The New Stack · March 27, 2026

Securing CI/CD Pipelines: Lessons from the Trivy Supply Chain Attack

This article details a significant supply chain attack on Aqua Security's Trivy vulnerability scanner, where attackers compromised CI/CD pipelines and GitHub repositories to steal credentials and propagate malicious code. It highlights critical vulnerabilities in software supply chains and the architectural considerations for securing development and deployment processes against sophisticated threats. The incident underscores the importance of robust security practices in CI/CD, particularly around credential management and GitHub Actions configuration.


The Trivy Supply Chain Attack Overview

The TeamPCP attack on Aqua Security's Trivy vulnerability scanner serves as a stark reminder of the escalating risks in the open-source software supply chain. Attackers exploited misconfigurations in GitHub Actions workflows and leveraged stolen credentials to compromise not only the Trivy project but also several downstream npm and Python packages. This incident demonstrates how a single point of failure in a trusted security tool's CI/CD pipeline can lead to widespread compromise across an ecosystem.

Multi-Phase Attack Chain

  1. Phase 1: Credential Reuse and Repository Takeover - Attackers used stolen credentials to hijack an Aqua Bot service account, push malicious tags, and propagate backdoored binaries through various distribution channels (GitHub Releases, Docker Hub, GHCR, Amazon ECR).
  2. Phase 2: GitHub Actions Tag Poisoning - Malicious commits were force-updated to existing version tags in `aquasecurity/trivy-action`, silently injecting attacker-controlled code into workflows pinned to these tags. This highlights a critical vulnerability in relying on mutable tags.
  3. Phase 3: Three-Stage Credential Theft - Malware executed within CI/CD runners collected sensitive data (SSH keys, cloud credentials, Kubernetes tokens, database passwords) directly from memory, encrypted it using AES-256-CBC and RSA-4096, and exfiltrated it to typosquatted domains or via newly created GitHub repos.
  4. Phase 4: Persistent Backdoor on Developer Machines - Compromised Trivy binaries installed a persistent `sysmon.py` backdoor as a systemd service, establishing a command-and-control channel via the Internet Computer (ICP) blockchain.
  5. Phase 5: CanisterWorm — Self-Spreading npm Supply Chain Attack - Harvested credentials were used to compromise numerous npm packages. Later iterations added token theft and automatic malicious publishing to `postinstall` hooks, turning victim machines into propagation nodes.
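Phase 2 turns on a single configuration detail: a workflow that references an action by a mutable tag (`aquasecurity/trivy-action@v1`, `actions/checkout@v4`) runs whatever commit that tag points at today, so a force-updated tag silently swaps in attacker code. Pinning to a full 40-character commit SHA makes the reference immutable. The auditor below, added here as an illustration and not code from The New Stack article or from the Trivy project, scans a workflow file for `uses:` references and reports which are pinned, which are mutable, and which are local or Docker references. The sample workflow, its version tags and the placeholder SHA in `hardened_line` are all constructed for this example; the action names `aquasecurity/trivy-action` and `actions/checkout` are real, but the tags shown are not a statement about any specific release.

```python
import re

# Matches the `uses:` value of a GitHub Actions step, whether it is the first
# key of a list item ("- uses: ...") or a later key ("  uses: ...").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the version tags are illustrative, not real pins.
SAMPLE_WORKFLOW = """name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v1
        with:
          scan-type: fs
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
"""


def classify_ref(ref):
    """Return (action, ref, status) for one `uses:` value.

    status is one of: "pinned" (immutable), "mutable" (tag, branch, floating
    image tag, or no ref at all) or "local" (a path inside the repository).
    """
    if ref.startswith("./"):
        return (ref, None, "local")
    if ref.startswith("docker://"):
        # An image digest is content-addressed; a tag such as :3.19 can move.
        status = "pinned" if "@sha256:" in ref else "mutable"
        return (ref, None, status)
    if "@" not in ref:
        # No ref at all means the default branch, the most mutable option.
        return (ref, None, "mutable")
    action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return (action, version, "pinned")
    return (action, version, "mutable")


def audit_workflow(text):
    """Return one finding per `uses:` line: line number, action, ref, status."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, version, status = classify_ref(m.group(1))
        findings.append(
            {"line": lineno, "action": action, "ref": version, "status": status}
        )
    return findings


def mutable_refs(findings):
    """Only the findings a reviewer must act on."""
    return [f for f in findings if f["status"] == "mutable"]


def hardened_line(action, sha, tag):
    """Render the SHA-pinned form, keeping the tag as a comment for humans.

    The SHA must be looked up and verified against the upstream repository by
    the person doing the pinning; this helper only formats it.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError("expected a full 40-hex commit SHA")
    return f"uses: {action}@{sha} # {tag}"


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['status']:<8} {f['action']} {f['ref'] or ''}")
    # Placeholder SHA, constructed for this example; never copy it into a workflow.
    print(hardened_line("aquasecurity/trivy-action", "0123456789abcdef" * 2 + "01234567", "v1"))
```

Run the file directly to see the report for the constructed workflow, or call `audit_workflow` on the contents of each file under `.github/workflows/`. SHA pinning does not by itself verify that the pinned commit is trustworthy, so the pin should be taken from a release the team has reviewed, and Dependabot or Renovate can then raise pull requests when the upstream tag advances rather than letting the change happen silently.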

Key Takeaway: Trusting Your Tools Implicitly

The attack on Trivy underscores that even security tools, often run with elevated permissions, can become vectors for attack if their own supply chain is compromised. System architects must treat security tools like any other dependency, applying stringent controls and verification processes.

supply chain security, CI/CD security, GitHub Actions, vulnerability management, credential management, software supply chain, open source security, DevSecOps
