1K+ cloud environments infected following Trivy supply chain attack
Summary
Researchers say a supply-chain compromise of the open-source Trivy scanner has led to over 1,000 cloud and SaaS environments being infected with secret-stealing malware. The group known as TeamPCP abused a stolen GitHub Actions token to push malicious Trivy releases and container images, and also trojanised related components (trivy-action, setup-trivy). The attack has spread laterally — hitting tools such as liteLLM and even the npm ecosystem with a worm dubbed CanisterWorm — and the criminals appear to be collaborating with high-profile extortion groups including Lapsus$.
Socket, Wiz, Google-owned researchers and others reported force-pushed malicious tags, defacement of Aqua Security repositories, malicious Docker Hub images and evidence that hundreds or thousands more downstream victims could be affected as attackers continue to target popular open source projects.
Key Points
- TeamPCP compromised Trivy (version 0.69.4) by exploiting a misconfigured GitHub Action and a stolen privileged token.
- Malicious container images and GitHub releases were published; trivy-action and setup-trivy components were trojanised and many tags force-pushed to malicious versions.
- Over 1,000 impacted SaaS/cloud environments have been identified; researchers warn the number could expand into thousands more.
- Attackers have broadened the campaign to other projects — notably liteLLM (present in ~36% of cloud environments) — creating a snowball effect across the ecosystem.
- The campaign includes lateral moves into npm (CanisterWorm) and Docker Hub, plus defacement of Aqua Security’s internal repos, indicating deep access.
- Researchers report collaboration between supply-chain attackers and extortion groups such as Lapsus$, increasing risk of loud, aggressive extortion incidents.
- Organisations that embed Trivy in CI/CD pipelines are at particular risk because the scanner runs with access to secrets and tokens used in builds and deployments.
Why should I read this?
If you touch CI/CD, containers or cloud infrastructure — stop scrolling. This is the kind of supply-chain mess that can quietly hand out your API keys, tokens and creds to criminals and then blow up into noisy extortion. Read the highlights here so you can check pipelines, rotate tokens and shut down the obvious attack paths fast.
Author style
This is not a niche bug; it's a systemic, expanding campaign. If your organisation relies on open-source scanners or AI middleware in pipelines, the details matter. Read on and act; the attackers are moving quickly and collaborating with other high-profile threat groups.
Context and relevance
Supply-chain attacks have been escalating as attackers weaponise developer tooling and CI/CD to reach downstream victims at scale. This incident illustrates how a single compromised token or GitHub Action can cascade across ecosystems (pipelines, Docker Hub, npm) and amplify impact by trojanising widely used components like liteLLM.
Practical steps implied by the reporting: rotate and revoke tokens and credentials, audit CI/CD workflows for use of compromised actions, scan for indicators of compromise in build artefacts and container images, isolate affected projects, and monitor for extortion activity. The episode underlines the need for stricter supply-chain hygiene, tighter token permissions and proactive incident response playbooks.
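The workflow audit mentioned above, as an added example that is not from the article or from the Trivy project: it lists every reference to trivy-action or setup-trivy in a GitHub Actions workflow and marks whether it is pinned to a full commit SHA or to a tag or branch, the kind of reference a force-pushed tag can silently repoint. The `aquasecurity/` owner prefix, the function name and the sample workflow are assumptions made for this example.

```python
import re

# Components the article names as trojanised. The "aquasecurity/" owner
# prefix is an assumption; the article gives only the short names.
WATCHED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, watched=WATCHED):
    """Return (line_no, action, ref, verdict) for each watched `uses:` line.

    verdict is "sha-pinned" for a full 40-hex commit SHA and "mutable-ref"
    for anything else (tag, branch, short SHA), since those can be moved.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, _, ref = m.group(1).partition("@")
        # An action may point at a subdirectory: owner/repo/path@ref
        action = "/".join(target.split("/")[:2]).lower()
        if action not in watched:
            continue
        pinned = bool(FULL_SHA_RE.match(ref.lower()))
        findings.append((line_no, action, ref,
                         "sha-pinned" if pinned else "mutable-ref"))
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v1
      - name: scan image
        uses: AquaSecurity/trivy-action@master  # branch ref
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

A `sha-pinned` result only means the reference cannot be moved; the pinned commit itself still has to be confirmed as a known-good one.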
Source
https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/
