Trivy Scanner Hit by Major Supply Chain Attack  Aqua Security's popular open-source vulnerability scanner, Trivy, has been compromised in an ongoing supply chain attack that began in late February 2026 and escalated dramatically by mid-March. Threat actors exploited misconfigurations in Trivy's GitHub Actions workflows, stealing privileged tokens to gain persistent access to repositories and release processes.  This breach turned a trusted DevSecOps tool—boasting over 32,000 GitHub stars—into a vector for credential theft across countless CI/CD pipelines worldwide. The attack unfolded in phases, starting with a token theft from a misconfigured GitHub Action on February 28, allowing initial foothold establishment. By March 19, attackers force-pushed malicious code to 76 of 77 tags in aquasecurity/trivy-action and all 7 in setup-trivy, repointing versions like v0.69.4 to infostealer payloads. The malware executed stealthily: it harvested GitHub tokens, cloud credentials, and SSH keys, encrypted them in tpcp.tar.gz archives, exfiltrated to scan.aquasecurtiy[.]org, then ran legitimate Trivy scans to avoid detection. Malicious Docker images under tags like latest, 0.69.5, and 0.69.6 further spread the threat via container registries. Despite Aqua Security's credential rotations after the initial incident, incomplete measures let attackers reestablish access, leading to repository tampering detected on March 22. This persistence mirrors trends in SaaS supply chain attacks, from SolarWinds to recent exploits, where upstream compromises cascade downstream. The "Team PCP" actors have struck Trivy three times in under a month, highlighting eviction challenges in automated environments. Trivy's vast adoption amplifies the blast radius, potentially exposing secrets in thousands of organizations' pipelines. Microsoft and others urge auditing workflows using compromised tags, as successful scans masked the theft. This incident underscores vulnerabilities in mutable tags and over-privileged runners, eroding trust in open-source security tools.  To mitigate, pin GitHub Actions to immutable commit SHAs instead of tags, rotate all exposed secrets, and adopt OIDC for short-lived credentials. Harden CI/CD privileges, monitor SaaS integrations continuously, and audit Trivy executions since March 1. Aqua Security continues remediation with partners like Sygnia, but organizations must proactively secure their supply chains against such "side door" threats.

Trivy Scanner Hit by Major Supply Chain Attack #GitHub #SupplyChainAttack #TrivyScanner

TeamPCP Uses Fake Ringtone File in Tainted Telnyx SDK to Steal Credentials TeamPCP hackers planted malicious code in tainted Telnyx Python SDK versions using a fake ringtone file to steal credentials, crypto wallets, and keys.

#TeamPCP strikes again. Hackers hid credential-stealing malware inside a fake ringtone file in tainted #Telnyx SDK versions, targeting developers via a supply chain attack.

Read: hackread.com/teampcp-fake...

#CyberSecurity #DataBreach #SupplyChainAttack #Malware

Alert: The Telnyx Python SDK on PyPI has been compromised in a major supply chain attack by TeamPCP. Developers, update immediately and rotate credentials! #CyberSecurity #SupplyChainAttack #PyPI Link: thedailytechfeed.com/telnyx-pypi-...

FRIDAY | 27 MARCH 2026 | Cyber Report

#CyberSecurity #InfoSec #CyberFM #TechNews #Linux #Oracle #Trivy #SupplyChainAttack #EthicalHacking #CISA #SysAdmin #Programming #DataBreach #WebLogic #STEM

⚠️ El arma secreta en tu cadena de suministro: atacan con tu propia herramienta

thenewstack.io/teampcp-trivy-supply-cha...

#Seguridad #OpenSource #SupplyChainAttack #DevSecOps

TeamPCP strikes again: Backdoored Telnyx PyPI package delivers malware - Help Net Security TeamPCP continues is supply chain compromise rampage, with telnyx on PyPI being the latest maliciously modified package.

TeamPCP strikes again: Backdoored Telnyx PyPI package delivers malware

📖 Read more: www.helpnetsecurity.com/2026/03/27/t...

#cybersecurity #cybersecuritynews #malware #supplychainattack @pypi.org @endorlabs.bsky.social @aikidosecurity.bsky.social

The LiteLLM Supply Chain Attack: How a Security Scanner Became a Backdoor On March 24, 2026, versions 1.82.7 and 1.82.8 of LiteLLM — with ~97 million monthly downloads — were found to contain a credential-stealing backdoor. Here's what happened, how it worked, and what you ...

The LiteLLM Supply Chain Attack: How a Security Scanner Became a Backdoor

techlife.blog/posts/litell...

#LiteLLM #SupplyChainAttack #PyPI #Security #Malware #Python #TeamPCP #AISecurity

Full Article: www.technadu.com/delve-provid...

👉 Do you think compliance frameworks are keeping up with modern attack vectors? Comment your opinion.
#Cybersecurity #SupplyChainAttack #OpenSource #DevSecOps #InfoSec

New AI Documentation Service Exposes Coders to Poisoning Attack Context Hub lacks safeguards against poisoned documentation, allowing malicious instructions to manipulate AI coding agents

New AI Documentation Service Exposes Coders to Poisoning Attack

#AISecurity #SupplyChainAttack #CyberSecurity #AusNews

thedailyperspective.org/article/2026-03-25-new-a...

Alert: GhostLoader malware infiltrates NPM packages, stealing developer credentials via Remote Dynamic Dependencies. Stay vigilant and secure your development environment. #CyberSecurity #NPM #SupplyChainAttack Link: thedailytechfeed.com/ghostloader-...

⚠️ Ataque de cadena de suministro se expande a Checkmarx y LiteLLM

devops.com/sophisticated-supply-cha...

#Ciberseguridad #SupplyChainAttack #DevSecOps #Checkmarx

Aqua Security's Trivy scanner compromised in a sophisticated supply chain attack, leading to widespread credential theft in CI/CD pipelines. Immediate action required! #CyberSecurity #SupplyChainAttack #TrivyBreach Link: thedailytechfeed.com/supply-chain...

TeamPCP hacks Checkmarx's GitHub Actions, exposing CI/CD secrets in thousands of repositories. A wake-up call for enhanced software supply chain security. #CyberSecurity #SupplyChainAttack #GitHub Link: thedailytechfeed.com/teampcp-brea...

Ghost Campaign Uses npm to Steal Crypto
Read More: buff.ly/N4NYXqk

#GhostCampaign #npmSecurity #SupplyChainAttack #CryptoTheft #MaliciousPackages #DeveloperSecurity #macOSMalware #LinuxSecurity

1,000+ Cloud Environments Infected in Major Trivy Supply Chain Breach Malware campaign expands across cloud infrastructure after compromising widely-used vulnerability scanner. Over 1,000 organisations affected.

1,000+ Cloud Environments Infected in Major Trivy Supply Chain Breach

#SupplyChainAttack #Cybersecurity #CloudSecurity #MalwareAlert #AusNews

thedailyperspective.org/article/2026-03-24-1-000...

Trivy supply chain attack leads to infostealer spread via Docker Hub and Kubernetes wiper deployment. Developers, ensure your tools are secure! #CyberSecurity #SupplyChainAttack #DevOps Link: thedailytechfeed.com/trivy-supply...

Teampcp Hacks Checkmarx via Stolen CI
Read More: buff.ly/6nVcv6O

#TeamPCP #Checkmarx #GitHubActions #CICDSecurity #SupplyChainAttack #SecretsTheft #Typosquatting #DevSecOps

Trivy GitHub Action Breach Hits CI/CD
Read More: buff.ly/tfZnIy8

#Trivy #AquaSecurity #GitHubActions #CICDSecurity #SupplyChainAttack #SecretsTheft #DevSecOps #InfosecNews

Aqua Security Trivy logo on a blue gradient background with a large red “HACKED” stamp overlay, indicating a supply chain compromise of the Trivy security tool.

🚨 Attackers exploited the Trivy supply chain to spread an infostealer, leading to credential theft and Kubernetes attacks.

If you use Trivy, this may impact your environment.

Read the full breakdown:
basefortify.eu/posts/2026/0...

#CyberSecurity #SupplyChainAttack #DevSecOps #CloudSecurity

Alert: Trivy GitHub Action compromised, injecting malicious scripts into CI/CD pipelines. Ensure your workflows are secure. #CyberSecurity #Trivy #SupplyChainAttack Link: thedailytechfeed.com/trivy-github...

Alert: Trivy scanner compromised, leading to the spread of CanisterWorm across 47 npm packages. Developers, ensure your dependencies are secure! #CyberSecurity #SupplyChainAttack #npm #Trivy Link: thedailytechfeed.com/trivy-supply...

Cybersecurity News Review - Week 12 (2026) Supply-chain attacks stole the spotlight this week as attackers compromised a widely-used security scanner, while law enforcement pulled off a record-breaking botnet takedown.

Supply-chain attacks stole the spotlight this week as attackers compromised a widely-used security scanner, while law enforcement pulled off a record-breaking botnet takedown.

#cybersecurity #supplychainattack #AI #ransomware #vulnerability

Widely used Trivy scanner compromised in ongoing supply-chain attack Admins: Sorry to say, but it's likely a rotate-your-secrets kind of weekend.

Widely used Trivy scanner compromised in ongoing supply-chain attack #Technology #Cybersecurity #SupplyChainAttack #Trivy #CyberThreats

arstechnica.com/security/2026/03/widely-...

Speagle Malware Hijacks Cobra Docguard
Read More: buff.ly/tgZGHZk

#Speagle #SupplyChainAttack #SoftwareUpdateAbuse #CobraDocGuard #MalwareCampaign #ThreatIntel #DataExfiltration #InfosecAlert

#OpenClaw #CyberSecurity #Phishing #GitHub #Malware #Infostealer #GhostSocks #SupplyChainAttack #AIsecurity #DeveloperSecurity

Alert: Glassworm malware has compromised popular React Native npm packages, stealing developer credentials and crypto wallets. Ensure your projects are secure! #CyberSecurity #ReactNative #SupplyChainAttack Link: thedailytechfeed.com/glassworm-ma...

📰 Malware GlassWorm Serang 400+ Repository di GitHub, npm, hingga VSCode

👉 Baca artikel lengkap di sini: ahmandonk.com/2026/03/18/malware-glass...

#cyberSecurity #github #keamananSiber #malware #npm #supplyChainAttack #vscode

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers assistance like Google Antigravity read more about GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers reconbee.com/glassworm-su...

#GlassWorm #supplychain #supplychainattack #openvsxextension #cybersecurity #cyberattack

Alert: Malicious npm packages disguised as Solara Executor are targeting Discord, browsers, and crypto wallets. Developers, stay vigilant! #CyberSecurity #SupplyChainAttack #npm #Discord #CryptoSecurity Link: thedailytechfeed.com/malicious-np...

Alert: GlassWorm campaign escalates with 72 malicious Open VSX extensions targeting developers. Stay vigilant and review your extensions. #CyberSecurity #GlassWorm #VSCode #SupplyChainAttack Link: thedailytechfeed.com/glassworm-ma...