPCP Hijacks 75 of 76 GitHub Actions Tags to Steal CI/CD Secrets
Threat actor 'TeamPCP' force-pushed malicious code into 75 of 76 version tags in the aquasecurity/trivy-action repository, injecting a credential stealer into the widely used Trivy vulnerability scanning GitHub Action. Version 0.69.4 runs both the legitimate scanner and malware that scans for environment variables, API tokens, cloud credentials, and SSH keys, encrypts them, and exfiltrates to scan.aquasecurtiy[.]org (typosquat). Any CI/CD pipeline that ran a poisoned tag should be treated as fully compromised — rotate all secrets immediately.
Source
↳ Follow the thread