Trivy Supply Chain Attack Steals CI/CD Credentials

Supply chain attacks targeting developer tools are becoming one of the most dangerous threats in modern DevSecOps environments. A recent Trivy supply chain attack has compromised CI/CD pipelines globally by injecting malicious code into the widely used GitHub Action.

The attackers poisoned 75 version tags of the Trivy GitHub Action, turning trusted references into a distribution channel for an infostealer malware. With over 10,000 GitHub workflows depending on this action, the potential credential theft impact is massive.

For security engineers, DevOps teams, and cloud administrators, this incident highlights a critical risk: trusted dependencies can become attack vectors overnight.

In this article, you’ll learn:

How the Trivy attack worked
What secrets were targeted
Real-world impact on CI/CD pipelines
Detection and mitigation strategies
Best practices for supply chain security

What Is the Trivy Supply Chain Attack?

The Trivy supply chain attack is a compromise of the official Trivy GitHub Action that injected malicious code into existing version tags.

Key Facts

75 version tags compromised
10,000+ workflows potentially affected
Attack type: Tag poisoning
Payload: Credential-stealing infostealer
Only safe version: @0.35.0

Why This Is Critical

CI/CD pipelines often run with:

Elevated permissions
Cloud credentials
Deployment secrets

Key takeaway: Compromising CI/CD actions can expose entire cloud environments.

Mechanics of the Tag Poisoning Attack

Instead of creating a new release, attackers:

Used residual write access
Force-pushed existing version tags
Redirected tags to malicious commits
Injected infected script into entrypoint

Why This Is Dangerous

Existing version tags appear trusted
No new release notification triggered
Automated security checks bypassed

This allowed malicious code to spread silently.

How the Malicious Script Works

The injected entrypoint.sh performs malicious activity before running the legitimate scan.

Three-Stage Attack

Stage 1: Data Collection

The malware targets:

SSH keys
Cloud credentials
CI/CD configuration files
Environment variables
Cryptocurrency wallets

On GitHub-hosted runners:

Uses passwordless sudo
Dumps process memory
Extracts secrets

On self-hosted runners:

Python script scans filesystem
Collects sensitive files

Targeted Sensitive Data

Category	Examples
SSH Keys	id_rsa, authorized_keys
Cloud Credentials	AWS_, AZURE_, gcloud configs
CI/CD Secrets	terraform.tfstate, Docker configs
Environment Files	.env, .env.production
Crypto Wallets	wallet.dat, validator-keypair.json

Stage 2: Encryption

Stolen data is:

Compressed
Encrypted using AES-256-CBC
Wrapped with RSA-4096 key

This prevents detection and analysis.

Stage 3: Data Exfiltration

Primary method:

HTTPS POST to typosquatted domain

Fallback method:

Creates public GitHub repository
Uploads stolen data as release asset

This redundancy ensures data theft even if outbound traffic is blocked.

Attribution and Threat Actor

The malware identifies itself as:

TeamPCP Cloud Stealer

Security researchers associate TeamPCP with:

Cloud exploitation
Cryptomining
Ransomware operations

Real-World Risk Scenarios

Scenario 1: Cloud Credential Exposure

CI pipeline runs compromised action
AWS keys extracted
Attacker deploys malicious infrastructure

Scenario 2: Repository Access Theft

Git credentials stolen
Source code exfiltrated
Backdoor injected into builds

Scenario 3: Infrastructure Compromise

Terraform state files stolen
Attacker modifies deployments
Production systems affected

Detection Indicators

Look for:

Use of Trivy tags below 0.35.0
Unexpected outbound HTTPS requests
Unknown GitHub repositories named tpcp-docs
Suspicious CI runner activity

Immediate Mitigation Steps

1. Stop Using Compromised Tags

Only safe version:

@0.35.0

2. Pin to Safe Commit SHA

Use:

57a97c7e7821a5776cebc9bb87c984fa69cba8f1

3. Rotate All Secrets

Rotate:

Cloud credentials
API keys
SSH keys
CI/CD tokens

4. Audit GitHub Organizations

Check for:

Unauthorized repositories
Suspicious releases
Unknown access tokens

Incident Response Checklist

Identify affected workflows
Revoke compromised credentials
Rotate secrets immediately
Audit pipeline logs
Rebuild runners from clean images

Best Practices for Supply Chain Security

1. Pin Dependencies to Commit SHA

Avoid version tags in CI/CD workflows.

2. Implement Least Privilege

Limit CI runner permissions.

3. Use Secret Scanning

Monitor for credential exposure.

4. Enable Dependency Monitoring

Track changes in third-party actions.

5. Monitor Outbound Traffic

Detect suspicious exfiltration attempts.

Framework Mapping

NIST Cybersecurity Framework

Function	Application
Identify	Track CI dependencies
Protect	Pin commit SHAs
Detect	Monitor runner activity
Respond	Rotate credentials
Recover	Rebuild pipelines

MITRE ATT&CK Mapping

T1195 – Supply chain compromise
T1552 – Unsecured credentials
T1041 – Exfiltration over HTTPS

Expert Insight

This incident demonstrates:

Version tags are not immutable security boundaries.

Security teams should:

Treat CI dependencies as untrusted
Continuously verify integrity
Enforce commit pinning

FAQs

1. What is the Trivy supply chain attack?

It is a compromise of Trivy GitHub Action tags that injected credential-stealing malware.

2. How many workflows are affected?

Over 10,000 GitHub workflow files.

3. Which version is safe?

Only version @0.35.0 is confirmed safe.

4. What data is targeted?

Cloud credentials, SSH keys, environment files, and CI secrets.

5. How should organizations respond?

Rotate all secrets and pin to safe commit SHA.

6. Is this attack still active?

Organizations should assume compromise if affected tags were used.

Conclusion

The Trivy supply chain attack highlights the growing risk of CI/CD dependency compromise. By poisoning version tags, attackers turned trusted automation into a credential harvesting tool.

Organizations must:

Pin dependencies
Rotate secrets
Monitor pipelines
Harden CI/CD environments

Final takeaway: Supply chain security is now a core pillar of cloud and DevOps defense.