aquasecurity/trivy-action and setup-trivy tags — turning a widely used vulnerability scanner into a credential stealer. TeamPCP force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in setup-trivy to malicious commits. The injected entrypoint.sh harvested CI secrets from runner memory via /proc/<pid>/mem reads, encrypted the haul with AES-256 + RSA-4096, and exfiltrated it as tpcp.tar.gz to scan.aquasecurtiy[.]org. Those stolen credentials were later used to pivot into other vendors, including Checkmarx, as documented in our KICS field note. Aqua Security published remediation guidance, Microsoft issued detection guidance for the Trivy-specific wave, and the broader consensus held that mutable tags plus blind trust in “security” actions created a high-blast-radius supply chain event.
What Garnet observed
Method: reconstructed Trivy action lineage in lab conditions — the same /proc/*/mem scrape, encoding, and egress pattern TeamPCP used across tags.
Process lineage
Run 23471711050
The public profile for this run shows hosted-compute and runner ancestry, scanner-adjacent processes (kics, node), and egress to checkmarx.zone, apk.cgr.dev, and GitHub-adjacent IPs — the same stealer-class pattern TeamPCP used from compromised scanner actions, even when the job still looked like a normal scan.
Real-world impact
Any workflow that resolved a mutable Trivy tag during the compromise window pulled attacker-controlled code. Stolen tokens enabled follow-on compromises across the ecosystem.
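An added example (not Garnet's or Aqua Security's code) that audits workflow text for the exposure described above: it flags every `uses:` reference whose ref is not a full 40-character commit SHA and marks the two actions named on this page. The function name, the regex, and the sample workflow with its placeholder refs are assumptions constructed for illustration.

```python
import re

# The two actions the page names as having had version tags force-pushed.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Matches `uses: owner/repo[/subpath]@ref`, as a list item or a plain key.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s"']*)?@(?P<ref>[^\s"'#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, action, ref, is_affected) for each `uses:` whose
    ref is not a full 40-hex commit SHA, i.e. a tag or branch that can move."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if not m:
            continue  # not a step, or a local ./path or docker:// reference
        repo, ref = m.group("repo"), m.group("ref")
        if FULL_SHA_RE.match(ref):
            continue  # immutable: moving a tag cannot change what this resolves to
        findings.append((line_no, repo, ref, repo.lower() in AFFECTED))
    return findings

# Constructed sample workflow; the refs and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: example-org/example-action@v1
      - uses: aquasecurity/setup-trivy@vX.Y.Z
      - name: Scan
        uses: aquasecurity/trivy-action@main
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for line_no, repo, ref, affected in audit_workflow(SAMPLE_WORKFLOW):
        note = "named in this incident" if affected else "mutable ref"
        print(f"line {line_no}: {repo}@{ref} ({note})")
```

A SHA pin only helps if the pinned commit itself was reviewed; the audit shows which references could have been redirected by a tag move, not whether a given run actually pulled malicious code.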