
Trivy Supply Chain Attack Explained: How a Security Scanner Became a Weapon

The Trivy supply chain attack in March 2026 compromised one of the most trusted open-source security scanners, cascading through GitHub Actions, Docker Hub, and downstream projects including Checkmarx KICS and LiteLLM. Here is the full timeline, what was affected, and how to respond.

Aqua Security’s Trivy is one of the most widely used open-source vulnerability scanners in the world. It runs inside CI/CD pipelines at thousands of organizations, scanning containers, filesystems, and infrastructure-as-code for security issues. On March 19, 2026, a threat actor tracked as TeamPCP turned that trust into a weapon.

The attack, tracked as CVE-2026-33634 (CVSS 9.4), compromised the Trivy binary, hijacked GitHub Actions tags, poisoned Docker Hub images, and cascaded downstream into Checkmarx KICS and LiteLLM. Over 1,000 cloud environments were confirmed infected, with projections that the number could grow significantly. This is the most consequential open-source supply chain attack since the XZ Utils backdoor in 2024.

Full timeline

Understanding this attack requires seeing how one incomplete credential rotation cascaded across five package ecosystems in under a month.

Late February 2026: Attackers exploited a misconfiguration in Trivy’s GitHub Actions environment, extracting a privileged access token. This gave them a foothold into repository automation and release processes. Aqua Security’s incident report confirmed this as the initial access vector.

March 1, 2026: The Trivy team disclosed the earlier incident and executed credential rotation. However, according to StepSecurity’s analysis, the rotation was not fully comprehensive. The threat actor retained residual access via still-valid credentials.

March 19, 2026 (~17:43 UTC): TeamPCP escalated. They force-pushed 76 of 77 version tags in the aquasecurity/trivy-action repository and all 7 tags in aquasecurity/setup-trivy, redirecting trusted references to malicious commits. Simultaneously, the compromised aqua-bot service account triggered release automation to publish a malicious Trivy binary designated v0.69.4. The only trivy-action tag that survived was 0.35.0, protected by GitHub’s immutable releases feature.

March 19, 2026 (~20:38 UTC): The Trivy team identified and contained the attack, removing malicious artifacts from distribution channels. The active compromise window was approximately three hours.

March 20, 2026: Aqua Security published safe versions, user guidance, and indicators of compromise for defenders.

March 22, 2026 (20:31–20:32 UTC): In a scripted two-minute burst, malicious Docker Hub images were pushed as Trivy v0.69.5 and v0.69.6, with no corresponding GitHub releases. Both images contained the same TeamPCP infostealer and the typosquatted C2 domain.

March 23, 2026 (12:58–16:50 UTC): TeamPCP compromised the Checkmarx KICS GitHub Action using the same technique, deploying credential-stealing malware to users pinning to compromised tags.

March 24, 2026: The campaign reached LiteLLM, where malicious versions 1.82.7 and 1.82.8 were published to PyPI, likely using credentials harvested from LiteLLM’s CI/CD pipeline that used Trivy for security scanning. LiteLLM has over 95 million monthly downloads.

What was compromised

The blast radius spans multiple ecosystems:

| Component | Affected versions | Impact |
|---|---|---|
| trivy-action (GitHub Action) | 76 of 77 tags hijacked (0.35.0 safe) | Any CI workflow referencing a compromised tag ran the malware |
| setup-trivy (GitHub Action) | All 7 tags hijacked | Same credential-stealing payload |
| Trivy binary | v0.69.4 | Malicious release via compromised release automation |
| Trivy Docker Hub images | v0.69.4, v0.69.5, v0.69.6 | Last known clean image: v0.69.3 |
| Checkmarx KICS (GitHub Action) | Tags compromised March 23 | Credential stealer active for ~4 hours |
| LiteLLM (PyPI) | v1.82.7 and v1.82.8 | Credential harvester with .pth startup hook |

According to CrowdStrike’s analysis, 45 repositories were confirmed to have executed a compromised version of trivy-action or setup-trivy during the active window. The Register reported over 1,000 cloud environments were actively dealing with the threat actor.

What the malware does

The malicious payload is a multi-stage attack that Microsoft’s security blog and The Hacker News have documented in detail:

Stage 1 — Credential harvester. Scans the environment for SSH keys, Git credentials, AWS/GCP/Azure credentials, Kubernetes service account tokens, Docker configurations, .env files, database passwords, cryptocurrency wallets, Slack and Discord webhook URLs, and CI/CD secrets. Data is encrypted and exfiltrated via HTTP POST to the typosquatted C2 domain scan.aquasecurtiy[.]org. If exfiltration fails, the malware attempts to use a stolen GITHUB_TOKEN to create a repository called tpcp-docs and post the data there.

Stage 2 — Kubernetes lateral movement. Deploys privileged pods to every node in the cluster via DaemonSets. In specific environments, a destructive wiper component dubbed “kamikaze” mounts the host’s root filesystem, erases top-level content, and forces a reboot across all nodes including the control plane.

Stage 3 — Persistent backdoor. Installs a systemd service for persistence. A worm component spreads through harvested SSH keys and exposed Docker APIs.

Who is TeamPCP

TeamPCP is the threat actor attributed to this campaign by Arctic Wolf, Wiz, and Endor Labs. The group has publicly stated that “many of your favourite security tools and open-source projects will be targeted in the months to come,” suggesting this campaign is not over. The Kubernetes wiper component has been observed targeting Iranian infrastructure specifically, suggesting geopolitical motivation alongside the credential theft operation.

What should you do right now

If any environment ran trivy-action, setup-trivy, Trivy v0.69.4–v0.69.6, or LiteLLM v1.82.7–v1.82.8, treat it as a full compromise.

  1. Identify affected environments. Search CI/CD logs for any workflow that referenced aquasecurity/trivy-action or aquasecurity/setup-trivy during or after March 19. Check Docker images for Trivy versions 0.69.4, 0.69.5, or 0.69.6. Check Python environments for LiteLLM 1.82.7 or 1.82.8.

  2. Rotate all secrets immediately. Every credential accessible to an affected CI runner, container, or host should be considered exposed: AWS keys, GCP service accounts, Azure credentials, Kubernetes tokens, SSH keys, database passwords, API keys, .env variables, and webhook URLs.

  3. Pin GitHub Actions to commit SHAs. Stop referencing version tags. Use the full commit SHA instead (e.g., uses: aquasecurity/trivy-action@84f...). A SHA is immutable and cannot be moved by an attacker. GitHub’s documentation on action pinning covers this in detail.

  4. Audit for IOCs. Look for the C2 domain scan.aquasecurtiy[.]org in network logs, files named payload.enc or tpcp.tar.gz, references to the tpcp-docs repository, and unexpected systemd services on hosts.

  5. Rebuild affected images from clean bases. If any Docker image was built using a compromised Trivy version, rebuild it. The last known clean Trivy Docker image is v0.69.3.

  6. Harden CI/CD runner privileges. Limit secrets available to CI jobs. Use OIDC federation instead of long-lived cloud credentials in GitHub environments.
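
Steps 1, 3 and 4 as an added example (not code from Aqua Security, Trivy or the reports cited here): a Python check that classifies every uses: reference in a workflow as pinned to a full commit SHA or following a movable ref, and searches log lines for the indicators listed in step 4. The function names, sample workflow, sample log lines, the tag vX.Y.Z and the SHA are constructed placeholders.

```python
import re

# Action names and indicators are the ones this article lists.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
IOCS = ["scan.aquasecurtiy[.]org", "payload.enc", "tpcp.tar.gz", "tpcp-docs"]
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"#]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_no, action, ref, status) for each remote `uses:` reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # local actions (no @ref) and container images are out of scope
        action, ref = m.groups()
        # Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
        status = "pinned" if FULL_SHA_RE.fullmatch(ref) else "mutable"
        repo = "/".join(action.split("/")[:2]).lower()  # drop any sub-path
        if status == "mutable" and repo in AFFECTED:
            status = "mutable-affected"
        findings.append((no, action, ref, status))
    return findings

def find_iocs(lines):
    """Return (line_no, indicator) for each listed indicator found in log lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        norm = line.replace("[.]", ".").lower()  # accept defanged or plain text
        hits += [(no, i) for i in IOCS if i.replace("[.]", ".") in norm]
    return hits

# Constructed sample inputs; the tag and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@vX.Y.Z
  - name: scan
    uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_LOG = [
    "12:00:01 GET https://example.test/healthz 200",
    "17:51:09 POST https://scan.aquasecurtiy.org/ 200",
    "17:51:10 wrote /tmp/tpcp.tar.gz",
]

if __name__ == "__main__":
    for row in audit_workflow(SAMPLE_WORKFLOW) + find_iocs(SAMPLE_LOG):
        print(row)
```

A mutable-affected result means the workflow follows a movable tag or branch of one of the two hijacked actions; a pinned result says only that the reference cannot be moved, not that the commit it names is clean.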

Why a security scanner was the perfect target

This attack is significant not just for its scale but for what it reveals about supply chain trust models. Trivy is a security tool. Organizations deploy it specifically because they trust it to make their pipelines safer. That trust is what made it the perfect target:

  • Trivy runs with access to source code, container images, and infrastructure definitions
  • CI/CD pipelines often grant Trivy broad permissions to scan across environments
  • Security tools are among the last things organizations suspect when investigating a compromise
  • A compromised scanner can harvest credentials from every project it scans

The lesson is that your security tools are part of your attack surface. Dependency pinning, credential scoping, and runtime monitoring should apply to security tools with the same rigor as any other dependency.

Connection to the LiteLLM compromise

The LiteLLM supply chain attack that we covered yesterday is a direct downstream consequence of the Trivy compromise. LiteLLM used Trivy in its CI/CD security scanning workflow. When Trivy was compromised, TeamPCP harvested CI/CD credentials from LiteLLM’s pipeline, then used those credentials to publish malicious LiteLLM packages to PyPI. This cascading pattern — compromising a security tool to reach its users’ pipelines, then using those pipelines to compromise further downstream packages — represents a new level of sophistication in supply chain attacks.

Each attack yielded credentials that unlocked the next target: Trivy → Checkmarx KICS → LiteLLM → potentially more.
