Trivy GitHub Action Compromised
Attackers injected malicious scripts into the Trivy GitHub Action, compromising over 10,000 CI/CD workflows and stealing login credentials in a supply‑chain incident — the second such compromise in a month. This highlights an immediate risk to pipeline integrity where a single action can exfiltrate secrets across thousands of projects. (x.com)
Attackers force‑pushed 75 of 76 version tags in the aquasecurity/trivy-action repository, rewrote several setup‑trivy tags, and published a malicious Trivy v0.69.4 release that was later removed. (snyk.io, github.com) The malicious tags resolved to newly forged commits during an exposure window of roughly 12 hours from March 19, 2026 17:43 UTC to about March 20 05:40 UTC. (snyk.io) The injected entrypoint performed in‑memory dumping on GitHub Runners to harvest SSH keys, cloud provider credentials and crypto wallets, and the compromised trivy v0.69.4 artifact propagated to Docker Hub, GitHub Container Registry and AWS ECR. (snyk.io, thesecuritypress/stepsecurity) Maintainers published remediation guidance naming safe releases (trivy v0.69.3, trivy-action v0.35.0 and setup-trivy v0.2.6) and urged immediate rotation of any pipeline secrets and tokens that ran during the window. (github.com, snyk.io) Public analysis shows the actor reused credentials obtained in an earlier March 1 incident (and related February 28 activity) to gain the privilege needed to rewrite tags rather than push new commits. (github.com, awesomeagents.ai) Security vendors and researchers are attributing the March 19 activity to the group tracked as “TeamPCP” (also reported as DeadCatx3/PCPcat/ShellForce) while Aqua Security and registry operators removed malicious artifacts and rolled back affected distributions. (bleepingcomputer.com, wiz.io)
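An added triage example (not from the original page or from Aqua Security): it lists workflow runs that referenced the affected actions by tag or branch and started inside the exposure window stated above, which are the runs whose secrets the guidance says to rotate. The aquasecurity/ owner of setup-trivy is an assumption, and the file names, tag, SHA and run times are constructed samples.

```python
import re
from datetime import datetime, timezone

# Exposure window as reported on this page (the end time is approximate).
WINDOW_START = datetime(2026, 3, 19, 17, 43, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 20, 5, 40, tzinfo=timezone.utc)
# Actions named on the page; the aquasecurity/ owner of setup-trivy is an assumption.
AFFECTED = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def mutable_refs(workflow_text):
    """(action, ref) pairs for affected actions referenced by tag or branch."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if action.lower() in AFFECTED and not FULL_SHA.fullmatch(ref.lower())]

def in_window(started_at):
    """True if an ISO-8601 UTC run start time falls inside the exposure window."""
    ts = datetime.fromisoformat(started_at.replace("Z", "+00:00"))
    return WINDOW_START <= ts <= WINDOW_END

def runs_needing_rotation(workflows, runs):
    """workflows: {path: YAML text}; runs: [(path, started_at)] -> runs to triage."""
    exposed = {p: refs for p, text in workflows.items() if (refs := mutable_refs(text))}
    return [(p, ts, exposed[p]) for p, ts in runs if p in exposed and in_window(ts)]

# Constructed sample input: tag, SHA and run times are made up for illustration.
SAMPLE_WORKFLOWS = {
    "scan.yml": """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.0.0
""",
    "pinned.yml": """
    steps:
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
""",
}
SAMPLE_RUNS = [
    ("scan.yml", "2026-03-19T20:05:00Z"),    # inside the window, tag reference
    ("scan.yml", "2026-03-21T09:00:00Z"),    # after the window
    ("pinned.yml", "2026-03-19T22:00:00Z"),  # inside the window, full-SHA pin
]

if __name__ == "__main__":
    for path, started, refs in runs_needing_rotation(SAMPLE_WORKFLOWS, SAMPLE_RUNS):
        print(f"rotate secrets used by {path} (run {started}): {refs}")
```

This covers only the rewritten-tag path: a full-SHA pin is unaffected by a force-pushed tag, but any pipeline that pulled the Trivy v0.69.4 artifact needs separate review.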