Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

On March 19, 2026, Trivy, Aqua Security’s widely used open-source vulnerability scanner, was reported to have been compromised in a sophisticated CI/CD-focused supply chain attack. Threat actors leveraged access from a prior incident that was not fully remediated to inject credential-stealing malware into official releases of Aqua Security’s widely adopted open-source vulnerability scanner, Trivy. The attack simultaneously compromised the core scanner binary, the trivy-action GitHub Action, and the setup-trivy GitHub Action, weaponizing trusted security tooling against the organizations relying on it.

The campaign, attributed to the threat actor identifying as TeamPCP, introduces several concerning techniques. This blog walks through the Trivy supply chain attack and explains how Microsoft Defender helps organizations detect, investigate, and respond to this incident.

This activity has since expanded to additional frameworks, including Checkmarx KICS and LiteLLM, with further details to be shared as the investigation continues.

Update (March 25): Microsoft Defender for Cloud has since observed the campaign expanding to Checkmarx KICS (March 23) and LiteLLM (March 24). The core attack chain remained similar: broad credential harvesting with a focus on cloud credentials, including AWS IAM, GCP service account keys, and Azure environment variables, alongside Kubernetes secret enumeration and database credential searches, all exfiltrated to an attacker-controlled domain as an encrypted `tpcp.tar.gz` archive. Each wave used a new C2 domain themed to the compromised project: `checkmarx[.]zone` for the Checkmarx attack and `models.litellm[.]cloud` for LiteLLM. Refer to the updated mitigation table below for affected versions. 

Analyzing the Trivy supply chain compromise

The activity on March 19 represents the execution phase of the campaign, where previously established access was used to weaponize trusted Trivy distribution channels:

• Poisoning GitHub Actions used in CI/CD pipelines: Using compromised credentials with tag write access, the attacker force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy, redirecting existing, trusted version references to malicious commits. This caused downstream workflows to execute attacker-controlled code without any visible change to release metadata.
• Publishing a malicious Trivy binary: In parallel, the attacker triggered release automation to publish an infected Trivy binary (v0.69.4) to official distribution channels, including GitHub Releases and container registries, exposing both CI/CD environments and developer machines to credential theft and persistence.
• Maintaining stealth and impact window: Both the compromised GitHub Actions and the malicious binary were designed to execute credential-harvesting logic in addition to the legitimate Trivy functionality, allowing workflows and scans to appear successful while secrets were exfiltrated.
• Attack containment by maintainers: Later that day, the Trivy team identified the compromise and removed malicious artifacts from distribution channels, ending the active propagation phase.

How Git’s design was abused in the attack

This attack exploited two aspects of how Git and GitHub operate by design: mutable tags and self-declared commit identity, turning expected platform behavior into an advantage for the attacker.

In Git, a tag is a label that maps to a specific commit in the repository’s history. By default, these references are not immutable – anyone with push access can reassign an existing tag to point to an entirely different commit. The attacker did exactly that, replacing the target commit behind 76 of 77 tags in trivy-action and all 7 in setup-trivy with commits containing malicious payloads. Every CI/CD pipeline that referenced these actions by tag name began running the attacker’s code on its next execution, with no visible change on GitHub to alert maintainers or consumers.

In addition, the threat actor spoofed the identity of the commit, similar to the persona impersonation tactics seen in the Shai-Hulud 2.0 campaign.

For GitHub specific guidance, learn more about strengthening your supply chain.

Exploitation details

Microsoft Defender for Cloud observed the full attack chain in compromised self-hosted GitHub Actions runners.

Upon execution, the entry point performed process discovery to locate runner processes (Runner.Worker, Runner.Listener), then inspected them to identify processes carrying secrets. A base64-encoded Python payload was then decoded and executed to handle the credential harvesting phase.

The Python stealer first fingerprinted the host (“hostname”, “whoami”, “uname -a”, “ip addr”) and dumped all environment variables (via “printenv”). It then conducted broad-spectrum credential harvesting that reveals the attacker’s interest in maximizing the value of each compromised runner:

• Cloud credentials: For each major cloud provider, the stealer combined environment variable extraction with deeper credential access attempts:
  • AWS: Harvested environment variables (“grep AWS_”), then queried both the ECS task metadata endpoint (169.254.170.2) and the EC2 instance metadata service (169.254.169.254) for IAM credentials.
  • GCP: Harvested environment variables (“grep -i google”, “grep -i gcloud”) and attempted to read the service account key file via $GOOGLE_APPLICATION_CREDENTIALS.
  • Azure: Harvested environment variables (“grep -i azure”).
• Kubernetes secrets: Enumeration and exfiltration of mounted service-account files (under “/run/secrets/kubernetes.io/serviceaccount/”), and an attempt to dump all cluster secrets with Kubernetes CLI (“kubectl get secrets –all-namespaces -o json”).
• CI/CD and application secrets: Reading the runner’s internal environment files, recursive filesystem searches for API keys and tokens in “.env”, “.json”, “.yml”, and “.yaml” files, and harvesting of Slack and Discord webhook URLs.
• Infrastructure and access: Extraction of WireGuard VPN configurations (“wg showconf all”), SSH authentication logs (“/var/log/auth.log”, “/var/log/secure”), and database connection strings (MySQL, PostgreSQL, MongoDB, Redis, Vault).
• Cryptocurrency: Searches for Solana wallet variables and RPC authentication credentials (rpcuser, rpcpassword).

The stolen data was then encrypted using a hybrid AES-256-CBC + RSA scheme and bundled into a tpcp.tar.gz archive, then exfiltrated via HTTP POST to the typosquatted domain scan.aquasecurtiy[.]org.

After exfiltration, the malware cleaned up all temporary files and launched the legitimate Trivy scan. The workflow completed successfully with expected output, masking the compromise from pipeline operators.

Detection and investigation

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Mitigation and protection guidance

The recent compromise affecting Trivy and related GitHub Actions highlights how attackers increasingly target CI/CD pipelines, trusted developer tooling and software supply chains. In this campaign, adversaries exploited insecure workflow configurations, abused trusted version tags and leveraged stolen credentials to distribute malicious artifacts and exfiltrate secrets.

Microsoft Defender recommends organizations to adopt the following preventative measures to reduce exposure to similar attacks.

Immediately update to safe versions: Ensure all workflows are running verified safe versions:

Harden CI/CD pipelines against supply chain attacks

Pin all third-party actions to immutable references:

• Pin GitHub Actions to commit SHA rather than version tags (e.g., @v1), as tags can be force-modified by attackers.  
• Regularly audit workflows for tag-based references; replace them with verified SHAs.  

Restrict action usage through policy controls:

• Use organization-level policies to allow only approved actions.  
• Block unverified or newly introduced external actions by default.
• Publish using immutable release to prevent attackers from replacing the commit behind released versions. 
• Review your CI/CD audit logs for unexpected updates to already released versions. 

Enforce least privilege and strong identity controls  

Minimize token and permission scope:

• Configure GITHUB_TOKEN and other credentials with minimum required permissions.  
• Avoid granting write permissions unless strictly necessary.  

Protect secrets and sensitive data in pipelines  

Eliminate implicit secret exposure:

• Avoid injecting secrets into environment variables when not required.  
• Store secrets in dedicated secret managers and retrieve them just-in-time.  

Disable credential persistence on runners:

• Ensure credentials are not persisted to disk or reused across jobs.  
• Use ephemeral runners or clean environments to prevent cross-job secret leakage. 

Reduce lateral movement risk through Attack Path analysis

Organizations can reduce the risk of credential-driven lateral movement by leveraging attack path analysis in Microsoft Defender. This capability provides visibility into how identities, secrets, misconfigurations and resources are interconnected across the environment. By continuously analyzing these relationships, Defender identifies attack paths involving leaked or overprivileged secrets, including those used in CI/CD pipelines.

Security teams can use these insights to proactively remediate risk by removing excessive permissions, rotating credentials, and segmenting access, effectively limiting how far an attacker could move if a pipeline or token is compromised.

Assess blast radius using Advanced Hunting

The Exposure Management graph provides a unified representation of organizational assets and their relationships, including identities, endpoints, cloud resources and secrets.  This graph is also exposed to customers through Advanced Hunting in Microsoft Defender, enabling programmatic exploration of these connections.

Using Advanced Hunting, security teams can query this graph to assess the potential blast radius of any given node, such as a leaked CI/CD secret or compromised identity. By understanding which assets are reachable through existing permissions and trust relationships, organizations can prioritize remediation of the most critical exposure paths.

Additional examples and query patterns are available here as well as in the following Advanced Hunting Queries section below.

If your organization believes it has been impacted by this supply chain compromise, Microsoft Incident Response is available to provide immediate investigation, containment, and recovery support. Contact Microsoft Incident Response

Advanced hunting queries

CloudProcessEvents query to identify malicious commands originating from the recent TeamPCP supply-chain attacks.

CloudProcessEvents 
| where ProcessCommandLine  has_any ('scan.aquasecurtiy.org','45.148.10.212','plug-tab-protective-relay.trycloudflare.com','tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io','checkmarx.zone','/tmp/runner_collected_','tpcp.tar.gz')  
   or (ParentProcessName == 'entrypoint.sh' and ProcessCommandLine  has 'grep -qiE (env|ssh)')

Kubernetes secrets enumeration 

DeviceProcessEvents 
| where FileName == "bash" 
| where InitiatingProcessFileName != "claude" 
| where InitiatingProcessParentFileName != "claude" 
| where ProcessCommandLine !contains "claude" 
| where ProcessCommandLine  has_all ("kubectl get secrets ", " --all-namespaces ", " -o json ", " || true") 

Credential enumeration

let GCP_Enumeration = pack_array('$GOOGLE_APPLICATION_CREDENTIALS', 'cat', '2>/dev/null', '||'); 
let AWS_Enumeration = pack_array('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI', 'curl -s', '2>/dev/null'); 
let Kubernetes_Enumeration = pack_array('kubectl get secrets --all-namespaces', '2>/dev/null'); 
DeviceProcessEvents 
| where FileName in ('dash', 'bash', 'sh') 
| where InitiatingProcessFileName contains "python" 
| where ProcessCommandLine has_all (GCP_Enumeration) 
    or ProcessCommandLine has_all (AWS_Enumeration) 
    or ProcessCommandLine has_all (Kubernetes_Enumeration) 
| where ProcessCommandLine !has_cs 'ADC' 

Exfiltration via curl from a Trivy process 

DeviceProcessEvents 
| where FileName == "curl" 
| where InitiatingProcessCommandLine contains "trivy-action" 
| where ProcessCommandLine contains " POST " 
| where ProcessCommandLine contains " --data-binary" 

Typosquatted C2 Domain in Command Line  

CloudProcessEvents 
| where ProcessCommandLine has_any (   
    // Typosquatted C2 domain 
    "scan.aquasecurtiy.org", "aquasecurtiy.org", 
    // C2 IP 
    "45.148.10.212”) 
| project Timestamp, KubernetesPodName, KubernetesNamespace, AzureResourceId, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine,  ParentProcessName, FileName 

OpenSSL-based encryption operations 

CloudProcessEvents 
| where ProcessName == "openssl" 
    and ProcessCommandLine has_any ( "enc -aes-256-cbc",  "enc -aes-256",) 
    and and ProcessCommandLine has "-pass file:" 
| project Timestamp,  KubernetesPodName, KubernetesNamespace, AzureResourceId, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ParentProcessName, FileName 
  
DeviceProcessEvents 
| where ProcessCommandLine has_all ('/dev/null', '--data-binary', '-X POST', 'scan.aquasecurtiy.org ') 
or ProcessCommandLine has_any ('pgrep -f Runner.Listener', 'pgrep -f Runner.Worker') 
or ProcessCommandLine has_any ('tmp/runner_collected_', 'tpcp.tar.gz') and ProcessCommandLine has_any ('curl', 'tar', 'rm', 'openssl enc') and ProcessCommandLine !has 'find' 
or InitiatingProcessCommandLine contains '/entrypoint.sh’ and ProcessCommandLine has ‘grep -qiE (env|ssh)’  
| join kind=leftouter (DeviceNetworkEvents | where RemoteIP == '45.148.10.122') on DeviceId 
| project Timestamp, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFolderPath, RemoteIP 

Compromised installations of Trivy

DeviceTvmSoftwareInventory 
| where SoftwareName has "trivy" 
| where SoftwareVersion has_any ("0.69.4", "0.69.5", "0.69.6") 

References

Trivy Compromised a Second Time – Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised – StepSecurity (Step Security)

Update: Ongoing Investigation and Additional Activity (Aqua)

This research is provided by Microsoft Defender Security Research with contributions from  Yossi Weizman, Mathieu Letourneau, Bhakta Pradhan, Hazel Kim, Sagar Patil, Shai Yannai, Gourav Khandelwal, Ofir Mastor, Chinmay Soni, Arlette Umuhire Sangwa, and Ram Pliskin

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps

Explore how to build and customize agents with Copilot Studio Agent Builder 

Microsoft 365 Copilot AI security documentation 

How Microsoft discovers and mitigates evolving attacks against AI guardrails 

Learn more about securing Copilot Studio agents with Microsoft Defender