The Trivy vulnerability scanner, a widely used open-source security tool, has been compromised in a sophisticated supply chain attack orchestrated by threat actors known as TeamPCP. The attackers infiltrated the project's infrastructure to distribute credential-stealing malware through official releases and GitHub Actions workflows.
The breach represents a significant threat to the cybersecurity community, as Trivy is extensively used by security professionals and organizations worldwide to scan container images, filesystems, and repositories for vulnerabilities. By compromising this trusted security tool, the attackers positioned themselves to target a broad range of victims who rely on Trivy for their security operations.
The attack leveraged GitHub Actions, GitHub's continuous integration and deployment platform, to automatically distribute the malicious payload through what appeared to be legitimate software updates. This technique allowed the threat actors to maintain persistence and reach victims through trusted distribution channels whose updates typically pass security controls without scrutiny.
Users of Trivy are advised to immediately verify the integrity of their installations and check for any unauthorized access or credential theft. The project maintainers are working to remediate the compromise and restore the security of the distribution channels. Organizations should review their systems for indicators of compromise and consider temporarily suspending use of affected versions until the breach is fully contained.