‹ Back to threat feed
CRITICAL Supply Chain Active High confidence

Trivy Supply Chain Compromise: TeamPCP IOCs, Affected Versions, and CI/CD Hunt Guide

Technical SEO post for defenders covering compromised Trivy versions, GitHub Actions exposure, TeamPCP infrastructure, and exact hunt queries for CI/CD and endpoint telemetry.

First seen Mar 19, 2026, 12:00 AM
Last seen Mar 19, 2026, 12:00 AM
IOCs 13
Sources 2
TeamPCPci-cdcredential-theftsupply-chain

Analyst Readout

The structured fields below are intended for technical responders, not just general readers.

Executive Summary

The Trivy compromise shows TeamPCP targeting high-trust security tooling and CI/CD paths where defenders often assume integrity rather than validate it continuously.

Analyst Assessment

This incident is strategically important because it demonstrates attacker interest in software that already has permission to inspect source, containers, and build infrastructure. The GitHub Actions angle expands the blast radius well beyond direct binary installs.

Impact

Trivy installations, GitHub Actions workflows, CI/CD credentials, build telemetry, and any downstream environments that trusted the compromised tooling are exposed.

Exploitation Status

Active campaign reporting with reusable network and host indicators.

Defender Guidance

Inventory Trivy versions, review GitHub Actions usage of Trivy-related actions, and hunt for the listed exfiltration infrastructure, archive names, and temporary collection paths.

Technical Analysis

Agent-authored technical narrative, preserving headings, lists, and code blocks.

Why This Matters

The Trivy incident is strategically important because it shows attackers targeting security tooling and CI/CD workflow plumbing, not just application dependencies. A compromised scanner or setup action can inherit visibility into repositories, build logs, tokens, and deployment material by design.

Affected Package Coordinates

Trivy
trivy@0.69.4
trivy@0.69.5
trivy@0.69.6
GitHub Actions references to review
uses: aquasecurity/trivy-action@<compromised-release-window>
uses: aquasecurity/setup-trivy@<compromised-release-window>

Verified Claims

Claim 1: Multiple Trivy versions and related workflow integrations were exposed as part of the compromise window

Verified.

  • Microsoft publishes the affected Trivy versions and associated hunting guidance.
  • The structured slug data extends that to GitHub Actions references that defenders should inventory alongside direct binary installs.

Why this matters: Teams that only review workstation package versions may miss workflow-based exposure.

Claim 2: The activity used recognizable exfiltration and staging indicators, including typosquatted or campaign-linked domains

Verified.

  • Microsoft lists scan.aquasecurtiy.org, 45.148.10.212, 94.154.172.43, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, and other indicators.
  • The dataset also preserves tpcp.tar.gz, /tmp/runner_collected_, and libredtail-http as useful pivot points.

Why this matters: The hunting surface is wider than version inventory. Network and temporary collection artifacts can reveal systems that no longer retain the vulnerable version.

Claim 3: The Trivy incident is part of the larger TeamPCP campaign rather than a standalone scanner-only event

Verified with high confidence.

  • Microsoft documents the core compromise mechanics and indicators.
  • Kodem places Trivy inside a longer campaign timeline spanning additional developer and CI/CD tooling.

Why this matters: Defenders should pivot from Trivy exposure into adjacent campaign indicators instead of scoping only one tool.

Attack Chain

  1. Attackers abused a trusted Trivy distribution or workflow path.
  2. Affected versions or GitHub Actions references executed in CI/CD or developer environments.
  3. Temporary collection and archive behavior aligned with indicators such as /tmp/runner_collected_ and tpcp.tar.gz.
  4. Network communication touched campaign-linked infrastructure.
  5. The attacker leveraged access to harvest secrets or stage exfiltration from build-oriented systems.

Technical Mechanics

Execution Surface

This incident matters because Trivy often runs where build credentials and source visibility already exist. The attacker does not need privilege escalation if the compromised tool already operates inside a privileged workflow.

Indicators

scan.aquasecurtiy.org
45.148.10.212
94.154.172.43
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
models.litellm.cloud
plug-tab-protective-relay.trycloudflare.com
audit.checkmarx.cx
tpcp.tar.gz
/tmp/runner_collected_
libredtail-http

Workflow Exposure Model

The most important triage distinction is between:

  • direct Trivy installs on endpoints or runners
  • GitHub Actions workflows that fetched or invoked Trivy-related actions during the compromise window

Both paths can place attacker-controlled logic into environments that have access to secrets and repository contents.

Detection Opportunities

rg -n "trivy@0.69.4|trivy@0.69.5|trivy@0.69.6|aquasecurity/trivy-action|aquasecurity/setup-trivy" .github/workflows package-lock.json
rg -n "scan.aquasecurtiy.org|45.148.10.212|94.154.172.43|tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io|models.litellm.cloud|plug-tab-protective-relay.trycloudflare.com|audit.checkmarx.cx|tpcp.tar.gz|/tmp/runner_collected_|libredtail-http" /var/log "$WORKSPACE"

Analyst focus:

  • GitHub Actions history during the compromised release window
  • runner filesystem traces matching /tmp/runner_collected_
  • outbound traffic to campaign infrastructure
  • repositories or secrets accessible to workflows that ran Trivy

Open Questions And Confidence Notes

  • Microsoft is strongest on concrete indicators and defender hunting guidance.
  • Kodem is strongest on campaign context and linkage to later TeamPCP compromises.
  • Exact code-level behavior inside every affected distribution path is less explicit than the network and artifact evidence, so some lower-level execution detail remains campaign-level rather than package-diff-level.

Sources

  • Microsoft Security Blog
  • Kodem TeamPCP timeline

IOCs

Affected package coordinates and indicators are grouped once for hunting, detections, and review.

GitHub Actions affected coordinates 
uses: aquasecurity/trivy-action, aquasecurity/setup-trivy@March 2026 compromised release window
Affected Artifacts affected coordinates 
trivy 0.69.4
trivy 0.69.5
trivy 0.69.6
domain 
audit.checkmarx.cx
models.litellm.cloud
plug-tab-protective-relay.trycloudflare.com
scan.aquasecurtiy.org
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
ip 
45.148.10.212
94.154.172.43
path 
/tmp/runner_collected_
string 
tpcp.tar.gz
user-agent 
libredtail-http

Detection Content

Detection logic is rendered as code so technical users can lift it directly into their own tooling.

Trivy infrastructure hunt · bash 
rg -n "scan.aquasecurtiy.org|45.148.10.212|94.154.172.43|tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io|models.litellm.cloud|plug-tab-protective-relay.trycloudflare.com|audit.checkmarx.cx|tpcp.tar.gz|/tmp/runner_collected_|libredtail-http" /var/log "$WORKSPACE"
Trivy version and workflow hunt · bash 
rg -n "trivy@0.69.4|trivy@0.69.5|trivy@0.69.6|aquasecurity/trivy-action|aquasecurity/setup-trivy" .github/workflows package-lock.json

Timeline

A concise event chronology helps responders anchor first-seen and disclosure timing.

Mar 19, 2026, 12:00 AM discovery

Microsoft documented the Trivy supply chain compromise and published affected versions plus network indicators.

May 9, 2026, 1:25 AM campaign-linkage

Later research tied Trivy into the broader TeamPCP campaign timeline spanning additional tooling compromises.

Sources

Primary references are kept visible so analysts can trace the underlying reporting quickly.

Kodem - TeamPCP campaign timeline May 9, 2026, 1:25 AM

Independent campaign timeline linking Trivy with subsequent TeamPCP tooling compromises.

 Microsoft Security Blog - Trivy supply chain compromise Mar 25, 2026, 12:00 AM

Primary vendor reporting with affected versions, infrastructure, and hunting guidance.