A criminal group weaponized the most popular open-source vulnerability scanner, and every trust signal said the infrastructure was safe.
On March 19, 2026, thousands of CI/CD pipelines ran their routine Trivy security scans and got back clean results. The scanner worked exactly as expected, which is precisely what made the attack so effective. While returning normal output, it was simultaneously harvesting every secret those pipelines could access: cloud credentials, SSH keys, Kubernetes tokens, and GitHub personal access tokens.
The attackers were TeamPCP, a criminal operation that had found something more valuable than a zero-day: access to a tool that organizations run with elevated privileges by design. They force-pushed 76 of 77 version tags in Trivy’s GitHub Action to point at malicious commits, published an infected binary through Trivy’s own release automation, and exfiltrated stolen credentials through the victims’ own GitHub accounts. Workflows appeared to complete successfully because, from every signal security teams rely on, there was nothing to flag.
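The tag force-push described above works because a workflow that references an action by version tag runs whatever commit that tag currently points to. The following check is an added example, not code from the original article or from the Trivy project: it flags every `uses:` reference in a workflow that is not pinned to a full commit SHA or image digest. The action name `example-org/scanner-action`, the image name and the SHA in the sample are constructed placeholders.

```python
import re

# A "uses:" value at step level ("- uses: x") or job level (reusable workflow).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify_ref(uses):
    """Classify a uses: value as 'local', 'pinned' or 'mutable'."""
    if uses.startswith("./"):
        return "local"                      # code from the same repository
    if uses.startswith("docker://"):
        # Only an image digest is immutable; ":latest" or ":1.2" can be re-pushed.
        return "pinned" if "@sha256:" in uses else "mutable"
    _, sep, ref = uses.partition("@")
    # Tags and branches can be moved to another commit; a full commit SHA cannot.
    if sep and FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    return "mutable"

def audit_workflow(text):
    """Return (line_number, reference) for every mutable reference in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)         # commented-out lines never match
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings

# Constructed sample workflow; names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0.1.0   # version tag
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://example/scanner:latest
      # - uses: example-org/commented-out@main
"""

if __name__ == "__main__":
    for lineno, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA or image digest")
```

A pinned SHA only fixes which commit runs; the commit itself still has to be reviewed whenever the pin is updated.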
Within a week, the campaign had cascaded to Checkmarx, litellm on PyPI, and 47+ npm packages, each compromised credential opening the door to the next target. The assigned CVE scored 9.4, and Arctic Wolf estimated that at least 1,000 enterprise SaaS environments were affected. The technical forensics have since been well documented by Microsoft, CrowdStrike, Wiz, and Palo Alto Networks, each focused on the CI/CD implications. What has received less attention is what the attack reveals about a broader and accelerating erosion of infrastructure trust.
The LOTS pattern reaches security tooling
The Trivy attack is the Living Off Trusted Sites pattern applied to the software supply chain. Every component of the campaign leveraged infrastructure that organizations already trust, and the exfiltration was indistinguishable from legitimate developer activity. GitHub Actions distributed the malicious payloads through the same mechanisms as legitimate software updates. Docker Hub served compromised images alongside clean ones. Stolen credentials were staged in public repositories on the victims’ own GitHub accounts, where the traffic blended seamlessly into routine operations.
What makes this worth examining beyond the CI/CD context is that it isn’t an isolated development. It’s the same structural shift playing out across an expanding set of domains, and it’s accelerating. In phishing, attackers have moved from suspicious registrars to GitHub Pages and Cloudflare Workers, exploiting platforms that appear on corporate allow-lists by default. In credential harvesting, they’ve moved to npm CDN-hosted phishing that leverages package registries as delivery infrastructure. In social engineering, ClickFix attacks use gated delivery on compromised legitimate sites to create malicious content that scanners literally cannot see. The pattern across all of these is consistent: attackers don’t build parallel infrastructure; they operate within the infrastructure organizations already trust, because that trust is the vulnerability being exploited.
Trivy extends this logic to the tools organizations use to verify their own security posture, which represents a meaningful escalation. The domain reputation model that once served as a first-line defense has been failing against trusted-platform abuse for years, but the assumption was that the erosion would remain confined to domains, hosting, and CDNs. It hasn’t.
The sophistication of the campaign reinforces another finding from the phishing kit ecosystem: when attack techniques become products, the population of potential operators expands rapidly. TeamPCP’s CanisterWorm, the self-propagating component that hit npm, was by multiple researchers’ assessments “vibe-coded” using AI tools. The worm made no attempt to conceal its functionality, and it didn’t need to, because the delivery mechanism did the concealment work. A compromised trusted package is its own disguise. The sophistication of modern supply chain attacks lies less in the malware itself and more in the strategic choice of where to place it.
One credential, one campaign
The entire Trivy campaign traces back to a single incomplete credential rotation, which is perhaps the most operationally important detail in the story. After an earlier breach in February, Aqua Security did everything the playbook calls for: disclose, rotate credentials, rebuild. But the rotation missed at least one valid access path, and TeamPCP used that residual access to stage everything that followed. As Palo Alto Networks’ analysis noted, “Incomplete containment is a recurring issue in incident response. When breaches are not fully addressed, they create the conditions for the next attack.”
The dynamic will be familiar to anyone tracking brand impersonation. The credential economy that enables impersonation at scale operates on the same principle: one compromised credential cascading through interconnected systems until it reaches something valuable. The ShinyHunters campaign that breached Match Group, Harvard, and SoundCloud earlier this year followed exactly this logic, starting with a single SSO credential obtained through social engineering and pivoting through every connected system it could reach. Whether the credential belongs to a developer’s service account or an employee’s Okta login, the cascade follows the same pattern, and remediation that stops at “credentials rotated” without validating that every access path has been severed is not remediation so much as a temporary pause.
The Bottom Line
For brand protection and digital risk, the lesson from Trivy is the same one that LOTS attacks, ClickFix, and npm-hosted phishing have been teaching for the past two years: infrastructure trust is not a security signal. The platforms are legitimate. The intent is not. And detection strategies that can’t distinguish between the two will continue to fail against attackers who have learned to operate entirely within the boundaries of the systems we’ve been conditioned to trust.
Key Takeaways
- Trivy, the most widely adopted open-source vulnerability scanner, was compromised by TeamPCP and weaponized to steal CI/CD credentials from thousands of pipelines while scans appeared to complete normally.
- The attack cascaded within one week to Checkmarx, litellm, and 47+ npm packages, with each compromised credential enabling the next stage.
- The campaign demonstrates the Living Off Trusted Sites pattern applied to developer infrastructure: every component operated within platforms organizations already trust.
- Incomplete credential rotation after an earlier breach gave attackers the residual access that made the entire campaign possible.



