10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions
TeamPCP compromised 76 Trivy version tags on GitHub Actions in an overnight attack, followed by a similar KICS compromise using the same methodology. The attacks targeted credential exfiltration through malicious GitHub Actions.
- Disclosed: April 9, 2026
- Last updated: June 7, 2026
- Blast radius: GitHub Actions users relying on Trivy and KICS actions
- Affected entities:
  - Trivy: 76 version tags weaponized by TeamPCP
  - KICS: Similar attack following same playbook
TeamPCP executed a supply chain attack against the Trivy project by weaponizing 76 version tags overnight. The attack was designed to compromise GitHub Actions workflows that depend on Trivy, with the goal of exfiltrating credentials and secrets from CI/CD pipelines.
Days later, a similar attack using the same playbook was launched against KICS, indicating a coordinated campaign targeting popular security scanning tools in the GitHub Actions ecosystem.
The attacks were detected and contained, with StepSecurity's platform identifying the compromised actions at runtime and preventing credential exfiltration across affected organizations.
Remediation
- Audit all GitHub Actions workflows using Trivy and KICS for suspicious activity or credential exposure
- Rotate any credentials or secrets that may have been exposed through compromised action versions
- Implement runtime detection and monitoring of GitHub Actions execution to identify anomalous behavior
- Pin GitHub Actions to specific commit SHAs rather than version tags to prevent tag-based attacks
- Review GitHub Actions permissions and implement least-privilege access controls
- Monitor for and block execution of known compromised action versions
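The audit and pinning steps above can be checked mechanically. The following is an added example, not code from StepSecurity or this catalog: it flags every `uses:` reference that is not pinned to a full 40-character commit SHA and marks those matching a watchlist. The action names, the SHA and the watchlist terms in the sample are constructed.

```python
import re

# A step- or job-level `uses:` value: owner/repo[/path]@ref
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, watchlist=()):
    """Return (line_no, action, ref, watched) for each `uses:` reference
    that is not pinned to a full commit SHA. `watched` is True when the
    action name contains a watchlist term (hypothetical parameter)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images carry no git ref to pin.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if FULL_SHA_RE.match(ref):
            continue  # immutable: a tag move cannot change what runs
        watched = any(term in action.lower() for term in watchlist)
        findings.append((line_no, action, ref, watched))
    return findings

# Constructed workflow; names and SHA are placeholders, not real IoCs.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Scan image
        uses: example-org/trivy-scan@v1.2.3
      - uses: example-org/kics-scan@main  # branch ref
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for line_no, action, ref, watched in audit_workflow(SAMPLE, ("trivy", "kics")):
        flag = "REVIEW FIRST" if watched else "unpinned"
        print(f"line {line_no}: {action}@{ref or '<none>'} [{flag}]")
```

Run it over each file in `.github/workflows/`; any watched finding marks a workflow whose run history and secrets deserve the audit and rotation steps first.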
Cite this entry
"10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed April 9, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/10-layers-deep-how-stepsecurity-stops-teampcp-s-trivy-supply-chain-attack-on-git-1gzwzb
Related incidents
- Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem (active, critical)
  A new wave of the Mini Shai-Hulud worm has compromised multiple npm packages across Alibaba's AntV data visualization ecosystem, including echarts-for-react and timeago.js. Stolen CI/CD secrets are being exfiltrated and dumped to thousands of public GitHub repositories as the attack spreads.
  Tags: npm, Other, Compromised package, Account takeover
- The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave (active, critical)
  TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.
  Tags: npm, Other, Account takeover, Compromised package, Malicious maintainer
- Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope (active, critical)
  The Shai-Hulud worm has hijacked intercom-client@7.0.4 (361,510 weekly downloads) via a compromised GitHub Actions OIDC publishing pipeline, 29 hours after compromising mbt@1.2.48 and @cap-js/sqlite@2.2.2. The worm is actively propagating through CI/CD infrastructure stolen from earlier victims, targeting multi-cloud credentials (AWS, GCP, Azure).
  Tags: npm, Other, Compromised package, Build-system compromise, Account takeover
- axios Compromised on npm - Malicious Versions Drop Remote Access Trojan (active, critical)
  A maintainer account for the widely-used axios npm package was compromised and used to publish poisoned versions 1.14.1 and 0.30.4. The malicious releases contained a hidden dependency that drops a cross-platform remote access trojan (RAT).
  Tags: npm, Account takeover, Compromised package