When Security Scanners Become the Weapon: Breaking Down the Trivy Supply Chain Attack

Mar 24, 2026
13 minutes

On March 19, 2026, the cybersecurity community learned that a tool used to protect the software supply chain could itself become the attack vector.

Aqua Security’s Trivy, one of the most widely used open-source vulnerability scanners, was compromised in a multi-phase supply chain attack. The breach exposed CI/CD secrets, planted persistent backdoors on developer machines, and spread a self-propagating worm across dozens of npm packages.

Trusted security tooling became a credential-harvesting weapon, enabling a cascading breach across environments.

In this post we break down how the attack unfolded, place it in the broader supply chain threat landscape, and show how Cortex Cloud delivers the layered protection needed to detect, prevent, and respond to attacks like this.

We should also highlight that the Trivy supply chain attack appears to be the root from which additional attacks have emerged over the past few days; we believe this campaign is not yet over.

What Happened?

Two incidents, one root cause. The March 19 attack did not appear out of nowhere. Three weeks earlier, an autonomous bot called hackerbot-claw exploited a misconfigured pull_request_target workflow in Trivy’s GitHub Actions to steal a Personal Access Token (PAT).

Aqua Security discovered the breach and rotated credentials, but the rotation was incomplete. The attackers, a group identifying as TeamPCP (also tracked as DeadCatx3, PCPcat, ShellForce, and CipherForce), retained access through the credentials that survived rotation.

Incomplete containment is a recurring issue in incident response. When breaches are not fully addressed, they create the conditions for the next attack.

The Five-Phase Attack Chain

Phase 1: Credential Reuse and Repository Takeover
Using credentials from the first incident, TeamPCP compromised the aqua-bot service account and made impersonated commits, spoofing legitimate maintainer identities. They pushed a malicious v0.69.4 tag to the Trivy repository (github.com/aquasecurity/trivy), triggering an automated release pipeline that distributed backdoored binaries to GitHub Releases, Docker Hub, GHCR, and Amazon ECR.

Phase 2: GitHub Actions Tag Poisoning
The attackers force-pushed 75 out of 76 version tags in aquasecurity/trivy-action to point to malicious commits. Any GitHub Actions workflow referencing a version tag like @v0.28.0 automatically ran attacker-controlled code at runtime, without changing the workflow file. The malicious commits reused original author metadata and timestamps, creating a deceptive appearance in Git history. Seven setup-trivy tags were also poisoned.

Phase 3: Three-Step Credential Theft
The poisoned actions executed a three-step attack:

  • Collection: The malware read directly from GitHub Actions Runner memory (/proc/<pid>/mem), bypassing log-masking. It harvested SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, TLS private keys, and cryptocurrency wallet files.
  • Encryption: Stolen data was encrypted with AES-256-CBC and wrapped with RSA-4096, rendering network-layer inspection ineffective.
  • Exfiltration: Data was sent to a typosquatted domain (scan.aquasecurtiy[.]org). As a fallback, the malware used the victim’s GitHub PAT to create a public repository named tpcp-docs and staged the data there, leveraging trusted infrastructure for exfiltration.

Phase 4: Persistent Backdoor on Developer Machines

When the malicious Trivy binary ran on a developer workstation, it deployed a systemd service (sysmon.py) that polled an Internet Computer (ICP) blockchain canister every 50 minutes for command-and-control instructions. This decentralized C2 infrastructure is resistant to takedown.

Phase 5: CanisterWorm — Self-Propagating npm Supply Chain Attack

Using stolen credentials, TeamPCP launched CanisterWorm, which compromised 47+ npm packages across multiple scopes. Later variants added token theft and malicious publishing in the postinstall hook, making every developer or CI pipeline that installed an affected package an unwitting propagation vector. Twenty-eight packages were compromised in under 60 seconds.

A Pattern, Not an Anomaly: The Supply Chain Threat Landscape

The Trivy attack is part of a clear escalation pattern in supply chain attacks:

  • SolarWinds (2020): Compromised build system injected backdoors into signed updates distributed to 18,000 organizations.
  • Codecov (2021): Attackers modified a bash uploader script to exfiltrate CI/CD environment variables.
  • ua-parser-js (2021): Hijacked npm package with 8M weekly downloads to distribute cryptominers.
  • tj-actions/changed-files (2025): GitHub Action compromised to steal CI/CD secrets via tag poisoning — the same technique used against Trivy.
  • Trivy (2026): Combined credential theft, tag poisoning, binary tampering, persistent backdoors, and a self-propagating worm — the most sophisticated supply chain attack on a security tool to date.

The trend is clear: attackers are moving upstream, targeting the tools and infrastructure developers trust. Security scanners, CI/CD actions, and package managers are high-value targets because they run with elevated privileges and are rarely scrutinized at runtime.

Immediate Actions for Security Teams

If your organization uses Trivy, take these steps now:

  1. Verify safe versions: trivy v0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6
  2. Pin all GitHub Actions to full SHA hashes — not version tags
  3. Search for tpcp-docs repositories in your GitHub organization (indicates successful exfiltration)
  4. Block scan.aquasecurtiy[.]org and 45.148.10.212 at the network level
  5. Check developer machines for sysmon.py or pgmon systemd services
  6. Rotate all secrets that were accessible from affected CI/CD runners
  7. Use npm ci with --ignore-scripts in CI pipelines to prevent postinstall hook execution
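As an added example (not code from the original post or from Aqua Security), the following Python script performs the audit behind step 2 above and the Phase 2 tag-poisoning mechanism: it scans GitHub Actions workflow text for uses: references that are not pinned to a full 40-hex commit SHA, and also flags Docker image references that use a tag instead of a digest. The sample workflow, its placeholder SHA, and the function names are constructed for this illustration; only uses: lines are inspected, with a regex rather than a YAML parser, so it runs on the standard library alone.

```python
"""Audit GitHub Actions workflow text for mutable action references.

Added example, not code from the original post or from Aqua Security.
Every `uses:` entry should reference a full 40-hex commit SHA; version
tags and branch names can be moved by an attacker, as happened to
trivy-action. Docker image references need a sha256 digest for the same reason.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches `uses: owner/repo@ref`, `- uses: ...`, quoted or unquoted; stops at whitespace or a comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    action: str   # action or image reference without the ref part
    ref: str      # the ref that was supplied ("" if none)
    reason: str   # why the reference is considered mutable


def split_image(image: str) -> Tuple[str, str]:
    """Split 'registry/name:tag' into (name, tag); a colon inside a registry port is not a tag."""
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return image, ""
    return name, tag


def classify(reference: str) -> Optional[Finding]:
    """Return a Finding for a mutable reference, None for a pinned or local one."""
    if reference.startswith("./"):
        return None  # local composite action: lives in the same repo as the workflow
    if reference.startswith("docker://"):
        image = reference[len("docker://"):]
        # image@sha256:<digest> is immutable; image:tag (or no tag at all) is not
        if "@" in image and DIGEST_RE.match(image.split("@", 1)[1]):
            return None
        name, tag = split_image(image)
        return Finding(name, tag, "docker image tag, not a digest")
    if "@" not in reference:
        return Finding(reference, "", "no ref supplied (resolves to default branch)")
    action, ref = reference.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return None
    return Finding(action, ref, "version tag or branch name (mutable)")


def audit_workflow(workflow_text: str) -> List[Finding]:
    """Collect every mutable `uses:` reference in one workflow file."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        finding = classify(match.group(1))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample workflow. The checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: ./.github/actions/notify
      - uses: docker://ghcr.io/example/tool:latest
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run it over every file under .github/workflows; any output line is a reference an attacker could redirect by force-pushing a tag, exactly as in Phase 2. Note that pinning a SHA does not remove the need to review what that commit contains.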

How Cortex Cloud Can Help

The Defense-in-Depth Advantage

No single security control can stop a sophisticated supply chain attack. The Trivy breach shows why defense-in-depth is essential, with integrated visibility across code, build, deploy, and runtime.

Cortex Cloud delivers a unified security platform that covers every phase of this attack across Software Supply Chain Security, AppSec, Cloud Workload Protection, and Extended Detection and Response.

This includes out-of-the-box Supply Chain Security rules that verify your development environment and pipelines are configured according to security best practices, and analytics that confirm your workstations and networks are behaving and communicating as expected, with no abnormal activity.

Below is a more detailed breakdown of how Cortex Cloud detects and blocks each phase of the described attack:

Attack Phase | Cortex Cloud
Phase 1: Credential Reuse and Repository Takeover | Detected by Cortex Cloud Supply Chain Security module via out-of-the-box Poisoned Pipeline Execution (PPE) detection rule
Phase 2: GitHub Actions Tag Poisoning | Detected by Cortex Cloud Supply Chain Security module via out-of-the-box unpinned GitHub Actions detection rule
Phase 3: Three-Step Credential Theft (encrypted exfiltration to typosquatted domain) | Detected by Cortex XDR network analytics
Phase 4: systemd persistence on dev machines | Detected by Cortex XDR endpoint analytics
Phase 4: ICP blockchain C2 beaconing | Detected by Cortex XDR beaconing detection
Phase 5: Self-propagating npm worm | Detected by Cortex SCA and npm install policy

Software Supply Chain and Application Security

Cortex Cloud’s Supply Chain Security continuously monitors CI/CD configurations, pipeline definitions, and repository settings for misconfigurations that create attack surfaces.

Poisoned Pipeline Execution Detection
The initial credential theft exploited a pull_request_target misconfiguration, a well-known Poisoned Pipeline Execution (PPE) vector. Cortex Cloud’s CI/CD risk engine detects this pattern and alerts security teams before it can be exploited. Its out-of-the-box CI/CD security rules cover direct PPE attacks, command injection in user events, and workflows that bypass required reviews.

Unpinned GitHub Actions Detection
Tag poisoning, the core delivery mechanism of the attack, would have been neutralized if downstream users pinned GitHub Actions to full SHA hashes instead of mutable version tags. Cortex Cloud flags unpinned actions as a CI/CD risk, and prevention policies can block pipelines referencing tag-based actions. This single control would have stopped the attack from reaching any Cortex Cloud-protected pipeline.

Credential Hygiene Enforcement
Cortex Cloud detects unrotated secrets, excessive repository permissions, overly permissive workflow token scopes, and organization secrets not scoped to specific repositories. Each of these conditions contributed to the Trivy breach and can be prevented with supply chain security rules.

SCA Package Integrity
Cortex Cloud’s Software Composition Analysis (SCA) detects malicious packages, typosquatting, dependency confusion, and tampered releases. Against CanisterWorm, which published malicious npm packages, Cortex SCA can recognize and block (or alert on) pipelines that install malicious packages, and can recognize that malware even if it propagates to registries or runtime environments.

Secrets Detection with Active Validation
The attack relied on npm tokens in .npmrc files and environment variables. Cortex Cloud AppSec detects exposed credentials (secrets) and validates whether they are still active, enabling teams to rotate compromised tokens before they are weaponized.

Endpoint and Network Analytics

Endpoint Persistence Detection and Response

The malicious Trivy binary deployed a persistent systemd service (sysmon.py) on developer workstations, masquerading as PostgreSQL tooling. Organizations with endpoint runtime protection deployed on developer machines would detect this unauthorized service creation, flag the anomalous process tree (a vulnerability scanner spawning a Python systemd service), and block execution of unsigned binaries fetched from the internet. In Cortex Cloud, this is provided by the Cortex XDR agent.

Network Threat Detection and Domain Reputation Analysis

The encrypted exfiltration to a typosquatted domain (scan.aquasecurtiy[.]org), periodic beaconing to an ICP blockchain canister, and fallback exfiltration via GitHub all represent detectable network anomalies. Network analytics can detect beaconing patterns and connections to newly registered or typosquatted domains, while DNS security and advanced URL filtering can block connections to known-malicious and suspicious domains at the network layer. In Cortex Cloud, these capabilities are provided by Cortex XSIAM network analytics, DNS Security, and Advanced URL Filtering.

Beaconing Detection
The persistent backdoor polled the ICP canister every 50 minutes. Cortex XDR behavioral analytics detects periodic outbound connections to unusual endpoints, even with low-volume, long-interval traffic.
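To make the detection idea concrete, here is an added Python example (not code from the original post or from Cortex) that finds long-interval periodic beaconing in a connection log: it groups connections by (source, destination), measures the gaps between successive connections, and flags pairs whose gaps are regular, meaning a low coefficient of variation (standard deviation divided by mean) across at least four connections. The log format, every log line, and the host name dev-laptop-01 are constructed; the destination is the ICP canister domain listed in the post's IoCs, and the thresholds are assumptions to tune per environment.

```python
"""Flag periodic outbound connections (beaconing) in a connection log.

Added example, not code from the original post or from Cortex. A 50-minute
poll with a few seconds of jitter produces nearly identical gaps, which
stands out even though the traffic volume is tiny.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterator, Tuple

# Constructed sample log: "<UTC timestamp> <source host> <destination host> <port>"
SAMPLE_LOG = """\
2026-03-20T10:00:00Z dev-laptop-01 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 443
2026-03-20T10:03:00Z dev-laptop-01 registry.npmjs.org 443
2026-03-20T10:04:10Z dev-laptop-01 registry.npmjs.org 443
2026-03-20T10:05:00Z dev-laptop-01 github.com 443
2026-03-20T10:50:12Z dev-laptop-01 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 443
2026-03-20T11:30:00Z dev-laptop-01 registry.npmjs.org 443
2026-03-20T11:40:03Z dev-laptop-01 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 443
2026-03-20T12:30:20Z dev-laptop-01 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 443
2026-03-20T13:00:00Z dev-laptop-01 registry.npmjs.org 443
2026-03-20T13:20:05Z dev-laptop-01 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 443
2026-03-20T13:21:00Z dev-laptop-01 github.com 443
"""


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, src, dst) for each non-empty line of the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def detect_beacons(log_text: str, min_hits: int = 4, max_cv: float = 0.1,
                   min_period_s: int = 60) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): period_in_minutes} for pairs whose connections are evenly spaced."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_period_s:
            continue  # bursty short-interval traffic, not a long-interval poll
        cv = pstdev(gaps) / avg  # relative jitter; near 0 means a fixed timer
        if cv <= max_cv:
            beacons[pair] = round(avg / 60)
    return beacons


if __name__ == "__main__":
    for (src, dst), minutes in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{minutes} min")
```

Only the canister destination is reported (period about 50 minutes); the npm registry traffic has irregular gaps and github.com has too few connections. Raising min_hits trades detection latency for fewer false positives.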

Typosquatted Domain Detection
Exfiltration used scan.aquasecurtiy[.]org, a typosquat of aquasecurity.org. Cortex XSIAM flags connections to newly registered or visually similar domains.
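As an added example (not code from the original post or from Cortex XSIAM), the following Python snippet scores observed domains against a list of domains you own or trust using optimal string alignment distance (Levenshtein plus adjacent transposition), so the swapped letters in scan.aquasecurtiy.org score 1 against aquasecurity.org. The comparison runs on the registrable domain, approximated here as the last two labels; a production version would use the Public Suffix List. The observed domain list and the protected list are constructed sample input.

```python
"""Flag observed domains that are near-misses of trusted domains.

Added example, not code from the original post or from Cortex. It uses
optimal string alignment distance so a single transposition (as in the
post's exfiltration domain) counts as one edit rather than two.
"""
from typing import List, Sequence, Tuple


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition as 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption: no multi-label suffixes like co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def typosquat_candidates(observed: Sequence[str], protected: Sequence[str],
                         max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (observed, protected, distance) for observed domains close to, but not equal to, a protected one."""
    hits = []
    for seen in observed:
        seen_reg = registrable(seen)
        for good in protected:
            good_reg = registrable(good)
            if seen_reg == good_reg:
                continue  # exact match or a legitimate subdomain of the protected domain
            dist = osa_distance(seen_reg, good_reg)
            if dist <= max_distance:
                hits.append((seen, good, dist))
    return hits


# Constructed sample: one typosquat among legitimate destinations.
PROTECTED = ["aquasecurity.org", "github.com"]
OBSERVED = ["scan.aquasecurtiy.org", "registry.npmjs.org", "api.aquasecurity.org", "github.com"]

if __name__ == "__main__":
    for seen, good, dist in typosquat_candidates(OBSERVED, PROTECTED):
        print(f"{seen} looks like {good} (distance {dist})")
```

A distance threshold of 2 catches transpositions, single dropped letters and one-character substitutions without flagging unrelated names; pair it with domain age from WHOIS or passive DNS to separate a typosquat from an unrelated short domain that happens to score low.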

Endpoint Behavioral Analytics
On developer machines, Cortex XDR detects the full attack chain: new systemd service creation by a non-standard parent process, periodic blockchain connections, and download-and-execute behavior from dynamic URLs.

Strengthen Your Defenses: Lessons from the Trivy Attack

The Trivy supply chain attack is an important moment for DevSecOps. It reminds us that security tools are high-value targets, mutable references like version tags create systemic vulnerabilities, and static analysis alone cannot detect attacks operating at application and network layers.

Cortex Cloud’s integrated platform delivers layered defense across the full spectrum of supply chain attacks. From CI/CD misconfiguration detection to runtime behavioral threat detection and anomaly detection, every phase of the Trivy attack maps to a Cortex Cloud capability that detects or blocks it.

The question is no longer if security tools will be targeted. It’s when. Organizations that survive will have defense-in-depth visibility from code to cloud to endpoint.

Learn More

Request a demo to discover how Cortex Cloud can protect your software supply chain.

 

Indicators of Compromise

Domain
tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io
scan[.]aquasecurtiy[.]org
souls-entire-defined-routes.trycloudflare[.]com/
investigation-launches-hearings-copying.trycloudflare[.]com/
championships-peoples-point-cassette.trycloudflare[.]com
create-sensitivity-grad-sequence[.]trycloudflare[.]com
models[.]litellm[.]cloud
checkmarx[.]zone
checkmarx[.]zone/raw

 

IPs
63.251.162[.]11
23.142.184[.]129
209.34.235[.]18
45.148.10[.]212
83.142.209[.]11

 

CommandLine Operations
hostname; pwd; whoami; uname -a; ip addr 2>/dev/null || ifconfig 2>/dev/null; ip route 2>/dev/null
env | grep AWS_
curl -s http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} 2>/dev/null || true
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ 2>/dev/null || true
find /var/secrets /run/secrets -type f 2>/dev/null | xargs -I{} sh -c 'echo "=== {} ==="; cat "{}" 2>/dev/null'
env | grep -i kube; env | grep -i k8s
kubectl get secrets --all-namespaces -o json 2>/dev/null || true
env | grep -i google; env | grep -i gcloud
cat $GOOGLE_APPLICATION_CREDENTIALS 2>/dev/null || true
env | grep -i azure
grep -rE "api[_-]?key|apikey|api[_-]?secret|access[_-]?token" . --include="*.env*" --include="*.json" --include="*.yml" --include="*.yaml" 2>/dev/null | head -50
grep -r "hooks.slack.com\|discord.com/api/webhooks"
env | grep -i solana
grep -r "rpcuser\|rpcpassword\|rpcauth" /root /home 2>/dev/null | head -50
cat /var/log/auth.log 2>/dev/null | grep Accepted | tail -200
cat /var/log/secure 2>/dev/null | grep Accepted | tail -200

 

Filesystem
~/.local/share/pgmon/service.py
~/.config/systemd/user/pgmon.service
/var/lib/svc_internal/runner.py
/etc/systemd/system/internal-monitor.service
/tmp/pglog
/tmp/.pg_state
/var/lib/pgmon/pgmon.py
/etc/systemd/system/pgmonitor.service
.config/sysmon/sysmon.py

 

Filenames
kamikaze.sh
kube.py
prop.py
proxy_server.py

 

Hashes

Compromised Packages
Package Version
@leafnoise/mirage 2.0.3
jest-preset-ppf 0.0.2
babel-plugin-react-pure-component 0.1.6
eslint-config-service-users 0.0.3
opengov-k6-core 1.0.2
cit-playwright-tests 1.0.1
react-leaflet-marker-layer 0.1.5
react-leaflet-cluster-layer 0.0.4
eslint-config-ppf 0.128.2
@opengov/form-renderer 0.2.20
@opengov/qa-record-types-api 1.0.3
@airtm/uuid-base32 1.0.2
@opengov/form-builder 0.12.3
@emilgroup/document-uploader 0.0.12
@emilgroup/task-sdk-node 1.0.4
@emilgroup/discount-sdk 1.5.3
@emilgroup/accounting-sdk 1.27.3
@emilgroup/docxtemplater-util 1.1.4
@emilgroup/discount-sdk-node 1.5.2
@emilgroup/gdv-sdk-node 2.6.3
@emilgroup/setting-sdk 0.2.3
@emilgroup/changelog-sdk-node 1.0.3
@emilgroup/partner-portal-sdk 1.1.3
@emilgroup/process-manager-sdk 1.4.2
@emilgroup/numbergenerator-sdk-node 1.3.3
@emilgroup/task-sdk 1.0.4
@emilgroup/customer-sdk 1.54.5
@emilgroup/commission-sdk-node 1.0.3
@emilgroup/partner-sdk 1.19.3
@emilgroup/commission-sdk 1.0.3
@teale.io/eslint-config 1.8.15
@teale.io/eslint-config 1.8.14
@teale.io/eslint-config 1.8.13
@emilgroup/document-sdk-node 1.43.5
@emilgroup/partner-sdk-node 1.19.2
@emilgroup/billing-sdk 1.56.2
@emilgroup/insurance-sdk 1.97.2
@emilgroup/auth-sdk 1.25.2
@emilgroup/payment-sdk 1.15.2
@emilgroup/customer-sdk-node 1.55.2
@emilgroup/accounting-sdk-node 1.26.2
@emilgroup/tenant-sdk 1.34.2
@emilgroup/notification-sdk-node 1.4.2
@emilgroup/tenant-sdk-node 1.33.2
@emilgroup/document-sdk 1.45.2
@emilgroup/payment-sdk-node 1.23.2
@emilgroup/public-api-sdk 1.33.2
@emilgroup/auth-sdk-node 1.21.2
@emilgroup/account-sdk-node 1.40.2
@emilgroup/process-manager-sdk-node 1.13.2
@emilgroup/public-api-sdk-node 1.35.2
@emilgroup/partner-portal-sdk-node 1.1.2
@emilgroup/translation-sdk-node 1.1.2
@emilgroup/document-sdk-node 1.43.2
@emilgroup/gdv-sdk 2.6.2
@emilgroup/customer-sdk 1.54.2
@emilgroup/account-sdk 1.41.2
@emilgroup/claim-sdk-node 1.39.2
@emilgroup/api-documentation 1.19.2
@teale.io/eslint-config 1.8.10
@emilgroup/billing-sdk-node 1.57.2
@emilgroup/insurance-sdk-node 1.95.2
react-autolink-text 2.0.1
@opengov/ppf-backend-types 1.141.2
react-leaflet-heatmap-layer 2.0.1
@opengov/form-utils 0.7.2
@opengov/ppf-eslint-config 0.1.11
aquasecurity/trivy 0.69.4, 0.69.5, 0.69.6
aquasecurity/tfsec
aquasecurity/traceeshark
aquasecurity/trivy-action
aquasecurity/setup-trivy
ast-results 2.53.0
cx-dev-assist 1.7.0
cx-plugins-releases 1 - 2.1.20
Checkmarx/ast-github-action 2.3.28
litellm 1.82.7, 1.82.8
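As an added example (not code from the original post), this Python script checks an npm package-lock.json against compromised (package, version) pairs such as those listed above: it walks the packages map of a lockfile v2 or v3, derives each package name from its node_modules/ key (including nested installs), and reports exact name-and-version matches. The compromised entries are a few pairs taken from the list above; the lockfile content is a constructed sample.

```python
"""Check an npm package-lock.json against a list of compromised package versions.

Added example, not code from the original post. Works on lockfile v2/v3,
whose `packages` map keys every installed module by its node_modules path.
"""
import json
from typing import Iterable, List, Set, Tuple

# A handful of (package, version) pairs from the post's "Compromised Packages" list.
COMPROMISED: Set[Tuple[str, str]] = {
    ("@emilgroup/auth-sdk", "1.25.2"),
    ("@opengov/form-renderer", "0.2.20"),
    ("react-autolink-text", "2.0.1"),
    ("@teale.io/eslint-config", "1.8.15"),
}

# Constructed lockfile: one compromised version, one safe version of a listed
# package, one unrelated package, and one compromised version nested under it.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@emilgroup/auth-sdk": {"version": "1.25.2"},
        "node_modules/react-autolink-text": {"version": "1.9.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@opengov/form-renderer": {"version": "0.2.20"},
    },
})


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b': keep only the innermost package name."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def find_compromised(lock_text: str,
                     compromised: Iterable[Tuple[str, str]] = COMPROMISED) -> List[Tuple[str, str, str]]:
    """Return (name, version, lockfile key) for every installed package in the compromised set."""
    bad = set(compromised)
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate the lockfile with npm 7 or later")
    hits = []
    for key, meta in packages.items():
        if key == "":
            continue  # the root project itself
        name = package_name(key)
        version = meta.get("version", "")
        if (name, version) in bad:
            hits.append((name, version, key))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, key in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} installed at {key}")
```

Matching on the exact version matters: react-autolink-text 1.9.0 in the sample is not reported, only the listed 2.0.1 would be. Run this in CI before npm ci, and remember that a lockfile check finds what is pinned, not what a postinstall hook already did on a machine that installed the bad version earlier.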

