Trivy GitHub Action hijacked

Malicious Trivy release v0.69.4 was pushed at 17:43:37 UTC on March 19, and community timelines show poisoned artifacts published to GitHub Releases, Docker Hub/GHCR and AWS ECR with an exposure window of roughly 12 hours into March 20. (snyk.io) Investigators say the actor reused credentials obtained during an earlier March 1/late‑February compromise that abused a pull_request_target workflow, and incomplete/non‑atomic secret rotation at the time allowed refreshed tokens to be leveraged. (snyk.io) The intruder self‑identified as “TeamPCP” (aliases reported as DeadCatx3/PCPcat/ShellForce) and delivered the attack by force‑moving tags and committing imposter commits; incident responders have flagged a C2 domain (scan[.]aquasecurtiy[.]org) and IP 45.148.10.212 linked to exfiltration activity. (snyk.io) Distribution combined a backdoored binary release with mutated action references so CI workflows that pulled actions by mutable tags executed the malicious code, and Homebrew automation picked up v0.69.4 within minutes, creating an additional distribution vector. (snyk.io) Aqua maintainers removed the malicious artifacts, restored the last known clean Trivy release (v0.69.3) and recommended specific safe packages — trivy‑action v0.35.0 and setup‑trivy v0.2.6 — while urging teams to pin to commit SHAs and rotate all pipeline secrets. (github.com) Security teams reported a secondary escalation where a self‑spreading module dubbed “CanisterWorm” was observed propagating into npm packages and developer systems, driving community hunting, registry purges and indicator‑of‑compromise sharing across open‑source ecosystems. (thehackernews.com)