step-security · Crawled Jul 5, 2026

10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions

2 IoCs · 1 actor · 1 CVE

AI Summary

In March 2026, the threat actor TeamPCP compromised 76 version tags of the aquasecurity/trivy-action GitHub Action so that workflows resolving those tags pulled in a credential stealer. Because the action runs with the privileges of the invoking workflow, the stealer was able to read secrets out of process memory and exfiltrate them to an attacker-controlled domain. The same actor targeted other ecosystems, including the PyPI packages litellm and telnyx, and had previously compromised the Checkmarx KICS GitHub Action with similar tactics. These incidents are part of a broader trend of supply-chain attacks on CI/CD pipelines aimed at credentials and cloud tokens; the use of typosquatted domains and memory scraping in this campaign underscores the need for layered defenses in GitHub Actions environments.

AI-extracted · verify before operational use

Extracted Entities (2 found)

Indicators of Compromise (2 extracted)

Type     Value
Domain   scan.aquasecurtiy.org
IP       45.148.10.212

The domain is a typosquat of aquasecurity.org (note the transposed "ti"); the page gives no further detail for the IP.
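Two of the defensive layers the summary points at can be checked mechanically: whether a workflow references third-party actions by a mutable tag (the thing TeamPCP compromised) rather than a full commit SHA, and whether runner egress touched the indicators above. The script below is an added example, not StepSecurity's tooling or code from the original post. The workflow text and the egress log lines are constructed samples (the 40-hex-character SHA and the `0.28.0` tag are illustrative, not a claim about which real commits or tags were affected), and the `uses:` parsing is a deliberately dependency-free regex rather than a full YAML parser.

```python
import re

# Indicators of compromise as listed on the page.
IOC_DOMAINS = {"scan.aquasecurtiy.org"}
IOC_IPS = {"45.148.10.212"}

# Matches "uses: owner/repo@ref" whether or not the line starts a list item;
# stops at whitespace or a trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (action, reason) for every 'uses:' reference that is not pinned
    to a full 40-hex commit SHA. A tag or branch can be re-pointed by whoever
    controls the repository; a commit SHA cannot."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1).strip("'\"")
        # Local actions and docker:// references have no repository tag to repoint.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((ref, "no ref (defaults to the default branch)"))
            continue
        action, version = ref.rsplit("@", 1)
        if FULL_SHA_RE.match(version):
            continue
        findings.append((action, f"mutable ref '{version}'"))
    return findings


def scan_egress(log_lines):
    """Return (indicator, line) for every log line mentioning a listed IoC.
    IP matching is bounded so 145.148.10.212 does not match 45.148.10.212."""
    hits = []
    for line in log_lines:
        for domain in IOC_DOMAINS:
            if domain in line:
                hits.append((domain, line))
        for ip in IOC_IPS:
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append((ip, line))
    return hits


# Constructed sample workflow: one SHA-pinned step, one tag-pinned trivy-action
# step, one local action and one reference with no version at all.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Trivy
        uses: aquasecurity/trivy-action@0.28.0  # mutable tag
      - uses: ./.github/actions/local
      - uses: some/action
"""

# Constructed runner egress log; only the first two lines touch a listed IoC.
SAMPLE_EGRESS = [
    "2026-03-20T10:01:02Z DNS query scan.aquasecurtiy.org A",
    "2026-03-20T10:01:03Z CONNECT 45.148.10.212:443",
    "2026-03-20T10:01:04Z DNS query api.github.com A",
    "2026-03-20T10:01:05Z CONNECT 145.148.10.212:443",
]

if __name__ == "__main__":
    for action, reason in audit_uses(SAMPLE_WORKFLOW):
        print(f"UNPINNED {action}: {reason}")
    for indicator, line in scan_egress(SAMPLE_EGRESS):
        print(f"IOC HIT  {indicator}: {line}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `audit_uses`; anything it reports is a reference an upstream tag compromise could silently redirect. The egress check is only as good as the runner's network logging, which is why the summary's "layered" framing matters: SHA pinning narrows what can change, egress monitoring catches what slips through.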

MITRE ATT&CK TTPs 4 techniques