← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Investigating Two Variants of the Trivy Supply-Chain Compromise
WHITE TeamPCP PetrP.73 2026-04-02 Modified: 2026-05-02
14
IOCs
MEDIUM VOLUME
In March 2026, the TeamPCP threat actor compromised the open-source vulnerability scanner Trivy, deploying credential-harvesting malware through both a compromised GitHub Action and a modified container image. This supply-chain attack directly distributed malicious payloads across various platforms, including Docker Hub and npm packages, over a period of nearly a month. The campaign utilized different attack vectors: one variant involved malicious code inserted into the `http://entrypoint.sh` of the GitHub Action, while the other involved modifications to the Trivy container's ELF binary.
marchtrufflehogcloudtrailminiogithubwatchtoweraction variantpythontrivygithub actionlambdaencryptvirustotalstealerkudelskibeyondtrustteampcp
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (14)
All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL hostname
TYPEINDICATORDESCRIPTIONCREATED
CVE CVE-2025-53521 2026-04-02
CVE CVE-2026-1731 2026-04-02
FileHash-MD5 805c08686e755c063a0bb460bdf9dcc4 MD5 of 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0 2026-04-02
FileHash-MD5 d761a6a7ae9f2254bd81ac234033a8b8 MD5 of 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a 2026-04-02
FileHash-SHA1 4fed54d88f919c675ee2f575f70698a8d3649287 SHA1 of 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a 2026-04-02
FileHash-SHA1 d820fc3440e7eadc575315f9a96a34ae450ec457 SHA1 of 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0 2026-04-02
FileHash-SHA1 e0198fd2b6e1679e36d32933941182d9afa82f6f 2026-04-02
FileHash-SHA256 0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349 2026-04-02
FileHash-SHA256 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a 2026-04-02
FileHash-SHA256 6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538 2026-04-02
FileHash-SHA256 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0 2026-04-02
URL https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/ 2026-04-02
hostname scan.aquasecurtiy.org 2026-04-02
hostname tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 2026-04-02
References (1)
↗ https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise