MegaGame10418

TeamPCP is the threat actor name self-identified in reporting on a multi-stage supply chain attack against Aqua Security’s Trivy ecosystem on March 19, 2026. In the provided content, the actor is associated with the name megagame10418 and is described as having retained access from an earlier incompletely contained incident. The operation compromised the Trivy core scanner, aquasecurity/trivy-action, and aquasecurity/setup-trivy GitHub Actions, and also affected related Aqua assets including tfsec and traceeshark via the compromised aqua-bot service account. The actor used spoofed commits in upstream repositories, malicious release/tag manipulation, and credential theft. Reported activity included pushing imposter commits while spoofing the users rauchg and DmitriyLewen, publishing a malicious Trivy v0.69.4 release, and force-pushing 75 of 76 trivy-action tags and 7 setup-trivy tags to malicious versions. Backdoored Trivy binaries were published to GitHub Releases, Docker Hub, GHCR, and ECR; later reporting also stated that malicious Docker Hub images 0.69.5 and 0.69.6 were published. The malicious GitHub Actions payload harvested secrets from runners by dumping Runner.Worker process memory via /proc/<pid>/mem and searching for secret patterns, and by collecting data from more than 50 sensitive file paths. Stolen material reportedly included SSH keys, AWS, GCP, and Azure credentials, Kubernetes tokens, cryptocurrency wallets, and additional Aqua secrets such as GPG keys and credentials for Docker Hub, Twitter, Slack, and other internal resources. The payload encrypted stolen data using AES-256-CBC and RSA-4096 hybrid encryption into tpcp.tar.gz and exfiltrated it primarily to the typosquatted domain scan.aquasecurtiy.org, with additional exfiltration to the Cloudflare Tunnel endpoint plug-tab-protective-relay.trycloudflare.com. A fallback exfiltration mechanism created a GitHub repository named tpcp-docs in victim accounts and uploaded stolen data there. The malicious Trivy binary executed legitimate Trivy functionality in parallel with malicious code, gathered environment variables, filesystem credentials, and network interface information, then compressed, encrypted, and exfiltrated the data. On systems identified as developer machines by checking that GITHUB_ACTIONS was not true, it attempted persistence by writing ~/.config/systemd/user/sysmon.py and creating a systemd unit to run it persistently. The persistence component polled the ICP-hosted endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io for follow-on payloads. The content also states that TeamPCP expanded activity into the npm ecosystem with a worm called CanisterWorm and publicly exposed internal Aqua repositories, indicating continued access after the initial compromise. No nation-state attribution is provided in the content. Known names directly supported by the content are TeamPCP and megagame10418.