Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
A sophisticated supply chain attack compromised the official Trivy GitHub Action (aquasecurity/trivy-action) by force-pushing 75 version tags to malicious commits. The injected infostealer harvests sensitive CI/CD secrets from runner memory and filesystems, exfiltrating them to a typosquat domain or a fallback GitHub repository.
Authors: Paul McCarty
Source: Socket
- Domain: scan[.]aquasecurtiy[.]org - Typosquat C2 domain used as the primary exfiltration endpoint for stolen secrets.
- SHA256: 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a - Hash of the malicious entrypoint.sh payload injected into the GitHub Action.
Key Takeaways
- An attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository to serve a malicious infostealer payload.
- The malware extracts CI/CD secrets from runner process memory and filesystems, targeting AWS, GCP, Azure, Kubernetes, and SSH keys.
- The attack was enabled by residual access from an earlier credential compromise in March, allowing authenticated force-pushes without exploiting GitHub.
- Exfiltration occurs via a typosquat domain (scan[.]aquasecurtiy[.]org) or a fallback mechanism that creates a public GitHub repository named 'tpcp-docs' using the victim's token.
- Only tag 0.35.0 and commit SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 are safe; all other tags must be considered compromised.
Affected Systems
- GitHub Actions runners (Linux, macOS, self-hosted)
- CI/CD pipelines referencing aquasecurity/trivy-action by version tags prior to 0.35.0
Attack Chain
The attacker used compromised credentials to force-push 75 version tags of the aquasecurity/trivy-action repository to malicious commits. When a CI/CD pipeline runs a compromised tag, a malicious entrypoint.sh script executes first, scraping environment variables and dumping runner process memory to steal secrets. The stolen data is encrypted using AES-256-CBC and RSA-4096, then exfiltrated via an HTTPS POST to a typosquat domain. If the primary exfiltration fails, the malware uses the victim's GitHub token to create a public repository named 'tpcp-docs' and uploads the encrypted data as a release asset.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but lists actionable IOCs including file hashes, C2 domains, and IPs for custom rule creation.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR on self-hosted runners would detect anomalous sudo usage, memory dumping (/proc/<pid>/mem), and extensive file reads by entrypoint.sh. However, GitHub-hosted runners typically lack customer EDR visibility.
- Network Visibility: High — Outbound connections to the typosquat domain or specific IP with the custom header 'X-Filename: tpcp.tar.gz' are highly visible in network logs.
- Detection Difficulty: Moderate — While network IOCs are clear, execution happens within ephemeral CI/CD runners where logging might be limited. The GitHub fallback exfiltration blends in with normal API traffic.
Required Log Sources
- Network Flow Logs
- DNS Logs
- GitHub Audit Logs
- Process Execution Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for outbound network connections from CI/CD runners to typosquat domains resembling aquasecurity. | DNS Logs, Network Flow Logs | Exfiltration | Low |
| Search GitHub Audit Logs for the creation of public repositories named 'tpcp-docs' by automated tokens. | GitHub Audit Logs | Exfiltration | Low |
| Monitor for processes accessing /proc/<pid>/mem or /proc/<pid>/environ on CI/CD runner instances. | Process Execution Logs, File Access Logs | Credential Access | Medium |
| Identify GitHub Actions workflows referencing aquasecurity/trivy-action versions other than 0.35.0 or the safe commit SHA. | CI/CD Pipeline Configurations | Execution | Low |
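The last hypothesis can be checked mechanically. The following added example (not from the Socket article or the Trivy project) scans workflow text for `uses:` step references, flags any aquasecurity/trivy-action reference other than the safe commit SHA or tag 0.35.0 as compromised, and also reports any other action pinned to a mutable tag or branch; the sample workflow is constructed.

```python
import re
from dataclasses import dataclass

# Safe references from the advisory; every other ref for this action is treated as poisoned.
TRIVY_ACTION = "aquasecurity/trivy-action"
SAFE_TRIVY_SHA = "57a97c7e7821a5776cebc9bb87c984fa69cba8f1"
SAFE_TRIVY_TAG = "0.35.0"

# Matches `uses: owner/repo[/path]@ref` step lines; a 40-hex ref is a full commit SHA.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str
    ref: str
    severity: str
    reason: str


def audit_workflow(text: str) -> list:
    """Return one Finding per risky `uses:` reference in a workflow file's text."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action.startswith(("./", "docker://")):  # local or image refs: no remote tag to poison
            continue
        repo = "/".join(action.split("/")[:2])  # drop any sub-action path
        if repo == TRIVY_ACTION:
            if ref == SAFE_TRIVY_SHA:
                continue
            if ref == SAFE_TRIVY_TAG:
                findings.append(Finding(action, ref, "low", "safe tag; pin to the commit SHA instead"))
            else:
                findings.append(Finding(action, ref, "critical",
                                        "trivy-action ref other than 0.35.0/safe SHA: assume compromised, rotate secrets"))
        elif not SHA_RE.match(ref):
            findings.append(Finding(action, ref, "medium", "action pinned to a mutable tag/branch, not a commit SHA"))
    return findings


# Constructed workflow fragment, not taken from any real repository.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
"""
```

Run `audit_workflow` over every file under `.github/workflows/` in each repository; a "critical" finding means the workflow's secrets should be rotated per the recommendations below.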
Control Gaps
- Lack of EDR visibility on ephemeral GitHub-hosted runners
- Over-permissive GitHub tokens (PATs) exposed to third-party actions
- Blind trust in 'Immutable' release badges on GitHub
Key Behavioral Indicators
- Custom HTTP header 'X-Filename: tpcp.tar.gz'
- Creation of 'tpcp-docs' repository
- Unsigned commits on GitHub tags that were previously signed
- Commits on tags showing '0 commits to master since this release' despite being old versions
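The network and GitHub-side indicators above can be turned into simple matching logic. This added example (not from the article) runs the typosquat domain, C2 IP, `X-Filename: tpcp.tar.gz` header and 'tpcp-docs' repository-creation checks over constructed JSON-lines events; the proxy record fields (`host`, `dst_ip`, `headers`) are an assumed schema, while `action` and `repo` are fields of GitHub audit-log exports.

```python
import json

# Indicators from the advisory; defanged on the page, refanged here only so string matching works.
C2_DOMAIN = "scan.aquasecurtiy.org"
C2_IP = "45.148.10.212"
FALLBACK_REPO = "tpcp-docs"


def check_proxy_event(ev: dict) -> list:
    """Egress proxy record; host/dst_ip/headers is an assumed schema."""
    hits = []
    host = ev.get("host", "").lower()
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        hits.append("typosquat C2 domain")
    if ev.get("dst_ip") == C2_IP:
        hits.append("C2 IP")
    headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}  # header names are case-insensitive
    if headers.get("x-filename") == "tpcp.tar.gz":
        hits.append("X-Filename: tpcp.tar.gz exfil header")
    return hits


def check_github_audit(ev: dict) -> list:
    """GitHub audit-log entry; repo.create of a 'tpcp-docs' repo is the fallback exfil path."""
    if ev.get("action") == "repo.create" and ev.get("repo", "").split("/")[-1] == FALLBACK_REPO:
        return ["fallback exfil repository created"]
    return []


def scan_logs(jsonl: str) -> list:
    """Return (line_number, hits) for every event matching at least one indicator."""
    findings = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        ev = json.loads(line)
        hits = check_github_audit(ev) if ev.get("source") == "github_audit" else check_proxy_event(ev)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events, not real telemetry (IPs other than the IOC are documentation ranges).
SAMPLE_LOGS = """\
{"source":"proxy","host":"api.github.com","dst_ip":"198.51.100.7","headers":{"User-Agent":"curl"}}
{"source":"proxy","host":"scan.aquasecurtiy.org","dst_ip":"45.148.10.212","headers":{"X-Filename":"tpcp.tar.gz"}}
{"source":"proxy","host":"example.org","dst_ip":"203.0.113.10","headers":{}}
{"source":"github_audit","action":"repo.create","actor":"ci-bot","repo":"example-org/tpcp-docs"}
{"source":"github_audit","action":"repo.create","actor":"dev","repo":"example-org/docs"}
"""
```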
False Positive Assessment
- Low. The IOCs provided, such as the typosquat domain, specific file hash, and 'tpcp-docs' repository name, are highly specific to this malicious campaign.
Recommendations
Immediate Mitigation
- Stop using trivy-action by version tag immediately.
- Pin aquasecurity/trivy-action to commit SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 or use tag 0.35.0 exclusively.
- Rotate all secrets (cloud credentials, SSH keys, API tokens, database passwords) accessible to workflows that executed a poisoned tag.
- Block C2 domain scan[.]aquasecurtiy[.]org and IP 45.148.10.212 at the network perimeter.
Infrastructure Hardening
- Enforce the use of commit SHAs instead of version tags for all third-party GitHub Actions.
- Implement least privilege for GITHUB_TOKEN and avoid passing broad Personal Access Tokens (PATs) to actions unless strictly necessary.
User Protection
- Audit GitHub organizations for unauthorized repositories named 'tpcp-docs'.
Security Awareness
- Educate development teams that GitHub's 'Immutable' release badge does not guarantee tag integrity against force-pushes.
- Train engineers to verify commit signatures and metadata when auditing supply chain dependencies.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1078 - Valid Accounts
- T1003 - OS Credential Dumping
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1560.001 - Archive Collected Data: Archive via Utility
- T1048 - Exfiltration Over Alternative Protocol
- T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
Additional IOCs
- IPs:
  - 45[.]148[.]10[.]212 - C2 IP address identified by Trivy maintainers
- Domains:
  - scan[.]aquasecurtiy[.]org - Typosquat C2 domain for exfiltration
- File Hashes:
  - 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a (SHA256) - Malicious entrypoint.sh payload
- File Paths:
  - /tmp/runner_collected_<pid>.txt - Temporary file used to store scraped environment variables and secrets
  - entrypoint.sh - The compromised entrypoint script within the GitHub Action
- Command Lines:
  - Purpose: Extract secrets from runner process memory | Tools: sudo, python, grep | Stage: Collection | Command: sudo python -c ... grep -E '"isSecret":true'
  - Purpose: Encrypt collected data before exfiltration | Tools: openssl | Stage: Encryption | Command: openssl enc
- Other:
  - 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 - The only safe commit SHA for aquasecurity/trivy-action
  - aquasecurity/trivy-action@0.35.0 - The only safe tag version for the action
  - X-Filename: tpcp.tar.gz - Custom HTTP header used during exfiltration