aquasecurity/trivy-action and setup-trivy tags — turning a widely used vulnerability scanner into a credential stealer.
TeamPCP force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in setup-trivy to malicious commits. The injected entrypoint.sh harvested CI secrets from runner memory via /proc/<pid>/mem reads, encrypted the haul with AES-256 + RSA-4096, and exfiltrated it as tpcp.tar.gz to scan.aquasecurtiy[.]org. Those stolen credentials were later used to pivot into other vendors, including Checkmarx, as documented in our KICS field note. Aqua Security published remediation guidance, Microsoft issued detection guidance for the Trivy-specific wave, and the broader consensus held that mutable tags plus blind trust in “security” actions created a high-blast-radius supply chain event.
What Garnet observed
Method: Instrumented replay of the compromised Trivy action (TeamPCP Attack Replay (Garnet Instrumented)) in jadoonf/trivy-threat-research, reproducing the same /proc/*/mem scrape, encoding, and egress tradecraft TeamPCP used across tags.
The attack chain
Execution lineage
Run 23612133106 · jadoonf/trivy-threat-research
TeamPCP Attack Replay (Garnet Instrumented)
The public run profile shows the full tree: bash → entrypoint.sh → trivy reaches check.trivy.dev (normal scanner traffic) in the same job in which bash → bash → curl exfiltrates to scan.aquasecurtiy[.]org (typosquat C2). python3.12 reaches Internet Computer boundary and canister endpoints (*.icp0.io) from the broader TeamPCP campaign, and runner node traffic to Azure Blob and GitHub Actions sits beside those flows. Garnet correlates the lineage with behavioral signals: interpreter shell spawns, procfs-backed code modification, hidden ELF execution, exec from unusual paths, and data-encoding stages. Together these are the stealer fingerprint, present while the scan still exits clean.
Real-world impact
Any workflow that resolved a mutable Trivy tag during the compromise window pulled attacker-controlled code. Stolen tokens enabled follow-on compromises across the ecosystem.
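To find workflows exposed to this class of tag rewrite, the following added example (not Garnet's or Aqua Security's code) audits workflow YAML for `uses:` references that are not pinned to a full 40-character commit SHA. The function name, the severity labels, and the sample workflow are assumptions constructed for illustration.

```python
import re

# Actions named on this page; other tag-pinned actions are reported for review.
COMPROMISED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, repo, ref, severity) for each `uses:` not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions and container images are not git refs; out of scope here.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: a force-pushed tag cannot change what runs
        # owner/repo/subdir@ref -> owner/repo
        repo = "/".join(action.split("/")[:2]).lower()
        severity = "high" if repo in COMPROMISED else "review"
        findings.append((line_no, repo, ref, severity))
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0   # mutable tag
      - name: Scan
        uses: "aquasecurity/trivy-action@master"
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for line_no, repo, ref, severity in audit_workflow(SAMPLE):
        print(f"line {line_no}: {repo}@{ref} [{severity}]")
```

This reads only the workflow file itself: an action pinned by SHA can still reference other actions by tag internally, so those need the same audit.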