Executive Summary
On March 19, 2026, the widely adopted container vulnerability scanner Trivy (developed by Aqua Security) was compromised in a major supply chain attack tracked as CVE-2026-33634 (GHSA-69fq-xp46-6x23) GitHub Advisory Database opens in a new tab. Executed by the cybercrime group TeamPCP (also tracked as UNC6780, PCPcat, DeadCatx3, ShellForce, and CipherForce) Wiz.io Threat Research opens in a new tab, the attack targeted key Trivy distribution channels GitHub Advisory Database opens in a new tab. The threat actors force-pushed malicious commits to 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy GitHub Advisory Database opens in a new tab. Simultaneously, they released a compromised official Trivy binary (v0.69.4) and poisoned container images (v0.69.5 and v0.69.6) on Docker Hub GitHub Advisory Database opens in a new tab. The injected payload acted as a memory-scraping credential stealer, harvesting secrets from CI/CD runners via /proc/*/mem and exfiltrating them to an attacker-controlled typosquatted C2 domain scan.aquasecurtiy[.]org Legit Security opens in a new tab. If outbound access to the C2 domain failed, the malware deployed a fallback technique, leveraging stolen GitHub tokens to create a public repository named tpcp-docs on the victim's organization to store encrypted exfiltrated data Palo Alto Networks Unit 42 opens in a new tab. Start with the runner-memory, tag-drift, and fallback-repository hunts below, then rotate identities exposed during confirmed runs GitHub Advisory Database opens in a new tab.