Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a CI/CD supply chain attack. The threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting both the core binary and the project's GitHub Actions. The attack relied on mutable Git tags, which allow an existing release tag to be re-pointed at attacker-controlled code so that consumers referencing that tag silently pull the malicious version, and on commit identity spoofing on GitHub, which makes injected commits appear to come from legitimate maintainers. The malware performed extensive credential harvesting, targeting cloud provider credentials, Kubernetes secrets, and various application credentials. Microsoft Defender provides detection and investigation capabilities for this threat. Recommended mitigations include updating to known-safe versions, hardening CI/CD pipelines (for example, pinning third-party actions to immutable commit SHAs rather than tags), enforcing least privilege for pipeline identities, protecting secrets, and using attack path analysis to reduce the lateral movement risk from any credentials that were exposed.
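One concrete piece of the "harden CI/CD pipelines" mitigation is to stop consuming actions by mutable tag or branch, since either can be moved to a malicious commit after the fact. The script below audits a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-hex commit SHA (or, for container actions, to an image digest). It is an added example, not code from the pulse, from Microsoft, or from the Trivy project; the workflow text is constructed for the demonstration and the `example-org/scan-action` name is hypothetical.

```python
"""Audit a GitHub Actions workflow for `uses:` references that are not immutably pinned.

Added example; not from the page or the Trivy project. The sample workflow below is
constructed and `example-org/scan-action` is a hypothetical action name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches step lines such as `- uses: owner/repo@ref` (optionally quoted), ignoring comments.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
ABBREV_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')


@dataclass(frozen=True)
class Finding:
    line: int
    ref: str
    reason: str


def classify_uses(ref: str) -> Optional[str]:
    """Return None when the reference is immutably pinned, else a human-readable reason."""
    if ref.startswith("./"):
        # Local action: fixed by the commit already checked out, nothing to pin.
        return None
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        return None if "@sha256:" in image else "container image not pinned by digest"
    if "@" not in ref:
        return "no ref given (resolves to the default branch)"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return None
    if ABBREV_SHA_RE.match(version):
        # Abbreviated ids can become ambiguous and are not what GitHub treats as a pin.
        return "abbreviated SHA; use the full 40-hex commit id"
    return f"mutable ref {version!r} (tag or branch); pin to a full commit SHA"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML line by line and collect every non-pinned `uses:` reference."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reason = classify_uses(match.group(1))
        if reason:
            findings.append(Finding(lineno, match.group(1), reason))
    return findings


# Constructed sample: the weak references beside the hardened form they should take.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@0.30.0
      - uses: example-org/scan-action@main
      - uses: example-org/scan-action@a1b2c3d
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567 # 0.30.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
"""


def main() -> None:
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: {finding.ref}: {finding.reason}")


if __name__ == "__main__":
    main()
```

Run it over each `.github/workflows/*.yml` in a repository as a CI gate; the only acceptable `uses:` forms it lets through are full commit SHAs, digest-pinned images and local actions. Keeping a human-readable version in a trailing comment (as on the pinned line above) preserves readability without weakening the pin, and a tool such as Dependabot can then bump the SHA and comment together.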

Pulse ID: 69c363a17209fdf0cea99e8a
Pulse Link: https://otx.alienvault.com/pulse/69c363a17209fdf0cea99e8a
Pulse Author: AlienVault
Created: 2026-03-25 04:25:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CyberSecurity #GitHub #InfoSec #Malware #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RCE #SupplyChain #Vulnerability #bot #AlienVault

LevelBlue - Open Threat Exchange
