{ "name": "Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets", "slug": "widespread-github-actions-tag-compromise-exposes-cicd-secrets", "description": "A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.", "published": "2026-03-20T08:51:35+00:00", "created_at": "2026-03-20T08:51:35+00:00", "modified_at": "2026-03-20T20:18:17+00:00", "created_at_opencti": "2026-03-20T08:51:35+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-03-20", "ci/cd", "credential-theft", "exfiltration", "github actions", "infostealer", "supply chain attack", "teampcp cloud stealer", "trivy", "typosquat" ], "related_entities": { "observables": [ { "id": "", "name": "https://scan.aquasecurtiy.org" }, { "id": "", "name": "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a" } ], "malware": [ { "id": "legacy:malware:7d0edde27b781280", "name": "TeamPCP Cloud stealer", "slug": "teampcp-cloud-stealer" } ], "intrusion_sets": [ { "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa", "name": "TeamPCP", "slug": "teampcp" } ], "attack_patterns": [ { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7", "name": "T1555" }, { "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9", "name": "T1552.001" }, { "id": "7a8bf945-8646-406e-a19b-103bef356b6a", "name": "T1552.003" }, { "id": "beaa4978-0309-438b-a45e-ec566b643811", "name": "T1505.003" }, { "id": "eb118bf2-fdf2-4b49-a470-0acabf7608ad", "name": "T1505" }, { "id": "9f21708c-24b6-46b5-bf7e-522256e8470c", "name": "T1552.004" }, { "id": "99571c5a-1615-4466-ab0e-f4d9e9219640", "name": "T1552.006" }, { "id": "29397576-b3af-4bac-8cab-de3c2ba4b9a0", "name": "T1552.005" }, { "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e", "name": "T1567.002" }, { "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40", "name": "T1574" }, { "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4", "name": "T1195.002" }, { "id": "2e0c6db7-16a7-4bf6-992e-263474014fce", "name": "T1059.004" }, { "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d", "name": "T1574.002" }, { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a", "name": "T1195" }, { "id": "3245033a-53c4-454c-873a-fb653af0bf8a", "name": "T1552" }, { "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2", "name": "T1567" }, { "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e", "name": "T1041" } ], "others": [ { "id": "", "name": "scan.aquasecurtiy.org" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/69bd18a7cc27dfdfaf6f56a4", "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise" ] }