Inside TeamPCP's Sophisticated Supply Chain Attack on Trivy

Ory Segal, Technical Evangelist at Cortex Cloud, Palo Alto Networks
Cybersecurity tool Trivy was compromised by TeamPCP attackers who harvested credentials, planted persistent backdoors and a self-propagating worm

On 19 March 2026, a major cybersecurity incident involving Aqua Security’s Trivy sent shockwaves across the industry.

Trivy, a popular open source vulnerability scanner, was hijacked in a multi-phase supply chain attack that targeted sensitive credentials within CI/CD pipelines, planted persistent backdoors and even started the spread of a self-propagating worm.

For context, CI, or Continuous Integration, refers to the automated building and testing of code, while CD, or Continuous Deployment/Delivery, automates the release of software into production.

“The Trivy supply chain compromise is a stark reminder that even ‘trusted’ security tools can become attack vectors,” says Faisal Hussain, Senior Cyber Security Advisor and Cyber Risk Management EMEA at Microsoft.

“Microsoft uncovered a sophisticated CI/CD attack where poisoned GitHub Actions and a malicious Trivy release silently stole cloud and Kubernetes secrets. 


“This is the new reality: pipelines are targets, tags are not trust and least‑privilege CI/CD is non‑negotiable. 

“If you haven’t already, pin your actions, rotate your secrets and update Trivy now.”

How the attack unfolded 

The root cause of the breach can be traced to three weeks before the incident, when a misconfiguration in Trivy’s GitHub Actions workflow was exploited by an automated bot called hackerbot-claw.

In this breach, a personal access token (PAT) was stolen by the bot. While Aqua Security discovered the breach and rotated the credentials, as Palo Alto Networks notes, “the rotation was not complete”.

This allowed attackers linked to the TeamPCP group – also known as DeadCatx3, PCPcat, ShellForce and CipherForce – to regain access weeks later.

From there the attack escalated rapidly. Malicious code was inserted into official repositories, while version tags were manipulated so that 75 out of 76 version tags pointed to malicious commits, which developers unknowingly executed.

The attackers then harvested sensitive data directly from memory – including SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, TLS private keys and cryptocurrency wallet files.  

This data was then encrypted and exfiltrated through deceptive domains and trusted platforms. As Ory Segal, Technical Evangelist at Cortex Cloud, Palo Alto Networks, notes on his LinkedIn: “Trusted security tooling became a credential-harvesting weapon, enabling a cascading breach across environments.

“We should also highlight that this Trivy supply chain attack appears to have been a root from which additional attacks are emerging in the last few days and we believe that we are not completely over this attack campaign.” 

Persistent backdoors and CanisterWorm

Perhaps most concerning was the deployment of a persistent backdoor on developer machines. 

Once installed, it enabled ongoing remote control using decentralised infrastructure that is difficult to detect or shut down.

As Palo Alto Networks notes: “When the malicious Trivy binary ran on a developer workstation, it deployed a system service (sysmon.py) that polled an Internet Computer (ICP) blockchain canister every 50 minutes for command-and-control instructions.

“This decentralised C2 infrastructure is resistant to takedown.”
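A fixed 50-minute poll leaves a regular pattern in egress logs even when the destination cannot be taken down. The following is an added detection sketch, not code from Palo Alto Networks or the article; the log format, hostnames, destinations, tolerance and minimum event count are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

POLL_SECONDS = 50 * 60  # polling interval reported for the sysmon.py service
TOLERANCE = 120         # assumed allowance for jitter, in seconds
MIN_EVENTS = 4          # assumed minimum number of requests before judging periodicity


def parse(line):
    """Parse 'ISO-timestamp host destination' from one constructed egress log line."""
    ts, host, dest = line.split()
    return datetime.fromisoformat(ts), host, dest


def find_beacons(lines):
    """Return sorted (host, dest) pairs whose request gaps cluster around POLL_SECONDS."""
    seen = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, host, dest = parse(line)
            seen[(host, dest)].append(ts)
    hits = []
    for key, stamps in seen.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        near = [g for g in gaps if abs(g - POLL_SECONDS) <= TOLERANCE]
        # Require both the typical gap and most individual gaps to match the interval.
        if abs(median(gaps) - POLL_SECONDS) <= TOLERANCE and len(near) >= 0.8 * len(gaps):
            hits.append(key)
    return sorted(hits)


# Constructed log lines; hostnames and destinations are placeholders, not indicators.
SAMPLE_LOG = """\
2026-03-20T08:00:05 dev-ws-01 c2-placeholder.example
2026-03-20T08:03:11 dev-ws-01 updates.example
2026-03-20T08:50:09 dev-ws-01 c2-placeholder.example
2026-03-20T09:10:42 dev-ws-01 updates.example
2026-03-20T09:40:02 dev-ws-01 c2-placeholder.example
2026-03-20T09:41:00 dev-ws-02 updates.example
2026-03-20T10:30:30 dev-ws-01 c2-placeholder.example
2026-03-20T11:20:07 dev-ws-01 c2-placeholder.example
2026-03-20T12:45:00 dev-ws-01 updates.example
2026-03-20T13:00:00 dev-ws-01 updates.example
""".splitlines()
```

A workstation that sleeps or goes offline breaks the rhythm, so a miss here does not clear a host; treat a hit as a lead to check the machine for the service itself.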

The stolen credentials were then used by the TeamPCP attackers to deploy a lethal CanisterWorm that compromised over 47 node package manager (npm) packages.

The npm Registry is used to distribute JavaScript libraries, allowing the breach to spread rapidly through developer environments and automation workflows.

“Later variants added token theft and malicious publishing in the post-install hook, making every developer or CI pipeline that installed an affected package an unwitting propagation vector,” according to research carried out by Palo Alto Networks.

“Twenty-eight packages were compromised in under 60 seconds.”

A new level of supply chain sophistication

The Trivy breach stands out, even amongst recent high-profile attacks such as SolarWinds and Codecov.

It combined multiple techniques including credential theft, tag poisoning, binary tampering and worm-like propagation into a single coordinated campaign.


This level of sophistication reflects a clear shift in attacker strategy. Rather than targeting individual organisations, threat actors are moving upstream to compromise shared tools and infrastructure. 

As Palo Alto Networks notes, these tools often run with elevated privileges and are rarely scrutinised at runtime, making them highly attractive targets.

“Given the volume of stolen credentials across likely thousands of downstream environments, expect an increase in breach disclosures, follow-on intrusions and extortion attempts in the coming weeks,” warns Brett Leatherman, FBI Assistant Director of the Cyber Division on his LinkedIn.

“TeamPCP is deliberately targeting security tools that run with elevated privileges by design. 

“Compromising them gives the attacker access to some of the most sensitive environments in the organisation, because security tools are typically granted broad access by design.”

For developers and security teams alike, the message is clear: trust alone is no longer enough.

Continuous monitoring, strong configuration practices and integrated security platforms are now essential to stay ahead of evolving threats.
