Over 1,000 organisations' cloud environments have been infected with credential-stealing malware following a compromise of Trivy, an open-source vulnerability scanner maintained by Aqua Security. The attack represents a cascading threat that extends far beyond the immediate victims, with security researchers warning the infection could expand rapidly across the software supply chain.
On 19 March 2026, threat actors compromised Trivy by injecting credential-stealing malware into official releases and GitHub Actions. The group behind the attack, known as TeamPCP, exploited what proved to be an incomplete security response to an earlier breach. In late February, the attackers had exploited a misconfiguration in Trivy's GitHub Actions environment to extract a privileged access token. When the Trivy team rotated credentials in response, the rotation was incomplete, and the threat actor retained access through credentials that were still valid.
The malware delivery mechanism was sophisticated and difficult to detect. Rather than creating new releases that would trigger alerts, 75 out of 76 trivy-action tags were force-pushed to malicious versions. The malicious versions of these Actions run a tool self-described as "TeamPCP Cloud stealer", which dumps process memory, harvests SSH, cloud, and Kubernetes secrets, encrypts the data using AES-256+RSA-4096, and exfiltrates it to a remote server.
The Cascading Threat
The supply chain attack has also trojanized LiteLLM, a critical piece of AI middleware present in 36 percent of all cloud environments. By moving horizontally across the ecosystem, attackers are creating a snowball effect. The threat actor has expanded operations to the npm ecosystem via a worm called CanisterWorm, leveraging publish tokens stolen in the initial Trivy compromise.
Security experts estimate that the 1,000-plus downstream victims could expand into another 500, another 1,000, or potentially another 10,000 organisations. The criminals behind the attack are primarily based in the US, UK, Canada and Western Europe, and are known for being exceptionally aggressive with their extortion.
Criminal Collaboration
The most concerning development is the coordination emerging between supply chain attackers and high-profile, extortion-focused cybercriminal groups like Lapsus$. This partnership creates a new risk profile for victims: the initial credential theft is followed by coordinated extortion campaigns that leverage the stolen access.
The attackers defaced all 44 internal repositories associated with Aqua Security's "aquasec-com" GitHub organization by renaming each of them with a "tpcp-docs-" prefix, setting all descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly. The newly compromised organization contains proprietary source code, including source code for Tracee, internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases.
What Organisations Should Do
Organisations should immediately identify any repositories or workflow runs that executed the compromised aquasecurity/trivy-action, review those runs for possible secret exposure, and rotate any credentials accessible to affected runners. They should also update workflows so that GitHub Actions are pinned to full commit SHAs rather than version tags, since GitHub treats SHAs as the safest immutable reference and this attack specifically abused mutable tags.
Teams should reduce runner privileges and limit the secrets available to CI/CD jobs so that if a trusted action is compromised, the downstream impact on SaaS apps, cloud accounts and administrative systems is contained.
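The identification and pinning steps above can be checked mechanically. The following is an added example, not code from Aqua Security or the original article: it scans a workflow file for action references, lists every use of aquasecurity/trivy-action for review, and flags any reference that is not pinned to a full 40-character commit SHA. The function name, finding labels and sample workflow are constructed for illustration.

```python
import re

# Constructed sample workflow; the tag vX.Y.Z and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@vX.Y.Z
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

# "uses: owner/repo[/path]@ref" in a step or a reusable-workflow call.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
AFFECTED = "aquasecurity/trivy-action"  # action named in the article


def audit_workflow(text):
    """Return (line_no, reference, finding) tuples for one workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        if reference.startswith(("./", "docker://")):
            continue  # local action or container image: no git ref to pin
        action, _, ref = reference.partition("@")
        if action.lower() == AFFECTED:
            # A pin does not help if the pinned commit is itself malicious,
            # so every use is listed for run-history review.
            findings.append((line_no, reference, "affected-action"))
        if not FULL_SHA_RE.fullmatch(ref.lower()):
            # Tags and branches can be moved to point at different code.
            findings.append((line_no, reference, "mutable-ref"))
    return findings


if __name__ == "__main__":
    for line_no, reference, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reference}: {finding}")
```

Run over every file under .github/workflows, each affected-action hit marks a workflow whose run history and runner-accessible secrets need review, and each mutable-ref hit marks a reference to re-pin.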
The Trivy incident underscores a fundamental vulnerability in modern software development. Rather than targeting victims individually, the attackers compromised the organisation behind a major supply-chain component and used its GitHub repository and mutable version tags to distribute malicious code at scale. This reflects a broader and increasingly common pattern: targeting trusted software supply-chain platforms and maintainers to reach many customers through one upstream compromise.