
Weaponizing the Watcher: Analyzing the TeamPCP Trivy Supply Chain Compromise


Executive Summary

On March 19, 2026, a highly sophisticated CI/CD-focused supply chain attack targeted Trivy, the widely adopted open-source vulnerability scanner maintained by Aqua Security. Attributed to the threat actor known as TeamPCP, the campaign leveraged compromised credentials from a previously under-remediated incident to inject malicious code into official distribution channels. By poisoning GitHub Actions and publishing weaponized binaries, the attackers successfully turned a trusted security tool into a vehicle for credential theft and persistence. This incident highlights the critical vulnerability of modern DevOps pipelines, where a single point of failure in a trusted dependency can lead to widespread organizational compromise. SecLookup was actively detecting and blocking the infrastructure associated with this threat prior to the public disclosure.

Threat Analysis

The TeamPCP campaign represents a calculated execution phase of a long-term operation. Rather than attempting to breach thousands of organizations individually, the actors compromised the tooling those organizations use to secure themselves. This "watering hole" approach in the CI/CD space is particularly effective because security scanners like Trivy often run with elevated permissions to access container registries, source code, and cloud environments.

TTPs: CI/CD Pipeline Poisoning

The primary vector for this compromise involved the manipulation of GitHub Actions. TeamPCP gained access to credentials with tag write permissions for the aquasecurity/trivy-action and aquasecurity/setup-trivy repositories.

The attackers utilized a "force-push" technique against existing version tags. In GitHub Actions, many developers reference versions using tags (e.g., uses: aquasecurity/trivy-action@v1). By force-pushing 76 of 77 version tags, TeamPCP redirected these trusted references to malicious commits containing their payload. Because the version number remained unchanged, downstream workflows automatically pulled the malicious code without triggering any alerts or requiring manual updates from the end-user.

Malicious Binary Distribution

Simultaneously, the actors weaponized the release automation process. They triggered the publication of a malicious Trivy binary, specifically version v0.69.4. This version was distributed through official GitHub Releases and container registries. The infected binary contained a credential-stealing module designed to intercept:

  • Cloud provider credentials (AWS, Azure, GCP)

  • GitHub Personal Access Tokens (PATs)

  • Environment variables stored in CI/CD secrets

  • Container registry authentication tokens

Infrastructure and Typosquatting

To facilitate Command and Control (C2) and exfiltration, TeamPCP deployed a combination of typosquatted domains and decentralized infrastructure. The domain aquasecurtiy.org (note the transposed 'i' and 't') was used to mimic official communication channels and host malicious scripts.

Furthermore, the actors utilized the Internet Computer Protocol (ICP) to host C2 endpoints, as seen with the domain tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io. Using decentralized hosting makes it significantly harder for traditional security controls to take down the infrastructure, providing the actors with increased resilience.
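One defender-side way to catch the transposed-letter domain class described above, as an added example that is not part of the original report: it scores the registrable part of each queried name against the legitimate aquasecurity.org with an optimal-string-alignment (Damerau-Levenshtein) distance, so any single-transposition or single-character variant of the brand is flagged, not only the two typosquat hosts the report lists; the dnsmasq-style resolver log lines and runner addresses are constructed.

```python
import re
# Brand domain to protect and the exact indicator domains named in the write-up.
WATCHED_BRANDS = {"aquasecurity.org"}
KNOWN_IOC_DOMAINS = {"aquasecurtiy.org", "scan.aquasecurtiy.org",
                     "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"}

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions, so the
    't'/'i' swap in aquasecurtiy counts as one edit from aquasecurity, not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain: str, max_distance: int = 1) -> str:
    """'ioc' (exact indicator), 'legit', 'typosquat' (near miss of a brand) or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_IOC_DOMAINS:
        return "ioc"
    base = ".".join(domain.split(".")[-2:])  # crude eTLD+1, enough for .org/.io here
    if base in WATCHED_BRANDS:
        return "legit"
    if any(damerau_levenshtein(base, brand) <= max_distance for brand in WATCHED_BRANDS):
        return "typosquat"
    return "unknown"
# dnsmasq-style resolver log lines and runner addresses, constructed for this example.
SAMPLE_LOG = [
    "Mar 20 10:01:02 dnsmasq[1]: query[A] ghcr.io from 10.0.3.14",
    "Mar 20 10:01:05 dnsmasq[1]: query[A] aquasecurity.org from 10.0.3.14",
    "Mar 20 10:01:07 dnsmasq[1]: query[A] scan.aquasecurtiy.org from 10.0.3.14",
    "Mar 20 10:01:09 dnsmasq[1]: query[A] update.aquasecurtiy.org from 10.0.3.22",
    "Mar 20 10:01:11 dnsmasq[1]: query[A] tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io from 10.0.3.22",
]
QUERY_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<src>\S+)")
def scan_dns_log(lines):
    """Return (source, queried name, verdict) for every query that needs attention."""
    hits = []
    for m in filter(None, map(QUERY_RE.search, lines)):
        verdict = classify(m["qname"])
        if verdict in ("ioc", "typosquat"):
            hits.append((m["src"], m["qname"], verdict))
    return hits
```

The distance threshold of 1 keeps the rule tight; raising it to 2 catches more variants but will start matching unrelated short second-level labels, so tune it per brand length.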

Expansion to Other Frameworks

Initial investigation by the Microsoft Defender Security Research Team suggests that TeamPCP has expanded this campaign beyond Trivy. Indicators of similar activity have been detected involving Checkmarx KICS and LiteLLM. This suggests a broader strategy targeting the "Security as Code" and "AI Orchestration" layers of the modern tech stack.

MITRE ATT&CK Mapping

The techniques observed in this campaign map to the following MITRE ATT&CK framework categories:

Tactic                | Technique                                                            | ID
----------------------|----------------------------------------------------------------------|----------
Initial Access        | Supply Chain Compromise: Compromise Software Supply Chain            | T1195.002
Execution             | Command and Scripting Interpreter: Bash/PowerShell                   | T1059
Persistence           | Create or Modify System Process: Systemd Service                     | T1543.002
Credential Access     | Unsecured Credentials: Credentials In Files / Environment Variables  | T1552
Command and Control   | Application Layer Protocol: Web Protocols                            | T1071.001
Resource Development  | Acquire Infrastructure: Domains                                      | T1583.001

SecLookup Detection

The SecLookup threat intelligence platform was actively monitoring the infrastructure used in this campaign. Our proprietary scanning engines identified the typosquatted aquasecurtiy.org domain and its subdomains shortly after registration. Furthermore, our behavioral analysis systems flagged the anomalous ICP-based C2 infrastructure as high-risk.

SecLookup customers were protected because the malicious domains were flagged as "Malicious" in our database, enabling automated blocking at the firewall and DNS levels.

Indicators of Compromise (IOCs)

Domains

aquasecurtiy.org
scan.aquasecurtiy.org
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io

IP Addresses

Attacker infrastructure:

45.148.10.122
45.148.10.212

Cloud metadata endpoints queried by the payload (link-local addresses that are not attacker-owned; monitor for access from CI runners rather than blocking them):

169.254.169.254  # Instance metadata service (IMDS), used to harvest instance credentials
169.254.170.2    # ECS task metadata / credential endpoint

Detection Rules (YARA)

The following YARA rules can be used to scan for the presence of the TeamPCP infection within your environment or CI/CD logs.

rule INDICATOR_SUSP_Trivy_Typosquat_Domain {
    meta:
        description = "Detects the typosquatted domain aquasecurtiy.org used in the TeamPCP Trivy supply chain attack"
        author = "SecLookup Threat Research"
        date = "2026-03-25"
        reference = "Trivy Supply Chain Compromise March 2026"
    strings:
        $typo1 = "aquasecurtiy.org" ascii wide
        $typo2 = "scan.aquasecurtiy.org" ascii wide
        $proper = "aquasecurity.org" ascii wide
    condition:
        // Either typosquatted host, but only in files that do not also mention the
        // legitimate domain; a log that contains both will therefore not match.
        ($typo1 or $typo2) and not $proper
}

rule MALW_TeamPCP_Trivy_Infection_Indicators {
    meta:
        description = "Detects indicators of the TeamPCP malware injection in Trivy binaries and CI/CD configs"
        author = "SecLookup Threat Research"
    strings:
        $c2_icp = "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io" ascii wide
        $actor = "TeamPCP" ascii wide
        $ver = "v0.69.4" ascii wide
        $action1 = "aquasecurity/trivy-action" ascii wide
        $action2 = "aquasecurity/setup-trivy" ascii wide
    condition:
        // The ICP C2 host alone is enough; the actor name only counts together with
        // one of the affected actions or the malicious release version, because the
        // action names appear in every legitimate workflow that uses Trivy.
        $c2_icp or ($actor and ($action1 or $action2 or $ver))
}

Recommendations

To mitigate the risk posed by the Trivy supply chain compromise and similar CI/CD attacks, SecLookup recommends the following actions:

  1. Pin GitHub Actions to Full Commit SHAs: Avoid using tags like @v1 or @v0.69.4. Instead, use the immutable commit SHA (e.g., aquasecurity/trivy-action@646b15099e...). This prevents "tag-shifting" attacks.

  2. Audit CI/CD Permissions: Implement the principle of least privilege for GitHub Actions. Use the permissions: key in your YAML files to restrict GITHUB_TOKEN access to read-only where possible.

  3. Rotate Secrets: If you have used Trivy version v0.69.4 or the affected GitHub Actions between March 19 and March 25, 2026, assume your CI/CD secrets (AWS keys, PATs, etc.) are compromised and rotate them immediately.

  4. Update Tooling: Ensure you are using the latest patched versions of Trivy. Aqua Security has released remediated versions following the incident.

  5. Monitor Metadata Access: Monitor for unusual requests to 169.254.169.254 or 169.254.170.2 originating from CI/CD runners, which may indicate an attempt to steal cloud identity credentials.
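Recommendations 1 and 2, together with the tag force-push described under CI/CD Pipeline Poisoning, reduce to a property of the workflow file that can be checked mechanically. The audit below is an added example, not SecLookup's or Aqua Security's tooling: it lists every remote uses: reference that is not pinned to a full 40-character commit SHA and reports whether a permissions: key is present at all; the workflow text and the checkout SHA in it are constructed.

```python
import re

# Constructed workflow in the shape that was exposed: actions referenced by tag (which
# the force-push moved) and no permissions key, so GITHUB_TOKEN keeps its default scopes.
# The checkout SHA below is a constructed placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/setup-trivy@v1
      - uses: aquasecurity/trivy-action@v1
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.M)

def audit_workflow(text: str) -> dict:
    """List every remote `uses:` reference not pinned to a full commit SHA, and report
    whether the workflow declares `permissions:` at all."""
    unpinned = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m["ref"]
        if ref.startswith(("./", "docker://")):
            continue  # local composite action or container image: not a GitHub tag ref
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append((lineno, action, version or "<missing>"))
    return {"unpinned": unpinned, "has_permissions": bool(PERMISSIONS_RE.search(text))}
```

A SHA pin only covers the references in this file; a composite action can itself reference other actions by tag, so its action.yml needs the same audit.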
