TeamPCP's Trivy Attack Is Still Active — Check Your CI/CD Now

CybrPulse

CybrPulse

4 min read

Aqua Security's Trivy scanner has been compromised in a rolling supply chain attack that began quietly in late February and is still escalating as of March 23. If your pipelines use Trivy, assume they're affected until you've verified otherwise.

Here's what happened, in order.

The Timeline

Late February / March 1: Attackers gained initial access to Aqua Security's GitHub environment via a GitHub Actions workflow exploit. They deleted some releases and pushed malicious VS Code extensions to the Open VSIX marketplace. Trivy's maintainers disclosed the incident and rotated credentials — but the rotation wasn't atomic. Over a few days, a valid token stayed live long enough for the attackers to exfiltrate the newly rotated secrets.

March 21: Second wave. The threat actor used those stolen credentials to push Trivy v0.69.4 — a fully trojanized release — across every distribution channel simultaneously: Docker Hub, GitHub Container Registry, and Amazon ECR Public. They also force-pushed malicious commits to 76 of 77 `trivy-action` version tags and all `setup-trivy` tags. The injected malware dumps the `Runner.Worker` process from memory, extracting every secret present in the CI/CD runner. Exfiltrated data is encrypted and sent to a remote server; if that fails, it creates a public GitHub repo and uploads the data there.

March 22: The attack escalated again. New Docker images `0.69.5` and `0.69.6` appeared on Docker Hub with no corresponding GitHub releases — a reliable sign of unauthorized publishing. Both contain the TeamPCP infostealer. The `latest` tag now pointed to `0.69.6`, meaning anyone pulling the default image pulled compromised code. In a separate scripted 2-minute burst between 20:31 and 20:32 UTC, attackers defaced all 44 repositories in Aqua's internal `aquasec-com` GitHub organization, renaming each with a `tpcp-docs-` prefix and setting descriptions to "TeamPCP Owns Aqua Security."

How They Got In

The pivot between organizations came down to a single service account: `Argon-DevOps-Mgt` (GitHub ID 139343333, created 2023-07-12). This account had write and admin access across both of Aqua's GitHub organizations — the public one (`aquasecurity`) and the internal one (`aquasec-com`). It authenticated via a Personal Access Token, not a GitHub App token. No MFA. The TeamPCP Cloud stealer harvested the PAT from CI runner environment variables during an earlier workflow execution. One token, two organizations, full access.

Forensic review of GitHub's Events API confirms the service account was the attack vector. The hackers tested their admin access first by creating and immediately deleting a branch in a public repo — confirming permissions before running the defacement script.

Indicators of Compromise

If any of these exist in your environment, treat it as a confirmed compromise:

  • Trivy versions `v0.69.4`, `0.69.5`, or `0.69.6` executed in any pipeline
  • A repository named `tpcp-docs` in your GitHub organization (the malware's fallback exfiltration mechanism)
  • C2 domain `scan.aquasecurity.org` in network logs (typosquatted to mimic Aqua's real infrastructure)
  • Files `payload.enc` or `tpcp.tar.gz` on runner hosts
  • A systemd service named `pgmon` on Linux systems
  • Files `/tmp/pglog` or `/tmp/.pg_state`

The last three relate to CanisterWorm — TeamPCP's downstream npm campaign that emerged from the stolen credentials. So far, over 45 npm packages have been backdoored, including packages under `@emilgroup` and `@teale.io` namespaces. The worm uses a `postinstall` hook to drop a Python backdoor, then harvests npm tokens from `.npmrc` files and environment variables, publishing tainted patch updates to every package the compromised developer maintains. Command-and-control runs over the Internet Computer Protocol (ICP) — a blockchain-based dead-drop that blends with regular HTTPS traffic.

A separate wiper payload has also surfaced, spreading via SSH and exposed Docker APIs on port 2375. On Kubernetes clusters identified as Iranian, it deploys privileged DaemonSets and runs `rm -rf / --no-preserve-root`. Non-Iranian nodes get CanisterWorm installed as a persistent service.

What You Need to Do

If you run Trivy in CI/CD:

  1. Stop using any image or action tag other than `v0.69.2`, `v0.69.3` (Trivy), `v0.35.0` (trivy-action), or `v0.2.6` (setup-trivy). Pin by digest, not tag — tags are mutable.
  2. Rotate every secret that was present in any runner that executed a compromised version. That means API keys, cloud credentials, GitHub tokens, SSH keys, npm tokens — everything.
  3. Search your GitHub organization for repos with the `tpcp-docs` prefix.
  4. Check network logs for outbound connections to `scan.aquasecurity.org`.

If you use npm packages from affected namespaces:

  1. Stop the `pgmon` systemd service and remove it if found.
  2. Delete `/tmp/pglog` and `/tmp/.pg_state`.
  3. Rotate all npm authentication tokens stored in `.npmrc`, environment variables, and CI/CD secrets.

General hygiene this incident exposes:

Service accounts with long-lived PATs and no MFA are the exact attack surface TeamPCP is targeting. If you have automation accounts with broad repo access authenticated via PATs, convert them to GitHub Apps with fine-grained permissions. Credential rotation is only effective if it's atomic — partial rotations leave windows.

The Bigger Picture

Aqua Security makes Trivy — a tool security teams use to scan for vulnerabilities. Compromising the scanner is a high-leverage move: the attacker gets access to every secret in every CI/CD pipeline that runs a security check. Trivy has over 33,800 GitHub stars and is embedded in pipelines across thousands of organizations. The blast radius here is large.

TeamPCP is not a one-and-done crew. They're escalating, building capabilities, and pivoting quickly between targets as defenders respond. The attack that started with a GitHub Actions misconfiguration has now produced: an infostealer, a self-propagating npm worm, a Kubernetes wiper, and the defacement of a major security vendor's internal repositories. Treat this as an ongoing campaign, not a contained incident.

*CybrPulse tracks TeamPCP and related supply chain threat actors continuously. This post is based on data ingested from Socket, SecurityWeek, The Hacker News, OpenSourceMalware, and Bleeping Computer reporting through March 23, 2026.*

Read more