TeamPCP, a threat actor group, executed a sophisticated multi-stage supply chain attack starting with Aqua Security's Trivy vulnerability scanner. By exploiting a GitHub Actions misconfiguration, they stole credentials, trojanized Trivy binaries and actions, and spread malware across npm packages via a self-propagating worm called CanisterWorm. The attack chain compromised CI/CD pipelines across millions of developer environments, stealing cloud credentials, SSH keys, Kubernetes tokens, and more. The group claims to have obtained 300 GB of compressed credentials from projects downloaded over 100 million times monthly. Security experts recommend rotating all credentials, pinning GitHub Actions to commit SHAs instead of tags, and treating security tools as versioned dependencies with checksum verification.

7m read time. From thenewstack.io
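One way to audit for the pinning recommendation above, as an added example that is not from the original article: the script flags every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA (or, for `docker://` references, a `sha256` digest). The workflow text, the action names and the SHA are constructed placeholders.

```python
import re

DIGEST = "a" * 64  # constructed placeholder image digest
# Constructed sample workflow; action names and the SHA are placeholders.
SAMPLE_WORKFLOW = f"""\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: "example-org/scanner-action/sub@main"
      - uses: ./.github/actions/local-lint
      - uses: docker://example.invalid/tool:latest
      - uses: docker://example.invalid/tool@sha256:{DIGEST}
      # - uses: example-org/commented-out@v1
"""

# Matches "uses:" keys (optionally a list item), skipping commented-out lines.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

def classify(ref):
    """Return 'local', 'pinned' or 'mutable' for one uses: reference."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository
    if ref.startswith("docker://"):
        pinned = re.search(r"@sha256:[0-9a-f]{64}$", ref)
        return "pinned" if pinned else "mutable"
    _, sep, rev = ref.rpartition("@")
    # Tags and branches can be moved to new commits; a full commit SHA cannot.
    if sep and re.fullmatch(r"[0-9a-f]{40}", rev):
        return "pinned"
    return "mutable"

def find_mutable_refs(workflow_text):
    """Return (line_number, reference) for every reference that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a commit SHA or digest: {ref}")
```

A pinned SHA only fixes which commit runs; the commit it points at still has to be reviewed before the pin is trusted.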