AI for Automation
2026-03-31
Tags: Trivy, supply-chain-attack, GitHub, cybersecurity, malware, CI/CD, DevSecOps, open-source-security

Trivy Supply Chain Attack: 33K-Star GitHub Scanner Hacked

Supply chain attack on Trivy: hackers injected malware into the 33K-star security scanner trusted by millions of CI/CD pipelines. Audit your workflows now.


In a targeted supply chain attack, on March 24, 2026, a hacking group called TeamPCP used stolen credentials to inject malicious code into Trivy — a vulnerability scanner (a tool that automatically checks software for known security holes) with 33,200 GitHub stars and millions of daily users worldwide. The attack converted one of the most trusted security tools in software development into a malware delivery vehicle, meaning every developer who ran a Trivy scan in the days surrounding that date may have unknowingly executed attacker-controlled code inside their own infrastructure.

Trivy supply chain attack — 33,200-star GitHub vulnerability scanner compromised by TeamPCP malware injection

The CI/CD Scanner That Became a Supply Chain Attack Vector

Trivy, maintained by Aqua Security, is the most widely adopted open-source security scanner for containers (self-contained software packages that bundle an app and all its dependencies) and code repositories. It integrates natively into CI/CD pipelines (automated workflows that build, test, and deploy code on every change) — which is precisely what made it an elite target. Compromise the scanner, and you compromise every automated workflow that trusts it.

TeamPCP first appeared on researchers' radar in December 2025, when it was documented by the security firm Flare. What distinguishes this group from typical criminal hackers is a two-part arsenal: their malware is self-propagating (it spreads automatically from one machine to the next without any further action from the attackers, like a biological virus in a network), and they have built a dedicated data wiper — software engineered to permanently destroy files — specifically targeting machines in Iran. That suggests state-level geopolitical objectives running alongside financial crimes like ransomware extortion and cryptocurrency theft.

How a Stolen Password Poisoned 33,200 Stars of Developer Trust

The attack was precise and fast. TeamPCP obtained stolen credentials (login details, likely acquired through a prior data breach or targeted phishing attack) for Aqua Security's GitHub account. With that access, they executed a forced git push — a command that overrides the safety locks (protections that prevent unauthorized rewrites of a repository's commit history) normally enforced by GitHub's default branch protection settings.

Here is exactly what was compromised:

  • 7 setup-trivy GitHub tags were poisoned with malicious dependencies (third-party code libraries that execute automatically when Trivy installs)
  • trivy-action — the official GitHub Action (a reusable automation script plugged directly into developer pipelines) — was also infected
  • Only 1 tag was successfully shielded from the forced-push attack by an additional safeguard
  • Trivy maintainer Itay Shakury confirmed the compromise publicly on March 20, 2026, four days before the full scope was understood

The attack has "wide-ranging consequences for developers and organizations," security analysts warned — because Trivy runs with elevated system permissions during scans, giving attacker-injected code deep access to every system it touched.

# WARNING: Affected Trivy versions contain malicious code
# Only use officially patched releases from Aqua Security

# Step 1: Check your current installed version
trivy --version

# Step 2: Update to the latest patched release
# Verify at: https://github.com/aquasecurity/trivy/releases
# Pin by digest (SHA hash), not by tag — tags can be overwritten

Supply Chain Attack Warning: Assume Your CI/CD Pipeline Is Compromised

Security researchers' advice after the Trivy incident was unambiguous: "Assume your pipelines are compromised." Supply-chain attacks (attacks targeting the developer tools that build software, rather than the software itself) exploit the deepest form of institutional trust. When an automated workflow runs Trivy, it does so without suspicion — and an attacker hidden inside Trivy inherits all of that trust instantly.

A compromised Trivy scan running inside a corporate pipeline could have enabled TeamPCP to:

  • Exfiltrate source code, API keys, and database passwords stored as environment variables (background configuration values invisible to end users)
  • Deploy ransomware (malware that encrypts every file on a system and demands cryptocurrency payment to restore access)
  • Install cryptominers (programs that secretly hijack server computing power to generate cryptocurrency for the attacker at the victim's expense)
  • Build distributed proxy networks (chains of compromised machines used to disguise attacker locations and stage future attacks)

Aqua Security Trivy supply chain attack — open-source vulnerability scanner exploited as CI/CD pipeline malware delivery vector

The worm's self-propagating design makes containment especially urgent. Once installed on a single machine, it autonomously scans for other cloud-hosted systems with weak configurations and spreads — no further attacker involvement required. Flare researchers found that TeamPCP had already built distributed proxy and scanning infrastructure for criminal operations well before the Trivy attack, indicating a methodical, long-running campaign rather than an opportunistic smash-and-grab.

Meanwhile: Broadcom Just Cut 99.3% of VMware's Partners

In a parallel development with equally stark ecosystem consequences, Broadcom's handling of the VMware partner network is now triggering a formal antitrust (anti-monopoly) investigation at the European Commission. Since acquiring VMware in February 2024, Broadcom slashed the cloud service provider (CSP) partner ecosystem from over 4,000 global partners to just 28 — a 99.3% reduction in under two years. The current breakdown:

  • 4,000+ VMware CSP partners globally before Broadcom's acquisition
  • 19 approved CSP partners remaining in the United States today
  • 9 approved CSP partners remaining in the United Kingdom today
  • 3,500 minimum processor cores now required to qualify as a CSP partner — a threshold that eliminated hundreds of smaller providers overnight
  • A trade association representing affected providers filed a formal antitrust complaint with the European Commission in March 2026

For organizations running VMware-based cloud infrastructure (virtualized servers, enterprise storage, and software-defined networking that powers most corporate data centers), this consolidation means dramatically fewer vendors, higher prices, and reduced negotiating power — at exactly the moment when supply-chain attacks are demonstrating how dangerous over-reliance on any single toolchain can be. The antitrust complaint argues Broadcom has erected insurmountable barriers for smaller cloud providers, effectively funneling VMware's global customer base into a 28-company oligopoly with no viable alternatives.

Your Immediate Trivy Incident Response Checklist

If you run any automated software build or deployment process — even for a personal project — the Trivy compromise warrants a response today. If you work at a company with engineering teams, flag this immediately to your security lead or DevOps engineers:

  • Identify which version of Trivy your workflows use and verify it against Aqua Security's official patched releases
  • Audit pipeline execution logs from March 20–24, 2026 for unexpected outbound network connections or anomalous file access patterns
  • Rotate all secrets — API keys, access tokens, database passwords — that may have been accessible to Trivy during the compromised window
  • Enable GitHub branch protection rules to block forced-push attacks on any repositories you maintain
  • Pin tool and dependency versions by SHA hash (a unique cryptographic fingerprint that cannot be silently overwritten, unlike version tags) rather than tag name alone
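
As an added example (not code from Aqua Security or from this article), the Python sketch below audits workflow text for action references pinned to a mutable tag or branch instead of a full 40-character commit SHA, and marks the Trivy actions named above. The sample workflow, its tags and its SHA are constructed, and the `aquasecurity/setup-trivy` repository path is assumed from the article's naming.

```python
import re

# Value of a step's `uses:` key, e.g. "uses: owner/repo/path@ref"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA only
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")     # container image digest
# Actions the article names as affected (repository paths are an assumption)
WATCHED = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")

def audit_workflow(text):
    """Return one finding per remote action or image reference in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):      # local action: lives in this repo
            continue
        action, _, ref = target.partition("@")
        if action.startswith("docker://"):
            pinned = bool(DIGEST_RE.match(ref))   # image:tag is mutable too
        else:
            pinned = bool(FULL_SHA_RE.match(ref)) # short SHAs and tags fail
        findings.append({
            "line": lineno, "action": action, "ref": ref, "pinned": pinned,
            "watched": action.lower().startswith(WATCHED),
        })
    return findings

def unpinned(findings):
    """References that a rewritten tag or branch could silently redirect."""
    return [f for f in findings if not f["pinned"]]

# Constructed sample workflow; tags and SHA are placeholders, not real releases.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v1
      - name: Scan
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in unpinned(audit_workflow(SAMPLE)):
        flag = " [Trivy action]" if f["watched"] else ""
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not SHA-pinned{flag}")
```

A reference that passes this check is still only as trustworthy as the commit it names, so compare the SHA against Aqua Security's official patched releases before pinning to it.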

The Trivy attack is the clearest possible reminder that in modern software development, security tools are the highest-value targets precisely because they run trusted and unchallenged. The best defense is a habit of verification — routinely confirming that the tools checking your code have not themselves been compromised. To learn how teams are using AI automation to detect anomalous pipeline behavior before it becomes a breach, explore our security automation guides — and action the Trivy audit today, before the next TeamPCP campaign finds your infrastructure first.
