Trivy GitHub Actions Breached: 75 Tags Hijacked to Steal CI/CD Secrets

By alex2404

Seventy-five version tags. That is how much of the Trivy GitHub Actions repository an attacker rewrote in a single operation — not by exploiting a software vulnerability, but by walking in with valid credentials.

According to a report from Socket security researcher Philipp Burckhardt, an attacker force-pushed 75 of 76 version tags in the aquasecurity/trivy-action repository, the official GitHub Action used to run Trivy vulnerability scans inside CI/CD pipelines. Seven tags in the companion aquasecurity/setup-trivy repository were rewritten the same way. Every modified tag pointed to commits carrying a Python-based infostealer designed to harvest developer secrets from the environments where those scans ran.

The targets were specific: SSH keys, cloud provider credentials, database credentials, Git and Docker configurations, Kubernetes tokens, and cryptocurrency wallets — whatever a modern CI/CD runner holds in memory or on disk.

The stealer worked in three stages. First, it harvested environment variables from both runner process memory and the file system. Then it encrypted the collected data. Then it sent everything to an attacker-controlled server registered as scan.aquasecurtiy[.]org — a deliberate misspelling of Aqua Security’s domain. If that exfiltration attempt failed, the malware pivoted to the victim’s own GitHub account, using a captured INPUT_GITHUB_PAT environment variable to stage the stolen data in a public repository named tpcp-docs.

A Second Breach Built on an Incomplete Fix

This was not the first time Aqua Security’s Trivy project was compromised. Toward the end of February and into early March 2026, an autonomous bot called hackerbot-claw exploited a pull_request_target workflow misconfiguration to steal a Personal Access Token, then used it to seize the repository, delete release versions, and push two malicious versions of a related VS Code extension to Open VSX. Itay Shakury, vice president of open source at Aqua Security, acknowledged in a statement that the latest incident stemmed directly from an incomplete response to that earlier attack. “We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens,” Shakury said. The company says it is now locking down all automated actions and every token to address the problem at its root.

Burckhardt was direct about the mechanism. “They had valid credentials with sufficient privileges to push code and rewrite tags,” he said. No Git exploit was needed. What remains unconfirmed, according to Burckhardt, is exactly which credential type — a maintainer PAT or an automation token — enabled the tag rewrites in this second incident.
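A version tag is a movable pointer, so a workflow that references either action by tag or branch runs whatever commit that name currently resolves to. The following is an added example, not code from the original article, Socket, or Aqua Security: a Python audit that finds `uses:` references to the two repositories named above and flags any that are not pinned to a full 40-character commit SHA. The sample workflow, its tag and branch names, and the SHA are constructed placeholders.

```python
import re

# Repositories the article names as having had tags rewritten.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# `uses: owner/repo[/subpath]@ref`, optionally quoted; commented-out lines never match.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@\s'"]*)?@([^\s'"#]+)""",
    re.IGNORECASE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, action, ref, pinned) for each reference to an affected action."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1).lower(), m.group(2)
        if action in AFFECTED:
            # Only a full-length commit SHA is immutable; tags and branches can be moved.
            pinned = bool(FULL_SHA_RE.match(ref.lower()))
            findings.append((line_no, action, ref, pinned))
    return findings

def mutable_refs(text):
    """Findings that a tag or branch rewrite could silently redirect."""
    return [f for f in audit_workflow(text) if not f[3]]

# Constructed sample workflow (placeholder refs, not real releases or commits).
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.0.0   # mutable tag
      - name: Scan
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # pinned
      # - uses: aquasecurity/trivy-action@master
      - uses: "aquasecurity/trivy-action@master"
"""

if __name__ == "__main__":
    for line_no, action, ref, pinned in audit_workflow(SAMPLE):
        print(f"line {line_no}: {action}@{ref} -> {'pinned' if pinned else 'MUTABLE REF'}")
```

A pinned SHA only helps if the commit it names was reviewed; a reference that was pinned after the tags were rewritten still needs its SHA checked against a known-good commit.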

A Threat Actor With a Pattern

Attribution remains unconfirmed, but the payload’s source code self-identifies as “TeamPCP Cloud stealer,” pointing toward a group also tracked as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce. Socket describes the group as a cloud-native cybercrime operation focused on breaching modern cloud infrastructure for data theft and extortion. The credential categories targeted in this payload align with the group’s documented focus on cloud-native environments.

The first public signal of the latest compromise came from security researcher Paul McCarty, who flagged a malicious release, version 0.69.4, published to the main Trivy repository. That version has since been removed. According to Wiz, it launched both the legitimate Trivy service and the malicious code simultaneously, so the scan appeared to function normally while the theft ran in the background.


This article is a curated summary based on third-party sources.
