
Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

Severity: Medium
Published: Wed Mar 25 2026 (03/25/2026, 04:25:05 UTC)
Source: AlienVault OTX General

Description

On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a sophisticated CI/CD supply chain attack. Threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting the core binary and GitHub Actions. The attack exploited mutable tags and commit identity spoofing on GitHub. The malware performed extensive credential harvesting, targeting cloud providers, Kubernetes secrets, and various application credentials. Microsoft Defender provides detection and investigation capabilities for this threat. Recommended mitigations include updating to safe versions, hardening CI/CD pipelines, enforcing least privilege, protecting secrets, and leveraging attack path analysis to reduce lateral movement risks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/25/2026, 10:31:07 UTC

Technical Analysis

The Trivy supply chain compromise represents a sophisticated attack targeting the software development lifecycle of a widely used open-source vulnerability scanner. On March 19, 2026, threat actors identified as TeamPCP successfully injected credential-stealing malware into official Trivy releases, affecting both the core binary distributed to users and the GitHub Actions workflows used in continuous integration and deployment (CI/CD) pipelines. The attackers exploited mutable tags and commit identity spoofing on GitHub, techniques that allowed them to masquerade malicious commits as legitimate and bypass typical code signing or verification mechanisms.

Once deployed, the malware focused on harvesting sensitive credentials, including those for cloud service providers, Kubernetes secrets, and various application-level credentials. This broad credential theft capability enables attackers to escalate privileges, move laterally within victim environments, and potentially compromise critical infrastructure. Microsoft Defender has developed detection and investigation tools to identify infections and suspicious activity related to this compromise. The attack underscores the risks inherent in supply chain attacks, especially those targeting CI/CD pipelines and open-source software dependencies.

Indicators of compromise include specific IP addresses (45.148.10.212 and 45.148.10.122) and domains (such as aquasecurtiy.org and checkmarx.zone) linked to the malware's command and control infrastructure. The attack leverages multiple MITRE ATT&CK techniques, including credential dumping (T1539), data from local system (T1005), process injection (T1567), and credential access via configuration stores (T1552). The absence of a CVE or patch links suggests ongoing investigation and remediation efforts.

Organizations using Trivy should prioritize updating to verified safe versions, harden their CI/CD pipelines against commit spoofing and mutable tag exploitation, enforce strict least privilege principles, and protect secrets using vaults or encryption. Additionally, leveraging attack path analysis can help identify and mitigate potential lateral movement within networks.

Potential Impact

This supply chain compromise has significant potential impacts on organizations worldwide that rely on Trivy for vulnerability scanning, particularly those with cloud-native environments and Kubernetes deployments. The injected malware's ability to steal a wide range of credentials can lead to unauthorized access to cloud accounts, container orchestration platforms, and application services, resulting in data breaches, service disruptions, and further malware deployment. The attack undermines trust in the software supply chain, potentially causing organizations to question the integrity of open-source tools critical to their security posture. Credential theft can facilitate lateral movement, privilege escalation, and long-term persistence within victim networks, increasing the difficulty of detection and remediation. The exploitation of mutable tags and commit spoofing highlights vulnerabilities in CI/CD pipeline security, potentially affecting many organizations that use GitHub Actions or similar automation tools. While no known widespread exploitation has been reported yet, the medium severity rating reflects the substantial risk posed by credential theft and supply chain compromise. Organizations failing to detect or mitigate this threat may face operational disruptions, regulatory penalties, reputational damage, and financial losses.

Mitigation Recommendations

1. Immediately update Trivy installations and GitHub Actions workflows to versions verified as safe by the maintainers or security advisories.
2. Harden CI/CD pipelines by enforcing immutability of tags and implementing strict verification of commit authorship and signatures to prevent commit identity spoofing.
3. Enforce least privilege access controls on all systems, especially CI/CD environments, to limit the impact of compromised credentials.
4. Protect secrets by using dedicated secret management solutions or vaults with strong access controls and encryption, avoiding embedding secrets directly in code or configuration files.
5. Implement continuous monitoring and detection using tools like Microsoft Defender to identify suspicious activities related to this compromise.
6. Conduct attack path analysis within the network to identify and mitigate potential lateral movement opportunities that could be exploited by attackers.
7. Regularly audit and rotate credentials, especially those related to cloud providers and Kubernetes clusters.
8. Educate development and DevOps teams on supply chain risks and secure coding and deployment practices.
9. Restrict network egress from build and deployment environments to known safe destinations to limit command and control communications.
10. Maintain incident response readiness to quickly investigate and remediate any signs of compromise.


Technical Details

Author: AlienVault
TLP: white
References: https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
Adversary: TeamPCP
Pulse ID: 69c363a17209fdf0cea99e8a
Threat Score: null

Indicators of Compromise

IP

45.148.10.212
45.148.10.122

Domain

aquasecurtiy.org
checkmarx.zone
plug-tab-protective-relay.trycloudflare.com
scan.aquasecurtiy.org
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io

Threat ID: 69c3b5e5f4197a8e3b411ea1

Added to database: 3/25/2026, 10:16:05 AM

Last enriched: 3/25/2026, 10:31:07 AM

Last updated: 3/26/2026, 5:28:59 AM
