Markets
Trivy GitHub Action Compromised Twice in March — 10,000 CI/CD Workflows Hit, Credentials Exfiltrated Across AWS/GCP/Azure
On March 19, attacker 'TeamPCP' compromised the trivy-action GitHub Action for the second time in March, force-pushing 75 of 76 tags with malicious binaries that exfiltrated AWS, GCP, and Azure credentials, SSH keys, and Kubernetes tokens from CI/CD pipelines. Root cause was incomplete credential rotation after the March 1 incident. Approximately 10,000 GitHub workflows referenced the compromised action. A Datadog DevSecOps report revealed 71% of organizations never pin GitHub Actions to commit hashes. For builders: this supply chain vulnerability is exactly what the new RSAC AI security products are racing to address.
Source
↳ Follow the thread