On March 19, 2026, Trivy, Aqua Security's widely adopted open-source vulnerability scanner, became the target of a sophisticated supply chain attack focused on CI/CD infrastructure. Threat actors used access gained from an unremediated prior incident to inject credential-stealing malware into official releases of the scanner.
The campaign, attributed to the threat actor TeamPCP, compromised GitHub Actions workflows used in continuous integration and deployment pipelines. Attackers with write access to version tags force-pushed malicious commits, redirecting trusted references to harmful code without visible changes to release metadata.
In addition to compromising workflows, the threat actors published a malicious binary, v0.69.4, to official distribution channels. The compromised code executed credential-harvesting logic alongside legitimate scanning functionality, so scans still completed successfully while secrets were exfiltrated from downstream workflows.
Git's mutable tag system enabled the abuse: the attackers replaced the target commit behind 76 of 77 tags in trivy-action and all 7 tags in setup-trivy, so any workflow referencing those tags silently pulled the malicious commit. The campaign subsequently expanded to additional frameworks, including Checkmarx KICS and LiteLLM, with additional details expected as the investigation progresses.

Maintainers removed the malicious artifacts from distribution channels later that day. Microsoft Defender for Cloud observed the complete attack chain on compromised self-hosted GitHub Actions runners. Organizations should strengthen supply chain security measures against mutable references and impersonation tactics.
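The two defensive checks that follow from the tag-rewriting technique described above are (1) find workflow steps that reference an action by a mutable tag or branch rather than a full commit SHA, and (2) detect when a tag you have already reviewed now resolves to a different commit than it did before. The following script is an added example written for this article; it is not code from Aqua Security, Microsoft, or the Trivy project. The workflow text, the `git ls-remote --tags` output, the tag names ending in `-example`, and every SHA in it are constructed placeholders, and the helper names (`find_unpinned_uses`, `detect_moved_tags`) are this example's own.

```python
import re

# Constructed sample workflow (not the Trivy project's own). The tags and SHAs
# below are placeholders; "-example" tags and the 0123...4567 SHA are not real.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.0.0-example
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.0.0-example
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3
      - run: echo done
"""

# Matches "uses: <ref>" lines; the capture stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A pinned reference is a full 40-hex commit SHA; short SHAs, tags and branches are mutable.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Return 'local', 'docker', 'sha' or 'mutable' for one uses: reference."""
    if ref.startswith("./"):
        return "local"            # action checked out with the repo; not fetched by tag
    if ref.startswith("docker://"):
        return "docker"           # image reference; pinned by digest separately
    if "@" not in ref:
        return "mutable"          # no version at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_text):
    """List every uses: reference that a moved tag or branch could redirect."""
    return [ref for ref in USES_RE.findall(workflow_text) if classify_ref(ref) == "mutable"]


# Constructed `git ls-remote --tags <remote>` output. Annotated tags appear twice:
# once as the tag object and once peeled ("^{}") to the commit it points at.
SAMPLE_LS_REMOTE = """\
0123456789abcdef0123456789abcdef01234567\trefs/tags/v0.0.0-example
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\trefs/tags/v0.0.1-example
ffffffffffffffffffffffffffffffffffffffff\trefs/tags/v0.0.1-example^{}
"""

# Constructed lockfile: the commit each tag resolved to when it was last reviewed.
KNOWN_TAG_SHAS = {
    "v0.0.0-example": "0123456789abcdef0123456789abcdef01234567",
    "v0.0.1-example": "89abcdef0123456789abcdef0123456789abcdef",
}


def parse_ls_remote_tags(output):
    """Map tag name -> commit SHA; a peeled '^{}' entry wins over the tag object SHA."""
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        name = ref.removeprefix("refs/tags/")
        peeled = name.endswith("^{}")
        name = name.removesuffix("^{}")
        if peeled or name not in tags:
            tags[name] = sha
    return tags


def detect_moved_tags(ls_remote_output, known):
    """Return {tag: (expected_sha, current_sha)} for every reviewed tag that now
    points somewhere else, which is exactly what a force-pushed tag looks like."""
    current = parse_ls_remote_tags(ls_remote_output)
    moved = {}
    for tag, expected in known.items():
        actual = current.get(tag)
        if actual is not None and actual != expected:
            moved[tag] = (expected, actual)
    return moved


if __name__ == "__main__":
    for ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
    for tag, (old, new) in detect_moved_tags(SAMPLE_LS_REMOTE, KNOWN_TAG_SHAS).items():
        print(f"tag {tag} moved: {old[:12]} -> {new[:12]}")
```

Pinning to a full SHA removes the tag from the trust decision entirely, which is why the pinned `trivy-action` step above is not reported while the tag-referenced `setup-trivy` step is. The second check is for the pins you have not yet converted: run `git ls-remote --tags` against the remote on a schedule and diff the result against the recorded SHAs, so a tag that moves between reviews is flagged before a workflow consumes it.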