CVE-2026-33634: Trivy Supply Chain Attack

Threat group TeamPCP trojanised the most widely-used cloud-native security scanner — turning every CI/CD pipeline running Trivy into a credential harvester that silently exfiltrated AWS keys, Kubernetes tokens, and SSH keys while appearing to scan normally.

Overview

On 19 March 2026, threat group TeamPCP used compromised Aqua Security credentials to inject malware into Trivy — the most widely adopted open-source container and cloud security scanner in the cloud-native ecosystem. The attack was a textbook supply chain compromise: by poisoning the scanner itself, every CI/CD pipeline that ran Trivy became an unwitting infostealer, silently harvesting cloud credentials and secrets before the legitimate scan output was returned.

CISA added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog on 26 March 2026. CERT-EU subsequently attributed a data breach affecting europa.eu infrastructure to this compromise.

What is Trivy?

Trivy is Aqua Security's open-source vulnerability scanner, designed to detect CVEs in container images, filesystems, Git repositories, Kubernetes clusters, and IaC configurations. It is the de-facto standard scanner in cloud-native CI/CD pipelines — integrated into GitHub Actions, GitLab CI, CircleCI, and Kubernetes admission controllers across thousands of organisations. Its privileged position in the pipeline, with broad read access to build environments and often injected secrets, made it an exceptionally high-value supply chain target.

Attack Timeline

Late February 2026 — Initial Foothold

Attackers exploited a misconfiguration in Trivy's GitHub Actions environment to extract a privileged personal access token from the CI environment. This gave them write access to the aquasecurity/trivy, aquasecurity/trivy-action, and aquasecurity/setup-trivy repositories.

1 March 2026 — Partial Disclosure and Incomplete Rotation

Aqua Security disclosed the initial incident and performed credential rotation. However, post-incident investigation revealed the rotation was not comprehensive — the threat actor retained residual access through at least one still-valid credential path.

19 March 2026 — Malicious Release

TeamPCP executed the primary payload delivery:

Published a malicious Trivy v0.69.4 binary release via the compromised pipeline.
Force-pushed 76 of 77 version tags in aquasecurity/trivy-action to malicious commits containing the infostealer payload.
Replaced all 7 tags in aquasecurity/setup-trivy with malicious commits.

The malicious tag was pushed at approximately 17:43 UTC. Pipelines worldwide began executing the infostealer within minutes of their next scheduled run.

22 March 2026 — DockerHub Poisoning

Using the same access, TeamPCP published malicious Trivy v0.69.5 and v0.69.6 Docker images to DockerHub, extending the reach to pipelines that pulled Trivy as a container rather than via GitHub Actions.

The Payload

The infostealer was designed specifically for CI/CD environments. It executed before the legitimate Trivy scanning logic, ensuring the pipeline appeared to complete normally while data was exfiltrated in the background. Targeted secrets included:

Cloud provider credentials — AWS (~/.aws/credentials, environment variables), GCP service account keys, Azure credentials
Kubernetes service account tokens and kubeconfig files
Docker configuration files (~/.docker/config.json), including registry credentials
SSH private keys
Git credentials and .netrc files
GitHub Actions GITHUB_TOKEN and any secrets injected into the pipeline environment

In containerised environments the payload also attempted to spread via Docker socket access — spawning child containers with worm-like behaviour and, in Kubernetes clusters, executing a wiper that deleted persistent volumes. The combination of credential harvesting, lateral movement, and destructive capability made this one of the most impactful supply chain attacks since SolarWinds.

Blast Radius

The scope of potential impact is difficult to overstate. Trivy is embedded in CI/CD pipelines across industries — fintech, healthcare, government, and critical infrastructure. Any organisation whose pipeline ran a uses: aquasecurity/trivy-action@* step between 19–22 March 2026 without pinning to a specific safe commit SHA should treat their build environment as fully compromised.

ownCloud published a security advisory confirming their build infrastructure was affected. CERT-EU attributed a breach of europa.eu infrastructure directly to this compromise.

Safe Versions

Trivy binary: v0.69.3 or earlier (safe), v0.69.7 or later (clean re-release)
trivy-action: pin to commit 57a97c7 (v0.35.0) or use v0.36.0+ once released
setup-trivy: pin to commit 3fb12ec (v0.2.6) or use v0.2.7+ once released

Remediation

Rotate all secrets immediately if your pipeline ran trivy-action or setup-trivy between 19–22 March 2026 — treat every cloud credential, API key, and token accessible from the build environment as compromised.
Audit pipeline logs for outbound network connections made during Trivy steps to unexpected destinations.
Pin all GitHub Actions to commit SHAs, not tags or version strings. Tags can be force-pushed; commit SHAs are immutable. Use uses: aquasecurity/trivy-action@57a97c7 not @v0.35.0.
Review Kubernetes clusters for unexpected pod deletions, PVC wipes, or new workloads created in the window of compromise.
Implement secret scanning on your CI outputs and rotate any secrets that appear in build logs.
Verify Docker images by digest rather than tag — aquasecurity/trivy@sha256:<digest> rather than aquasecurity/trivy:0.69.x.

Detection Guidance

Unexpected DNS lookups or HTTP requests from build agents to external IP addresses during Trivy scan steps.
Exfiltration of ~/.aws/, ~/.kube/, or ~/.docker/ contents — look for file reads of these paths followed by outbound network activity.
New containers spawned from within pipeline containers via Docker socket access.
Kubernetes audit logs showing pod deletions or PVC destroy events not initiated by known operators.
Cloud provider API calls from unusual source IPs shortly after a pipeline run — a sign harvested credentials were put to use.

Takeaways

This attack illustrates why CI/CD pipelines are among the most dangerous points of trust in a modern software supply chain. A security tool — specifically a tool whose job is to find vulnerabilities — was itself weaponised to harvest the very credentials it was trusted to protect. The irony is operationally significant: pipelines running Trivy for security compliance were the ones most reliably infected.

The core defensive lesson is simple and long-established: never reference a mutable pointer (tag, branch, version string) in a CI/CD dependency. Pin to commit SHAs, verify signatures where available, and treat your build environment with the same adversarial suspicion you would apply to a production system. It holds secrets, has network access, and increasingly — as this incident proved — it is a primary target.