ANAVEM

Trivy Scanner Hit by Supply Chain Attack via GitHub Actions

TeamPCP threat actors compromised the popular Trivy vulnerability scanner, distributing credential-stealing malware through official releases and GitHub Actions workflows.

21 March 2026, 18:30

Last updated 21 March 2026, 20:00

SEVERITY: High
EXPLOIT: Active Exploit
PATCH STATUS: Available
VENDOR: Aqua Security
AFFECTED: Trivy vulnerability scanner ve...
CATEGORY: Cyber Attacks

TeamPCP Compromises Trivy Scanner Infrastructure

The Trivy vulnerability scanner, a widely-used open-source security tool, fell victim to a sophisticated supply chain attack orchestrated by the TeamPCP threat group on March 21, 2026. The attackers successfully infiltrated the project's GitHub repository and distribution infrastructure, embedding credential-stealing malware into official releases and automated GitHub Actions workflows.

Trivy, developed by Aqua Security, serves as a comprehensive vulnerability scanner for container images, file systems, and Git repositories. The tool has gained significant adoption among DevOps teams and security professionals for its ability to detect vulnerabilities in multiple formats including OS packages, language-specific packages, and Infrastructure as Code misconfigurations. This widespread usage made it an attractive target for supply chain attackers seeking maximum impact.

The compromise was discovered when security researchers noticed anomalous network traffic patterns from systems running recent Trivy installations. Initial analysis revealed that the malicious code was designed to harvest credentials from development environments, including API keys, database passwords, and cloud service tokens. The malware operated stealthily, maintaining normal scanner functionality while exfiltrating sensitive data to command-and-control servers operated by TeamPCP.

TeamPCP, previously known for targeting software development tools and CI/CD pipelines, demonstrated advanced persistence techniques in this attack. The group modified the project's GitHub Actions workflows to automatically inject malicious payloads during the build process, ensuring that even legitimate releases would contain their credential-harvesting code. This approach allowed the attackers to maintain access even after initial detection and remediation efforts.

The attack timeline shows that the initial compromise occurred approximately 72 hours before public disclosure, during which time thousands of organizations may have downloaded and deployed the compromised scanner versions. CISA's Known Exploited Vulnerabilities catalog has been updated to reflect the supply chain compromise, emphasizing the critical nature of this incident for organizations relying on automated vulnerability scanning in their security workflows.

Widespread Impact Across Development and Security Teams

The Trivy supply chain attack affects a broad spectrum of organizations that have integrated the scanner into their development and security workflows. Primary targets include DevOps teams, security operations centers, and cloud-native organizations that rely on automated vulnerability scanning for container security. Companies using Trivy in their CI/CD pipelines face the highest risk, as the malicious code specifically targets credentials commonly found in development environments.

Organizations running Trivy versions downloaded or updated between March 19-21, 2026, are considered compromised. This includes both direct installations from GitHub releases and deployments through package managers like Homebrew, Docker Hub, and various Linux distribution repositories. The attack particularly impacts Kubernetes environments where Trivy is commonly deployed as a cluster scanner, potentially exposing service account tokens and cluster credentials.

Cloud service providers and managed security service providers (MSSPs) that offer Trivy-based scanning services to their customers face cascading risks. The credential-stealing payload targets AWS access keys, Azure service principal credentials, Google Cloud service account keys, and database connection strings commonly stored in environment variables or configuration files accessible to the scanner process.

Financial services, healthcare, and government organizations using Trivy for compliance scanning face elevated risks due to the sensitive nature of their environments and the potential for lateral movement using harvested credentials. The malware's design suggests that TeamPCP specifically targeted high-value credentials that could facilitate further attacks against critical infrastructure and sensitive data repositories.

Immediate Response and Mitigation Requirements

Organizations must immediately halt all Trivy operations and assume that any credentials accessible to the scanner have been compromised. The first critical step involves identifying all systems where Trivy versions 0.49.0 through 0.49.2 were installed or executed between March 19-21, 2026. System administrators should check package manager logs, container registries, and CI/CD pipeline execution histories to determine exposure scope.
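The exposure check described above can be scripted. The following is an added example, not code from Aqua Security or the article: it classifies timestamped log lines against the article's version range (0.49.0 through 0.49.2), date window (March 19-21, 2026) and clean release (0.49.3). The line layout (ISO date first, then free text naming trivy and a version) and the sample lines are constructed assumptions.

```python
import re
from datetime import date

# Values stated in the article.
AFFECTED = ((0, 49, 0), (0, 49, 2))              # inclusive version range
WINDOW = (date(2026, 3, 19), date(2026, 3, 21))  # inclusive date window
FIXED = (0, 49, 3)                               # clean rebuild

# Assumed layout: ISO date, time, then the message text.
TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[T ]\S+\s+(.*)$")
# Three-part version not embedded in a longer dotted number (skips IPs).
VER_RE = re.compile(r"(?<![\d.])v?(\d+)\.(\d+)\.(\d+)(?![\d.])")

def classify(line):
    """Return (status, day, version) for a Trivy install/run line, else None."""
    m = TS_RE.match(line)
    if not m or "trivy" not in m.group(4).lower():
        return None
    versions = VER_RE.findall(m.group(4))
    if not versions:
        return None
    # dpkg-style "upgrade" lines list old then new version; keep the new one.
    version = tuple(int(p) for p in versions[-1])
    day = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    in_range = AFFECTED[0] <= version <= AFFECTED[1]
    in_window = WINDOW[0] <= day <= WINDOW[1]
    if in_range and in_window:
        return "EXPOSED", day, version   # rotate everything this host could read
    if in_range or (in_window and version < FIXED):
        return "REVIEW", day, version    # only one of the two conditions holds
    return "CLEAR", day, version

def triage(log_text):
    """Classify every Trivy line in a log; unrelated lines are dropped."""
    return [r for r in map(classify, log_text.splitlines()) if r]

# Constructed sample: dpkg-style and CI-style lines, not real incident data.
SAMPLE_LOG = """\
2026-03-18 09:12:44 upgrade trivy:amd64 0.48.1 0.48.3
2026-03-20 02:15:07 upgrade trivy:amd64 0.48.3 0.49.1
2026-03-20T11:40:03Z ci-runner-7 pulled image aquasec/trivy:0.49.2
2026-03-20T14:02:51Z ci-runner-2 pulled image aquasec/trivy:0.48.3
2026-03-21T19:55:10Z ci-runner-7 installed trivy_0.49.3_Linux-64bit.tar.gz
2026-03-24 08:00:00 nightly scan job started, trivy v0.49.0 (cached binary)
2026-03-20 03:00:00 unrelated job: nginx 1.25.4 restarted
"""

if __name__ == "__main__":
    for status, day, version in triage(SAMPLE_LOG):
        print(status, day.isoformat(), ".".join(map(str, version)))
```

REVIEW covers the two ambiguous cases in the article's wording: an affected version seen outside the window, and an older version pulled inside it.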

Credential rotation represents the most urgent mitigation requirement. All API keys, database passwords, cloud service credentials, and authentication tokens accessible to Trivy processes must be immediately revoked and regenerated. This includes AWS IAM access keys, Azure service principals, Google Cloud service accounts, database connection strings, and any custom API tokens stored in environment variables or configuration files. Organizations should prioritize credentials with elevated privileges or access to sensitive data repositories.

Network monitoring teams should implement immediate detection rules for the known command-and-control infrastructure used by TeamPCP. The malicious payload communicates with domains following specific patterns and uses encrypted channels to exfiltrate credential data. Security teams should monitor for unusual outbound connections from development environments and implement network segmentation to limit potential lateral movement using compromised credentials.

Aqua Security has released Trivy version 0.49.3 as a clean rebuild from verified source code, available through official security advisories. Organizations should only install this version after completing credential rotation and implementing additional monitoring controls. The new release includes enhanced integrity verification mechanisms and improved supply chain security measures to prevent similar compromises in the future.

Frequently Asked Questions

How do I check if my Trivy installation is compromised?

Check your Trivy version using the 'trivy --version' command. Versions 0.49.0 through 0.49.2 downloaded between March 19-21, 2026 are compromised. Review package manager logs and CI/CD pipeline histories for installation evidence.

What credentials should I rotate after the Trivy attack?

Immediately rotate all API keys, database passwords, cloud service credentials, and authentication tokens accessible to Trivy processes. This includes AWS IAM keys, Azure service principals, Google Cloud accounts, and any custom API tokens in environment variables.

Is Trivy version 0.49.3 safe to use?

Yes, Trivy 0.49.3 is a clean rebuild from verified source code released by Aqua Security. Install this version only after completing credential rotation and implementing additional monitoring controls for your environment.
