Trivy
Trivy is Aqua Security’s open-source vulnerability scanner that was compromised in a March 19, 2026 supply-chain attack attributed to TeamPCP. High-confidence reporting in the provided content states that the attackers poisoned the Trivy ecosystem by force-pushing malicious tags in aquasecurity/trivy-action and aquasecurity/setup-trivy and publishing a backdoored Trivy binary release, v0.69.4, to official channels including GitHub Releases, Docker Hub, GHCR, ECR, deb/rpm repositories, and get.trivy.dev. Additional malicious Docker Hub images 0.69.5 and 0.69.6 were later reported. The compromised artifacts preserved normal Trivy functionality while executing credential-stealing logic.
The malicious payload harvested secrets from CI/CD runners and developer systems. Reported behavior includes reading GitHub Actions Runner.Worker memory via /proc/<pid>/mem to recover secrets, scanning numerous sensitive filesystem paths for SSH keys, Git credentials, AWS, GCP, and Azure credentials, Kubernetes tokens, Docker registry credentials, Terraform state, database credentials, .env files, shell histories, TLS keys, VPN material, and cryptocurrency wallets, and collecting host information such as environment variables and network interface data. Stolen data was packaged as tpcp.tar.gz, encrypted with AES-256-CBC using an RSA-4096/RSA-OAEP hybrid scheme, and exfiltrated primarily to the typosquatted domain scan.aquasecurtiy.org, which was reported at 45.148.10.212. Additional attacker infrastructure mentioned in the content includes plug-tab-protective-relay.trycloudflare.com. If direct exfiltration failed, the malware could use a stolen GitHub token to create public repositories such as tpcp-docs and upload the archive as a release asset.
On non-CI Linux developer machines, the backdoored Trivy binary reportedly attempted persistence by writing a Python payload under the user’s config/systemd path and creating a systemd user service; related reporting also describes polling the ICP-hosted endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io for follow-on payloads. The compromise window described in the content was approximately 12 hours for trivy-action, about 4 hours for setup-trivy, and about 3 hours for the malicious Trivy v0.69.4 release.
The incident is associated with TeamPCP, also referenced in the content under aliases including DeadCatx3, PCPcat, and ShellForce. The Trivy compromise is described as the initial credential-harvesting stage of a broader multi-ecosystem campaign that later enabled downstream compromises affecting Checkmarx KICS, LiteLLM, Telnyx, npm packages, and other targets. Reported downstream impact includes ownCloud confirming its build infrastructure was affected by CVE-2026-33634, while stating no customer data or source code was impacted. The content explicitly ties the Trivy compromise to CVE-2026-33634 and notes theft of CI/CD secrets such as npm tokens, Docker Hub credentials, and PyPI publishing tokens.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ownCloud published a security notice confirming their build infrastructure -- the systems producing container images and client binaries -- was affected by CVE-2026-33634 (the Trivy compromise).
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
On March 19, TeamPCP force-pushed malicious commits over 75 of 76 version tags of aquasecurity/trivy-action and poisoned Trivy release v0.69.4. Any CI/CD pipeline that ran Trivy that day had its secrets harvested and exfiltrated to the attacker.
On March 19, 2026, aquasecurity/trivy-action — a widely used GitHub Action for running the Trivy vulnerability scanner — was compromised for approximately 12 hours... a malicious trivy binary release (v0.69.4) was published for approximately 3 hours.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 techniqueERA Security Scanner ... nmap, nikto, subfinder, subdomain enumeration, IP reputation, DNS, and mail security analysis ... security-tools-mcp ... nmap, nuclei, sqlmap, nikto, dirsearch, httpx, trivy ... NmapService nmapScan
Resource Development
2 techniquesThe v0.69.4 binaries contained malicious code that phones home to a typosquat C2 domain... scan[.]aquasecurtiy[.]org — note the typo ( securtiy vs security ), a typosquat of Aqua Security's domain.
ownCloud published a security notice confirming their build infrastructure -- the systems producing container images and client binaries -- was affected by CVE-2026-33634 (the Trivy compromise).
Initial Access
6 techniques...allowing the hackers to steal its secret API key and use that access to pivot to obtain data stored in the Commission’s AWS account.
...hackers acquired a secret API key associated with the European Commission’s AWS account... use that access to pivot to obtain data stored in the Commission’s AWS account.
Tags and branches are mutable, which means a repo owner can repoint them to a different commit at any time... if the action maintainer's account is compromised, an attacker can repoint that tag to a malicious commit and every downstream workflow picks it up on the next run without a PR or other indication.
The attack almost certainly began when a compromised Trivy CI/CD action ran inside LiteLLM’s own build pipeline... TeamPCP then used that token to push malicious releases directly to PyPI.
Besides the Trivy breach, TeamPCP has been linked to ransomware attacks and crypto-mining campaigns... The hackers have more recently been behind a systematic campaign of supply chain attacks compromising other open source security projects...
ownCloud published a security notice confirming their build infrastructure -- the systems producing container images and client binaries -- was affected by CVE-2026-33634 (the Trivy compromise). ownCloud confirms: no customer data compromised, no source code altered, impact limited to build systems only.
Execution
2 techniquesaccess AWS environments, execute commands in containers... The attackers validated cloud keys... and used them to access cloud services, enumerate infrastructure, run commands inside containers...
Persistence
2 techniques...allowing the hackers to steal its secret API key and use that access to pivot to obtain data stored in the Commission’s AWS account.
Privilege Escalation
3 techniquesReads GitHub Actions Runner worker memory (on Linux) — decodes a base64 Python script that locates the Runner.Worker process and reads its memory via /proc/<pid>/mem to extract secrets marked isSecret: true.
...allowing the hackers to steal its secret API key and use that access to pivot to obtain data stored in the Commission’s AWS account.
Stealth
5 techniquesReads GitHub Actions Runner worker memory (on Linux) — decodes a base64 Python script that locates the Runner.Worker process and reads its memory via /proc/<pid>/mem to extract secrets marked isSecret: true.
After exfiltration, the malware cleaned up all temporary files and launched the legitimate Trivy scan.
...allowing the hackers to steal its secret API key and use that access to pivot to obtain data stored in the Commission’s AWS account.
...hackers acquired a secret API key associated with the European Commission’s AWS account... use that access to pivot to obtain data stored in the Commission’s AWS account.
Credential Access
5 techniquesIt iterated through th e /proc/ directory to isolate the PIDs for the .NET runtime powering the Runner.Worker process. Because the script inherited the runner’s user privileges, it read the /proc/<pid>/mem file descriptor , mapped the memory boundaries via /proc/<pid>/maps, and ran string-matching algorithms across the heap memory segments.
When the compromised action ran, it harvested LiteLLM’s PyPI publishing token.
The attacker's script can easily read any of them with an environment lookup like os.environ.get('MY_SECRET') and send them back to an attacker without leaving evidence.
threat actors used the Trufflehog open source tool to find and validate stolen credentials. Then, TeamPCP performed reconnaissance ... After the organization downloaded a compromised version of Trivy, attackers stole an AWS API key ... From there, they used Trufflehog to discover more AWS credentials
CERT-EU said that the breach originated on March 19 when hackers acquired a secret API key associated with the European Commission’s AWS account... allowing the hackers to steal its secret API key and use that access to pivot to obtain data stored in the Commission’s AWS account.
Discovery
2 techniques...use that access to pivot to obtain data stored in the Commission’s AWS account.
using credentials stolen during earlier compromises to access Amazon Web Services (AWS) accounts, execute commands in containers... Reviewing cloud logs for unexpected Amazon Elastic Container Service Exec activity...
Collection
1 techniquebefore finally accessing various resources, such as S3 buckets and Amazon Elastic Container Service (ECS) instances, to exfiltrate sensitive data ... and then exfiltrated data from the environment
Command and Control
2 techniquesHTTPS POST to C2: Stolen data is encrypted (SHA-256 + base64), then sent to an attacker-controlled domain decoded at runtime via the scramble cipher.
The trivy release automation ( aqua-bot ) published v0.69.4 ... The v0.69.4 binaries contained malicious code that phones home to a typosquat C2 domain.
Exfiltration
3 techniquesThe stolen data was then encrypted ... and bundled into a tpcp.tar.gz archive, then exfiltrated via HTTP POST to the typosquatted domain scan.aquasecurtiy[.]org.
Fallback exfiltration — if the C2 is unreachable and a GitHub PAT is available, creates a public repository called tpcp-docs on the victim's GitHub account and uploads the stolen data as a release asset.
execute commands in containers, and exfiltrate sensitive cloud data... Reviewing cloud logs for unexpected Amazon Simple Storage Service access, and Secrets Manager retrievals.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
CERT-EU said the credentials seemed to have been harvested through the Trivy supply-chain attack.
Named as the compromised component in a supply chain incident affecting build infrastructure; the compromise is tracked as CVE-2026-33634.
A security scanner whose compromise impacted downstream build infrastructure in the TeamPCP supply chain campaign.
Referenced as the compromised component in a supply chain incident affecting downstream build infrastructure, tied to CVE-2026-33634.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.