Unidentified threat actors have successfully compromised the GitHub repository for “all-in-one” security scanner Trivy, pushing to downstream users a malicious update that can deploy an infostealer.
The attackers gained access to Aqua Security’s GitHub repository and inserted the malicious code into aquasecurity/trivy-action before altering the version tags.
Organisations deploying the code into their workflows would see it appear to run normally, while in the background, the code pulled malicious Golang files from an attacker-controlled domain with a lookalike name, scan[.]aquasecurtiy[.]org.
Community threat database OpenSourceMalware has an outline of the malware’s capabilities.
“The malware is described by the threat actor as ‘TeamPCP Cloud stealer’,” OpenSourceMalware said.
“The malware attempts to pull a secondary payload from scan.aquasecurtiy.org, and if that fails, it polls https://tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io for additional payloads.”
The malware is capable of harvesting credentials, exfiltrating them, and maintaining persistence for continuous execution.
Cory Michal, CISO of SaaS security firm AppOmni, said the incident – the second compromise this month – “poses a meaningful industry-wide risk because Trivy is a broadly trusted security scanner embedded in many CI/CD workflows”.
The main Trivy project has around 32,000 GitHub stars, while the specifically impacted trivy-action repo has about 1,300 stars. According to Michal, the compromise could “potentially impact many downstream organisations at once”.
“The attack method is especially important. Rather than targeting victims individually, the attackers compromised the organisation behind a major supply-chain component and used its GitHub repository and mutable version tags to distribute malicious code at scale, which reflects a broader and increasingly common pattern of going after trusted software supply-chain platforms and maintainers in order to reach many customers through one upstream compromise,” Michal said.
“Compared with other supply chain attacks, this one stands out less for novel malware and more for the fact that it represents a second compromise affecting Aqua Security’s Trivy ecosystem in roughly a month, which raises concern about repeated attacker access or incomplete containment.
“That makes this incident especially serious because repeated compromises of the same vendor in a short period suggest a persistent weakness even if the overall blast radius may be smaller than the very largest ecosystem-wide attacks.”
Michal said the incident represents a wider concern across the industry – the habit of many organisations of allowing build systems and developers to pull third-party code and its dependencies into production workflows without proper review.
“That creates a situation where a compromise of one widely used upstream project can quickly spread into many downstream environments, even when nothing appears broken,” Michal said.
“The broader lesson is that convenience and speed in modern software delivery have outpaced governance, and organisations need stronger controls around what external code they allow, how it is approved, how it is pinned, and how changes are monitored before that code is trusted inside production or SaaS-connected environments.”
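The pinning control Michal refers to can be checked mechanically. The following is an added example, not code from the article, Aqua Security or AppOmni: it audits GitHub Actions workflow text for `uses:` references that rely on a mutable tag or branch instead of a full 40-character commit SHA. The function name, the sample workflow, the `example-org` action, the `vX.Y.Z` tag and the SHA are constructed placeholders.

```python
import re

# A step's action reference: "uses: owner/repo[/path]@ref" (commented-out lines do not match)
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, watchlist=("aquasecurity/trivy-action",)):
    """Return one finding per action reference not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue  # immutable: moving a tag upstream cannot change what runs
        name = action.lower()
        findings.append({
            "line": lineno,
            "action": action,
            "ref": version,  # tag or branch name; empty if no ref was given
            "watchlisted": any(name == w or name.startswith(w + "/") for w in watchlist),
        })
    return findings

# Constructed sample workflow; the SHA and the tag are placeholders, not real refs.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Scan image
        uses: aquasecurity/trivy-action@vX.Y.Z
      - uses: ./.github/actions/local-step
      # - uses: example-org/disabled-action@main
      - uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        flag = " [watchlisted]" if f["watchlisted"] else ""
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not SHA-pinned{flag}")
```

A SHA pin only stops a moved tag from changing what runs; the pinned commit still has to be reviewed before it is trusted.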
David Hollingworth