Trivy GitHub Action + Docker images compromised — start of TeamPCP cascade
Aqua Security's Trivy scanner was compromised on 19 March 2026 by the threat actor self-identifying as TeamPCP. The attacker force-pushed 76 of 77 tags in aquasecurity/trivy-action (only @0.35.0 survived) and all 7 tags in aquasecurity/setup-trivy to malicious commits, then published trojanised Trivy binary 0.69.4 + Docker images 0.69.5/0.69.6/latest. A stolen Argon-DevOps-Mgt service-account token seeded the downstream LiteLLM, Telnyx, Bitwarden CLI, and Checkmarx compromises.
- Threat actor
- TeamPCP
- Detected by
- Aqua Security · Microsoft Threat Intelligence
- Also known as
- TeamPCP Trivy cascade
- Ecosystems
- DockerGitHub Actions
- Packages tracked
- 3
What happened
On 2026-03-19 the threat actor self-identifying as TeamPCP compromised Aqua Security and used the access to publish trojanised versions of the widely-used Trivy vulnerability scanner. The attacker force-pushed 76 of 77 tags in aquasecurity/trivy-action (only @0.35.0 survived because it was pinned in a popular template), every one of the 7 tags in aquasecurity/setup-trivy, and pushed Docker images aquasec/trivy:0.69.4, :0.69.5, :0.69.6, and :latest. The trojanised binary Trivy 0.69.4 was also pushed to GitHub releases.
Mechanics
The injected code harvests environment variables and secret files from the host runner, then exfiltrates to scan.aquasecurtiy.org (note the typosquatted spelling) and audit.checkmarx.cx. A stolen Argon-DevOps-Mgt service-account token granted the attacker enough access to maintainer accounts at downstream vendors, seeding subsequent compromises.
Blast radius
- An estimated
10,000+GitHub Actions workflows pin Trivy by tag rather than commit SHA, so any pipeline that ran during the window of compromise executed the stealer. - Direct downstream consequences traced to this single token theft:
LiteLLM(PyPI,2026-03-24),TelnyxPython SDK,Bitwarden CLI, and theCheckmarx KICS/ast-github-actioncompromise on2026-03-23. - TeamPCP later claimed roughly
500,000stolen credentials across the cascade.
Response
Aqua Security restored clean tags and rotated their signing infrastructure within hours of disclosure. Microsoft published detailed detection guidance on 2026-03-24, including KQL queries for Defender for Cloud and Sentinel. The incident is now the canonical case study for why GitHub Actions should be pinned to immutable commit SHAs rather than tags.
Affected packages (3)
- Docker
aquasec/trivy0.69.40.69.50.69.6latest - GitHub Actions
aquasecurity/setup-trivy - GitHub Actions
aquasecurity/trivy-action
Impact
- CI/CD secrets (cloud, SSH, K8s tokens) harvested from any pipeline using a compromised tag
- ~10,000+ workflows pinned by tag rather than SHA were affected
- Stolen tokens seeded ≥4 subsequent package compromises across PyPI + npm
What to do
- 1Pin Trivy binary to
v0.69.3or earlier;trivy-actiontov0.35.0commit57a97c7;setup-trivytov0.2.6commit3fb12ec - 2Rotate all CI/CD credentials reachable from any Trivy scan job since 19 March 2026
- 3Hunt for
scan.aquasecurtiy.organdaudit.checkmarx.cxin egress logs - 4Switch GitHub Action references from tags to immutable commit SHAs as standard practice
References
- MicrosoftDetecting, investigating, and defending against the Trivy supply chain compromisemicrosoft.com
- Aqua SecurityUpdate: Ongoing Investigation and Continued Remediation (Trivy supply chain attack)aquasec.com
- Step SecurityTrivy Compromised a Second Time — Malicious v0.69.4 Release, trivy-action and setup-trivy GitHub Actions Compromisedstepsecurity.io