Microsoft Unveils New Guidance to Detect and Defend Against Trivy Supply Chain Attack
Aqua Security’s vulnerability scanner, Trivy, faced a sophisticated CI/CD supply chain compromise.
The threat actor, identified as TeamPCP, exploited prior incomplete remediation to inject credential-stealing malware into official releases.
This incident, tracked as CVE-2026-33634, weaponized a trusted security tool against the organizations relying on it to stay safe.
This visualizes the attack propagation timeline and workflow compromise. The TeamPCP campaign executed its strike by abusing standard Git design features, specifically mutable tags and self-declared commit identities.
The attackers force-pushed malicious commits to 76 of 77 version tags in the trivy-action repository and all seven tags in the setup-trivy repository.
Consequently, downstream CI/CD workflows executed attacker-controlled code without altering visible release metadata.
Simultaneously, an infected Trivy binary was published to official GitHub Releases and container registries.
To maintain stealth, the malware allowed the legitimate Trivy scan to complete successfully after exfiltrating data, masking the breach from operators.
The activity has expanded to other frameworks, including Checkmarx KICS and LiteLLM.
Malware Features and Exploitation
Upon execution in a GitHub Actions runner, the Python-based payload conducts process discovery to locate runner processes carrying secrets.
Key credential harvesting features include:
- Cloud Credentials: Targets AWS metadata endpoints, GCP service account keys, and Azure environment variables.
- Kubernetes Secrets: Enumerates and extracts mounted service-account files and cluster secrets.
- Application Tokens: Performs recursive filesystem searches for API keys in configuration files and developer webhooks.
- Infrastructure Access: Extracts WireGuard VPN configurations, SSH authentication logs, and connection strings for databases.
Stolen data is encrypted using an AES-256-CBC and RSA scheme, bundled into an archive, and exfiltrated to a typosquatted domain.
Mitigation and Defender Guidance
Microsoft Defender XDR provides comprehensive coverage across endpoints, identities, and cloud environments to detect this threat.
Defender can identify secret reconnaissance, malicious metadata access, and suspicious DNS queries directed at the TeamPCP command-and-control infrastructure.
Security teams can further assess potential blast radiuses using advanced hunting queries to track compromised installations and data exfiltration events.
To defend against this attack, update software to verified safe versions:
| Component | Safe Version | Compromised Version |
|---|---|---|
| Trivy binary | v0.69.2 – v0.69.3 | v0.69.4 |
| trivy-action | v0.35.0 | Mutated Tags |
| setup-trivy | v0.2.6 | Mutated Tags |
Additional preventative measures include:
- Pinning all third-party GitHub Actions to immutable commit SHAs rather than vulnerable version tags.
- Applying least privilege principles by minimizing the scope of
GITHUB_TOKENpermissions and avoiding unnecessary write access. - Eliminating implicit secret exposure by utilizing dedicated secret managers instead of static environment variables.
- Reducing lateral movement risks through continuous attack path analysis, enabling teams to proactively rotate credentials.