Update: Ongoing Investigation and Additional Activity

Open Source Security Advisory Update: Monday, March 23, 2026, Boston, MA, 2:00 AM ET

We are providing this update to share new developments identified during our ongoing investigation into the Trivy open source incident described below.

Over the weekend, the Trivy team continued analysis of the previously reported incident and started implementing additional security measures across repositories and automation …

Aqua
‘CanisterWorm’ Springs Wiper Attack Targeting Iran – Krebs on Security

🚨 Oh no, not another "supply chain attack"! This time, our heroes, #TeamPCP, have turned Aqua Security's Trivy into a #malware vending machine. 🛒 But don't worry, folks, just a quick #audit will fix everything—because nothing says "secure" like a last-minute scramble. 😂🔒
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack #supplychainattack #security #AquaSecurity #HackerNews #ngated
Trivy Compromised by "TeamPCP" | Wiz Blog

Breaking down the March 2026 Trivy supply chain attack. TeamPCP compromised trivy + trivy-action & setup-trivy GitHub Actions, deploying credential stealers.

wiz.io

"Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation.

The activity, observed around December 25, 2025, and described as "worm-driven," leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce).

TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from diverse victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.

"The operation's goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency," Flare security researcher Assaf Morag said in a report published last week."

https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html

#CyberSecurity #TeamPCP #Ransomware #CloudComputing #Cryptocurrencies

TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

Worm-driven TeamPCP campaign exploits Docker, Kubernetes, Redis, Ray, and React2Shell to build proxy infrastructure for data theft and ransomware.

The Hacker News