Breaches · HIGH

Trivy Breach - Infostealer Malware Distributed via GitHub

Source: BleepingComputer
Tags: Trivy, TeamPCP, GitHub Actions, infostealer, supply chain attack

Basically, hackers used a trusted tool to spread malware that steals passwords.

Quick Summary

A supply-chain attack compromised the Trivy vulnerability scanner, distributing infostealer malware via GitHub Actions. Developers using affected versions are at risk. Immediate action is required to secure environments and rotate credentials.

What Happened

In a significant breach, the Trivy vulnerability scanner was compromised by a group known as TeamPCP. This supply-chain attack involved distributing credential-stealing malware through both official releases and GitHub Actions. Trivy, widely used by developers and security teams to identify vulnerabilities, became a high-value target for attackers aiming to steal sensitive authentication secrets.

The breach was first reported by security researcher Paul McCarty, who identified that version 0.69.4 of Trivy had been backdoored. Malicious container images and GitHub releases were published, affecting multiple GitHub Actions and nearly all version tags of the trivy-action repository. The attackers used compromised credentials to replace the legitimate build scripts with malicious versions, allowing the malware to execute undetected.

Who's Affected

The attack impacts a broad range of developers and organizations that rely on Trivy for security scanning. Given Trivy's popularity, the potential exposure of sensitive data is extensive. The compromised version was available for approximately three hours, but the malicious GitHub Action tags remained active for up to 12 hours, increasing the risk of widespread exploitation.

Organizations that utilized affected versions during this window should treat their environments as fully compromised. This includes those who integrated Trivy into their CI/CD pipelines, as the malware could automatically execute during legitimate scans, making detection challenging.

What Data Was Exposed

The infostealer malware collected a variety of sensitive information, including:

  • SSH keys and configurations
  • Cloud credentials for platforms like AWS, GCP, and Azure
  • Database credentials for systems like PostgreSQL and MySQL
  • Environment files containing sensitive tokens
  • Webhooks for services like Slack and Discord

Additionally, the malware scanned memory regions for secrets and harvested data from local files on developer machines. The stolen data was encrypted and exfiltrated to a command-and-control server, or uploaded to a public repository in the victim's GitHub account if exfiltration failed.

What You Should Do

Organizations should take immediate action to mitigate the impact of this breach. Here are key steps to follow:

  • Rotate all secrets: Change cloud credentials, SSH keys, API tokens, and database passwords.
  • Analyze systems: Conduct thorough investigations to identify any further compromises.
  • Monitor for suspicious activity: Keep an eye on GitHub accounts for unauthorized repositories or changes.
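As an added illustration of the "analyze systems" step (not code from the article or from the Trivy project): a small Python audit that reads GitHub Actions workflow text and flags every trivy-action step that resolves through a mutable tag or branch instead of a full 40-character commit SHA, since mutable version tags were exactly what was repointed in this incident. The workflow content and its tag names are constructed samples.

```python
import re

# Constructed sample workflow (not from the article or the project): a mix of
# tag-pinned, branch-pinned and SHA-pinned trivy-action references.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy (mutable tag, constructed value)
        uses: aquasecurity/trivy-action@0.28.0
      - name: Trivy (branch reference)
        uses: aquasecurity/trivy-action@master
      - name: Trivy (immutable SHA, constructed value)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

# Matches a `uses:` step and captures "owner/repo@ref" (stops at whitespace or a comment).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full Git commit SHA: 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(text):
    """Return (line_no, action, ref) for every `uses:` step in the workflow text."""
    steps = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, _, ref = m.group(1).partition("@")
            steps.append((line_no, action, ref))
    return steps


def is_immutable_ref(ref):
    """True only when the ref is a full commit SHA; tags and branches can be moved."""
    return bool(SHA_RE.match(ref))


def audit(text, action_name="aquasecurity/trivy-action"):
    """List (line_no, ref) for trivy-action steps not pinned to a commit SHA."""
    return [(line_no, ref) for line_no, action, ref in parse_uses(text)
            if action == action_name and not is_immutable_ref(ref)]


if __name__ == "__main__":
    for line_no, ref in audit(SAMPLE_WORKFLOW):
        print(f"line {line_no}: trivy-action pinned to mutable ref '{ref}'")
```

Run it over each workflow file under `.github/workflows/`; any hit identifies a step whose code could have changed underneath you during the exposure window and whose job secrets should be rotated.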

Aqua Security, the company behind Trivy, acknowledged the incident and noted that the attack was a follow-up to a previous breach where credentials were exfiltrated but not adequately contained. This emphasizes the importance of robust security practices in managing credentials and responding to breaches effectively.

🔒 Pro insight: This incident underscores the critical need for robust supply-chain security measures, particularly in open-source projects that rely on community contributions.

Original article from BleepingComputer · Lawrence Abrams

