The Trivy vulnerability scanner breach, orchestrated by the threat actor TeamPCP, has exposed a sophisticated supply-chain attack strategy. This incident, detailed in a comprehensive report by Socket and later confirmed by Aqua Security, highlights the dangers of compromised credentials and the potential for widespread data exfiltration. The attack's impact extends beyond Trivy, as researchers have linked TeamPCP to a follow-up campaign involving a self-propagating worm named CanisterWorm, which targets npm packages. This multi-layered attack underscores the evolving nature of cyber threats and the need for robust security measures.
The Trivy breach began with a backdoored release of version 0.69.4, which was published to GitHub and contained malicious container images. Threat actors exploited a compromised credential with write access to the repository, allowing them to publish malicious releases and force-push tags to redirect users to malicious commits. The attackers replaced the entrypoint.sh in GitHub Actions with a malicious version that acted as an infostealer across the main scanner and related GitHub Actions. This infostealer collected a vast array of sensitive data, including reconnaissance data, SSH keys, cloud and infrastructure configurations, environment files, database credentials, CI/CD configurations, TLS private keys, VPN configurations, webhooks, system files, cryptocurrency wallets, and more.
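Because the attackers force-pushed tags to point at malicious commits, a workflow that references an action by tag or branch follows the move, while a reference pinned to a full commit SHA does not. The audit below is an added example, not code from Socket, Aqua Security or the Trivy project; it flags `uses:` references that are not pinned to a full commit SHA, and the workflow text, action names and SHA in it are constructed placeholders.

```python
import re

# Full 40-hex commit SHA: the only ref form a force-pushed tag cannot redirect.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref`, optionally quoted, as a key or list item.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")


def audit_workflow(text):
    """Return (line_no, reference, reason) for each mutable `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES.match(line)
        if not match:
            continue  # not a uses: line (commented-out lines start with '#')
        ref = match.group(1)
        # Local actions and docker images are resolved differently; out of scope here.
        if ref.startswith(("./", "docker://")):
            continue
        _action, sep, version = ref.partition("@")
        if not sep:
            findings.append((line_no, ref, "no ref given"))
        elif not FULL_SHA.match(version):
            findings.append((line_no, ref, "tag or branch, movable by force-push"))
    return findings


# Constructed sample workflow; action names, tags and the SHA are placeholders.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - name: image scan
        uses: example-org/scanner-action@0.1.0  # tag
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-step
      - uses: docker://example.invalid/tool:latest
      # - uses: example-org/commented-out@main
      - uses: "example-org/setup-action@main"
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```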
The malware's persistence on compromised devices was achieved through the creation of a Python payload at ~/.config/systemd/user/sysmon.py, registered as a systemd service. This payload checked a remote server for additional payloads, providing the threat actor with persistent access. The attack is linked to TeamPCP, a documented cloud-native threat actor known for exploiting misconfigured systems. The breach also involved the deletion of Aqua Security's initial disclosure of the earlier March incident, further obscuring the timeline and scope of the attack.
CanisterWorm, a follow-up to the Trivy breach, targets npm packages and uses stolen npm tokens to publish malicious updates. It employs a decentralized command-and-control mechanism using Internet Computer (ICP) canisters, making it resilient to takedown attempts. The worm's ability to harvest npm authentication tokens from configuration files and environment variables enables it to spread across developer environments and CI/CD pipelines. While some secondary payload infrastructure was inactive or configured with harmless content at the time of analysis, the researchers caution that this could change at any time.
The Red Report 2026 highlights a concerning trend in malware sophistication. New threats use mathematical techniques to detect sandboxes and hide in plain sight, making them even more challenging to detect and mitigate. As malware evolves, security measures must adapt to stay ahead of these threats. The Trivy breach serves as a stark reminder of the importance of secure supply chains, robust credential management, and the need for continuous vigilance in the face of evolving cyber threats.