Trivy got hijacked: 75 of 76 version tags rewritten to drop a CI secret-stealer
Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.
Trivy, the open-source vulnerability scanner used in tens of thousands of CI pipelines, was compromised in late February and the full blast radius is only landing now. Aqua Security disclosed that attackers force-pushed 75 of 76 version tags in aquasecurity/trivy-action to a single malicious commit. Anyone pinning by tag, the default in every Trivy quickstart, ran attacker code on their next workflow run.
What we know
- The intrusion started around February 23, 2026, when a misconfigured GitHub Actions workflow leaked a privileged token, per Aqua’s update. Aqua rotated credentials on March 1, but the rotation missed at least one valid token.
- On March 19, the attacker used the surviving token to force-push 75 of 76 version tags in the trivy-action repo to commits that downloaded and ran a payload, as Wiz’s writeup details.
- The payload, analyzed by CrowdStrike, exfiltrates SSH keys, GitHub tokens, AWS/GCP/Azure credentials, Docker config, Kubernetes service-account tokens, .npmrc, and any cryptocurrency wallet files in the runner.
- Stolen npm tokens were then used to publish poisoned npm packages carrying CanisterWorm, a self-propagating worm that targets developer machines.
- The threat group, tracked as TeamPCP (also DeadCatx3, PCPcat, ShellForce, CipherForce), is the same crew behind the recent npm package compromises and an Iran-targeting wiper, Microsoft’s threat-intel team confirmed.
What we don’t know
- The full count of organizations whose CI environments were exposed. Aqua’s telemetry covers customers; the long tail of trivy-action users on plain GitHub is uncountable.
- Which tokens TeamPCP still holds. Aqua rotated credentials twice, but the second rotation only happened after the March 19 push.
- How the attackers got the original misconfiguration into Aqua’s pipeline. Aqua’s disclosure is vague on the entry vector, and that’s the part defenders need.
- Whether any of the npm packages compromised in the cascade are still poisoned. The npm registry has been pulling them, but the worm payload writes itself into node_modules on install.
Sources
Aqua Security is the authoritative timeline. Wiz and CrowdStrike provide the malware analysis. Microsoft Security maps detection rules to Defender for Cloud and Sentinel.
Why pinning by tag is the bug
Every quickstart guide for trivy-action tells you to write uses: aquasecurity/trivy-action@<tag>. That string resolves to a Git tag at runtime. Tags are mutable. A repo owner, or anyone with a write token, can force-push a tag to point at a different commit. GitHub Actions follows the new pointer without warning.
Commit SHAs are immutable. uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 survives a tag rewrite, because the SHA is the content. GitHub’s own security hardening guide has recommended SHA pinning since 2020. Almost no one does it, because tags are easier to read and the supply-chain risk felt theoretical. It is no longer theoretical.
There’s a second-order lesson here: rotating a leaked credential is not the same as ensuring no copies remain. Aqua’s first rotation on March 1 missed at least one valid token, which is how TeamPCP held access through to the March 19 push. The fix isn’t “rotate faster.” The fix is treating every secret in your CI pipeline as having a maximum lifetime and an audit trail, so you can prove which credentials are actually current at any point.
What this means for you
If your CI ran aquasecurity/trivy-action between March 19 and Aqua’s takedown, treat every secret that runner had access to as compromised. That means rotating all GitHub PATs, deploy keys, AWS/GCP/Azure creds, Docker registry tokens, and any Kubernetes service-account tokens the workflow could see. If your runner had network access to internal services, audit those too. Then go pin every third-party action in every repo to a full commit SHA. Yes, it’s tedious. Renovate and Dependabot both support pinning to SHAs with a tag comment, so the diff stays readable on review. Do this once and you’re immune to the next force-push attack, which the GPT-5.4-Cyber crowd already expects to follow. The Trivy team did not get sloppy. They got targeted, and the standard practice every shop teaches its juniors made them the distribution channel.
Sources
- Update: Ongoing Investigation and Continued Remediation — Aqua Security
- Trivy Compromised by TeamPCP — Wiz
- From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise — CrowdStrike
- Detecting, investigating, and defending against the Trivy supply chain compromise — Microsoft Security