DigiNews

Tech Watch by Johan Denoyer


Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

Quality: 9/10 Relevance: 9/10

Summary

Socket reports a supply chain attack in which attackers force-updated 75 of 76 version tags of aquasecurity/trivy-action to point at malicious commits carrying an infostealer payload. The campaign exposed CI/CD secrets across affected pipelines; exfiltration went to a typosquat domain, with a resilient fallback that used the victim's own GitHub token. The post details the attack lifecycle, IOCs, and remediation guidance, and attributes the campaign to TeamPCP Cloud Stealer.
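A defender's check for the tag-mutability problem described above, added here as an example and not part of the original post or of Socket's or Aqua's tooling: it reads the `uses:` entries of a constructed workflow file and flags any action pinned to a tag or branch rather than a full commit SHA, since a moved tag cannot redirect a SHA-pinned reference. The action names, tag and SHA in the sample are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the original page): one step references
# the action by a mutable tag, one by a placeholder 40-hex commit SHA.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy (tag pinned, mutable)
        uses: aquasecurity/trivy-action@0.28.0
      - name: Trivy (SHA pinned, immutable)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Return (line_no, ref, status) for every `uses:` entry.
    status is 'sha' for a full 40-hex commit pin, 'mutable' for a tag, branch
    or missing ref (default branch), and 'skip' for local paths and docker://
    images, which GitHub tag moves do not affect."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            findings.append((n, ref, "skip"))
            continue
        _repo, _, version = ref.partition("@")
        findings.append((n, ref, "sha" if SHA40_RE.match(version) else "mutable"))
    return findings

def mutable_refs(workflow_text, repos=None):
    """Mutable references, optionally limited to a set of owner/repo names."""
    return [(n, ref) for n, ref, status in audit_uses(workflow_text)
            if status == "mutable" and (repos is None or ref.split("@", 1)[0] in repos)]

if __name__ == "__main__":
    for n, ref in mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is pinned to a mutable ref; pin it to a commit SHA")
```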

🚀 Service built by Johan Denoyer