What Happened
In 2024, TeamPCP compromised the Trivy vulnerability scanner, an open-source tool used by many organizations to detect security issues in containers and dependencies. The attackers published Trivy version 0.69.4, which contained credential-stealing malware. This backdoored version was distributed through GitHub releases and container images, targeting users who pulled updates via automated CI/CD pipelines.
The malicious release was publicly available for about three hours, while compromised GitHub Actions tags remained active for up to 12 hours. During this time, any automated workflow that pulled the latest Trivy version would have downloaded the malicious payload.
The attack was possible because TeamPCP exploited credentials stolen in an earlier breach of Aqua Security's systems in March 2024. These credentials were never fully rotated.
Timeline
March 2024: Initial breach of Aqua Security systems. TeamPCP compromises credentials.
[Date not disclosed] 2024: TeamPCP uses stolen credentials to access Aqua Security's GitHub repository and publish malicious Trivy v0.69.4.
T+0 to T+3 hours: Backdoored release available on GitHub. Container images published to registries. Users running automated updates pull the malicious version.
T+3 hours: Aqua Security removes the malicious GitHub release.
T+12 hours: Compromised GitHub Actions tags fully revoked.
Post-incident: Aqua Security publishes disclosure. Affected users must audit their environments for credential exposure.
Which Controls Failed or Were Missing
Credential Lifecycle Management
The root cause was the failure to fully rotate credentials from the March breach. Your incident response plan must treat every exposed credential as permanently compromised. Partial rotation creates vulnerabilities.
GitHub Actions Secrets Management
The attackers used legitimate GitHub Actions workflows to publish malicious releases, indicating that compromised credentials had write access to release pipelines. Your CI/CD secrets should follow the principle of least privilege. Credentials used for vulnerability scans should not have permission to publish releases.
Release Signing and Verification
There's no indication that Trivy releases were cryptographically signed or that users verified signatures before deployment. Without this control, your team cannot distinguish a legitimate release from a malicious one.
Automated Dependency Updates
Organizations running automated workflows that pull "latest" versions received the backdoored scanner quickly. Your automation should include a verification step before deploying new versions of security tools.
What the Relevant Standard Requires
NIST 800-53 Rev 5
IA-5(1) - Password-Based Authentication: "The organization requires immediate password changes when accounts are compromised."
Credential rotation after a breach must be comprehensive. Every credential in the compromised environment must be treated as exposed.
CM-3 - Configuration Change Control: "The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses."
Automated release pipelines need human approval gates for publishing, especially for security-critical tools.
ISO/IEC 27001
A.5.17 - Authentication Information: "Allocation and management of authentication information shall be controlled by a management process."
This includes documented procedures for credential rotation after security incidents.
A.8.32 - Change Management: "Changes to information processing facilities and information systems shall be subject to change management procedures."
Your CI/CD pipeline is an information processing facility. Changes to what it publishes require change control.
SOC 2 Type II
CC6.1 - Logical and Physical Access Controls: "The entity implements logical access security software, infrastructure, and architectures over protected information assets."
Your GitHub Actions secrets are protected information assets. Access to them should be restricted, monitored, and rotated on a schedule.
Lessons and Action Items for Your Team
Immediate Actions
Audit Your Trivy Usage: If you deployed any version of Trivy between the publication and revocation of v0.69.4, assume compromise. Rotate all credentials accessible to systems where Trivy ran. Check your secret scanning tools for credential exposure.
Review Your Credential Inventory: Document every credential in your CI/CD environment. Set a 90-day maximum lifetime for all of them. Use your identity provider's API to enforce this programmatically.
Pipeline Hardening
Implement Release Verification: Before deploying any third-party tool, verify its cryptographic signature. For tools that don't sign releases, pin to specific SHA256 digests rather than tags.
# Bad - pulls whatever is tagged "latest"
docker pull aquasec/trivy:latest
# Good - pins to immutable digest
docker pull aquasec/trivy@sha256:abc123...
Separate Read and Write Credentials: Your scanning jobs need read access to your code. They do not need write access to your releases. Create separate credentials for each function.
Add Approval Gates: Automated security scans can run on every commit. Publishing releases should require human approval, even if automated.
Incident Response Updates
Define "Credential Compromise" Broadly: Treat every credential in a system with unauthorized access as compromised. Rotate all credentials in the affected boundary immediately.
Set Rotation Deadlines: Specify maximum rotation windows: critical credentials within 4 hours, high-priority within 24 hours, all others within 72 hours.
Test Your Rotation Procedure: Schedule a quarterly exercise to rotate all CI/CD credentials. Document what breaks and fix dependencies that assume static credentials.
The Trivy breach didn't require a zero-day exploit or sophisticated malware. It required stolen credentials that should have been rotated months earlier. Your vulnerability scanner became a vulnerability because basic practices—credential lifecycle, least privilege, release verification—weren't in place. Fix those gaps before the next supply chain compromise targets your toolchain. Supply Chain Security
