Trivy vulnerability scanner backdoored with credential stealer in supply chain attack

Attackers look for development secrets: On GitHub Actions runners, the credential stealer reads the process memory to extract secrets and searches the filesystem for SSH keys, cloud provider credentials, Kubernetes tokens, Docker registry configurations, and cryptocurrency wallets. The stolen data is encrypted and sent to a typosquatted domain that mimics Aqua Security’s legitimate site. If this fails, the malware falls back to creating a public repository called “tpcp-docs” on the victim’s own GitHub account and uploading the encrypted data there. According to Wiz, the attack also installs a persistent Python dropper on developer machines that connects to an attacker-controlled server every five minutes in search of additional payloads to execute.

Stealthy tag manipulation technique bypasses detection: Instead of creating new releases, which would trigger notifications, the attackers force-pushed existing version tags to point to new malicious commits. Git tags are pointers that reference a specific commit by its fingerprint. By overwriting where those pointers lead, any workflow referencing the tag begins pulling the attacker’s code. To further avoid detection, the attackers cloned the original commit metadata such as author names, email addresses, timestamps, and messages, making the malicious commits appear identical to the legitimate ones they replaced. The forgery left subtle traces such as missing cryptographic signatures and inconsistent timestamp relationships. The same tag manipulation technique was used in the compromise of the tj-actions/changed-files GitHub Action a year ago, which affected 23,000 repositories.

A lesson for victims: The initial Trivy compromise happened in late February when attackers exploited a misconfigured GitHub Actions workflow that had been present in the repository since October 2025. The workflow, triggered by external pull requests, ran with access to repository secrets, a dangerous pattern in GitHub Actions that has been documented before. The attackers stole a personal access token (PAT) with write permissions and used it to delete releases, rename the repository, and publish a malicious Visual Studio Code extension. The Trivy maintainers rotated their credentials, but it seems the process missed some of them. This failure, especially by a company that specializes in CI/CD security, should serve as a warning to organizations affected by this new attack, especially because the malware is designed to steal the same type of credentials that could enable supply chain compromises in their own pipelines.

A recurring pattern: The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions and developers in general. The tj-actions/changed-files compromise last year used the same tag manipulation approach and was later traced to an upstream compromise of the reviewdog/action-setup action. Other incidents in 2025 included the GhostAction campaign, which stole over 3,000 secrets from 327 GitHub users, and an attack on the nx npm package that exploited a vulnerable pull_request_target workflow. GitHub changed the default behavior of pull_request_target workflows in December 2025 to reduce the risk of exploitation, but the vulnerable workflow in the Trivy repository predated that change. Organizations using Trivy should pin GitHub Actions to the full commit SHA hashes rather than version tags to prevent tag manipulation attacks. The safe versions are Trivy v0.69.3, trivy-action tag 0.35.0, and setup-trivy 0.2.6. Security teams should also search their GitHub accounts for repositories named tpcp-docs, which would indicate successful fallback exfiltration, and block the command-and-control domain and its IP address at the network perimeter.
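
To check the pinning advice above against a repository, the following added example (not part of the original article or of any Trivy tooling) flags every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The sample workflow, its placeholder SHA, and the function names are constructed for illustration.

```python
import re

# Value of a `uses:` key on a step or reusable-workflow call, quotes and comments excluded.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Constructed sample workflow; the 40-character SHA is a made-up placeholder.
SAMPLE = """\
name: scan
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: aquasecurity/setup-trivy@0.2.6
      - name: Scan
        uses: aquasecurity/trivy-action@0.35.0
      # - uses: some/commented-out@v1
      - uses: ./.github/actions/local-step
"""

def classify(ref_spec):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one uses: value."""
    if ref_spec.startswith("./"):
        return "local"      # lives in the same repository and commit as the workflow
    if ref_spec.startswith("docker://"):
        return "docker"     # container image; digest pinning is a separate check
    _, sep, ref = ref_spec.partition("@")
    if sep and FULL_SHA_RE.match(ref):
        return "pinned"
    return "mutable"        # tag, branch, abbreviated SHA or missing ref

def audit_workflow(text, name="workflow.yml"):
    """List (file, line number, reference) for every reference a tag move could redirect."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue        # ignore commented-out steps
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((name, lineno, match.group(1)))
    return findings

if __name__ == "__main__":
    for path, lineno, ref in audit_workflow(SAMPLE):
        print(f"{path}:{lineno}: not pinned to a full commit SHA: {ref}")
```

Even a reference to a known-good tag such as 0.35.0 is reported, because a tag can be force-pushed to a different commit while a full SHA cannot.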

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4148317/trivy-vulnerability-scanner-backdoored-with-credential-stealer-in-supply-chain-attack.html
