SCN-007 / Security Scanner Compromised → CI/CD Secret Stealer / 2026

Trivy / TeamPCP 2026

On Mar 19, 2026 at 17:43 UTC, the threat actor TeamPCP force-pushed 76 of 77 version tags in aquasecurity/trivy-action - and all 7 tags in aquasecurity/setup-trivy - to point at malicious commits. The poisoned entrypoint.sh ran a credential stealer BEFORE the legitimate Trivy scan, with pipelines appearing to work normally.

76/77

tags force-pushed

3-12 h

exposure window

TeamPCP

attributed actor

CVE-

no exploit (residual access)

TeamPCP · 76/77 tags pushed Mar 19 →

A trusted security scanner was turned into a credential stealer overnight - pipelines using @v0 instead of a SHA pulled malware and shipped AWS, GCP, Azure, and Kubernetes secrets to the attacker.

~700 GB / victim

Exposure

Vect ransomware listed Guesty + S&P Global + others; ~700 GB exfil per named victim, 1,000+ SaaS envs affected

76 of 77 tags

Time to detect

all trivy-action version tags force-pushed Mar 19 2026; advisory GHSA-69fq-xp46-6x23 Mar 21

Pin SHA-40

Fix complexity

every GitHub Actions reference pinned to full 40-char commit SHA, not @v0/@v1/@main

Ask your team this Friday

Run grep across all .github/workflows/*.yml - for every third-party action, is it pinned to a full SHA (40 hex chars) or a moving tag like @v1, @v0, or @main?

→ Audit my environment

Select scenario

  
 TEXT   
 STEP 01 TeamPCP retains residual access from Feb 2026 incident 
Aqua Security post-incident timeline
 1# Per Aqua advisory GHSA-69fq-xp46-6x23 + Microsoft Security Blog (Mar 24 2026):
2Feb 2026 : Initial intrusion into Trivy release infrastructure
3Mar 1    : Credential rotation begun (incomplete)
4Mar 19   : TeamPCP leverages residual access for force-push attack
5
6# Threat actor profile (Wiz / Flare / The Hacker News):
7Actor   : TeamPCP (self-labelled)
8Tracking: threats.wiz.io/all-actors/teampcp
9Profile : Cloud-native theft + monetization
10          Worm-driven ransomware history
11          Cryptocurrency wallet targeting
12          ICP-hosted infrastructure 
No CVE, no zero-day · the attack chain depends entirely on incomplete remediation of the February 2026 intrusion. Credential rotation that misses one machine identity = full re-entry.
  1 / 7  

← back

Executive briefing · blast-audit

Trivy / TeamPCP 2026

A trusted security scanner was turned into a credential stealer overnight - pipelines using @v0 instead of a SHA pulled malware and shipped AWS, GCP, Azure, and Kubernetes secrets to the attacker.

~700 GB / victim

Exposure

Vect ransomware listed Guesty + S&P Global + others; ~700 GB exfil per named victim, 1,000+ SaaS envs affected

76 of 77 tags

Time to detect

all trivy-action version tags force-pushed Mar 19 2026; advisory GHSA-69fq-xp46-6x23 Mar 21

Pin SHA-40

Fix complexity

every GitHub Actions reference pinned to full 40-char commit SHA, not @v0/@v1/@main

Ask your team this Friday

Run grep across all .github/workflows/*.yml - for every third-party action, is it pinned to a full SHA (40 hex chars) or a moving tag like @v1, @v0, or @main?

Verified incident

Trivy supply-chain compromise - security scanner became the weapon

TeamPCP (self-labelled). Tracked by Wiz at threats.wiz.io/all-actors/teampcp. Profiled by Flare and The Hacker News in February 2026. Possible false-flag, but cloud-native theft + cryptomining + ICP infrastructure overlap make attribution plausible.

How it happened

On March 19, 2026 at 17:43 UTC, TeamPCP force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy to point at malicious commits. Docker Hub images for trivy were poisoned simultaneously. The payload was injected into entrypoint.sh and executed BEFORE the legitimate Trivy scan - pipelines appeared to work normally (SARIF output uploaded, exit code 0, duration unchanged) while the stealer exfiltrated environment variables, GitHub Actions tokens, AWS/GCP/Azure credentials, npm publish tokens, and Docker Hub tokens. Per Aqua's post-incident review, the attack was made possible by incomplete remediation of an earlier February 2026 intrusion - credential rotation that did not cover all machine identities left TeamPCP with residual access to Trivy's release infrastructure. Exposure windows ranged 3-12 hours per component before rollback.

Outcome

Aqua published advisory GHSA-69fq-xp46-6x23 and rotated affected credentials a second time. Microsoft Security Blog, Wiz, Palo Alto Networks, Legit Security, Sysdig (TeamPCP expansion to Checkmarx Actions), and Upwind all published detection guidance within days. Halcyon reported the campaign entered an extortion phase with the Vect ransomware operation publishing its first downstream victim using credentials linked to the Trivy compromise. The canonical defense is pinning GitHub Actions by full commit SHA (not by tag) and pinning Docker images by digest. Dependabot and Renovate now auto-pin Actions to SHA by default.

Sources

Open on desktop for the full demo

Trivy / TeamPCP 2026

Trivy / TeamPCP 2026

Generate audit report