CVE-2026-33634: Remote Supply Chain Compromise in Trivy Ecosystem via Non-Atomic Secret Rotation

The Aqua Security Trivy ecosystem suffered a severe supply chain compromise, identified as CVE-2026-33634 and categorized under CWE-506 (Embedded Malicious Code). The affected components include the core aquasecurity/trivy container image scanner, the aquasecurity/trivy-action GitHub Action, and the aquasecurity/setup-trivy utility. The vulnerability exposes downstream users to arbitrary malicious code execution within the context of their continuous integration and continuous deployment (CI/CD) pipelines.

The attack surface encompasses the automated build and release infrastructure utilized by Aqua Security. The threat actor, identified as TeamPCP, successfully infiltrated this pipeline to inject an infostealer payload into official artifacts. This malicious code operates transparently during standard vulnerability scanning operations, executing alongside the legitimate scanning engine without disrupting normal exit codes or standard output.

The primary attack mechanism relies on a sophisticated infostealer designed specifically for ephemeral GitHub Actions runner environments. Upon execution, the payload locates the parent runner process and performs a full memory space dump. This technique actively bypasses the native secret masking provided by the GitHub Actions runner, as the masking relies on scrubbing standard output streams rather than securing process memory.

The scope of the compromise is extensive, affecting 76 out of 77 version tags in the trivy-action repository and all mutable tags in the setup-trivy repository. The attacker utilized forced Git pushes to overwrite existing version tags, ensuring that any workflow referencing floating tags (e.g., @v0.34.2 or @master) automatically pulled the malicious artifacts during subsequent pipeline executions.

The initial vector for the compromise was the theft of high-privileged CI/CD credentials, specifically targeting GitHub Personal Access Tokens and Docker Hub authentication tokens. Aqua Security detected this initial breach in late February 2026 and initiated a standard incident response procedure, which included the rotation of the compromised cryptographic material.

The critical operational failure occurred during the secret rotation process. The rotation was executed in a non-atomic sequence, creating a defined time window where both the legacy compromised tokens and the newly generated tokens remained functionally valid. The threat actor utilized a still-active legacy token to query the CI/CD configuration and exfiltrate the newly established secrets, effectively resetting the incident response effort and maintaining persistent access.

With persistent authentication secured, the attacker exploited a specific Cross-Fork Object Reference (CFOR) behavior within the go-git library. This weakness allowed the attacker to reference Git objects residing in an attacker-controlled fork as if they were natively present in the upstream repository's commit history. The CI/CD pipeline, relying on go-git, pulled these imposter commits during the build sequence.

The culmination of the root cause chain was the unauthorized modification of Git reference tags. By leveraging the stolen, highly-privileged tokens, the attacker executed force-pushes against the aquasecurity/trivy-action and setup-trivy repositories. This action repointed stable release tags to the previously injected imposter commits, seamlessly delivering the malicious payload to downstream consumers without requiring them to update their dependency configurations.

The attacker achieved code execution by replacing the legitimate Trivy binary download logic within the setup actions with a modified routine fetching the compromised payload. Analysis of the affected setup-trivy action reveals the forced update mechanism that bypasses standard checksum verification.

The workflow modification intercepts the binary acquisition phase. Below is a comparison demonstrating the security failure when utilizing mutable tags versus immutable cryptographic hashes. The compromised repositories relied on mutable tags, allowing the attacker to silently replace the underlying execution logic.

# VULNERABLE CONFIGURATION (Relies on mutable tags)
steps:
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
 
# SECURE CONFIGURATION (Cryptographic pinning)
steps:
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f233cd0d7135 # v0.35.0
    with:
      image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'

The malicious binary utilizes low-level system calls to access the memory space of the GitHub Actions runner. Specifically, it targets the .NET runtime environment of the Runner.Worker process. By reading /proc/<pid>/mem, the malware extracts the heap space where the runtime allocates strings representing the environment variables.

The extraction routine implements a signature scanning algorithm against the extracted memory pages. It searches for predefined byte sequences corresponding to standard secret formats, such as ghp_ for GitHub tokens and AKIA for AWS access keys. Once a match occurs, the continuous memory block is parsed, buffered, and packaged for the exfiltration phase.

The embedded malware activates synchronously during the initialization of the Trivy binary (v0.69.4) within a victim's CI/CD runner environment. It operates entirely in memory and specifically targets the Runner.Worker process, which acts as the core execution engine for GitHub Actions workflows. The attacker requires no direct inbound network access; the execution is triggered solely by the victim's automated pipeline schedules.

The malware executes a direct memory dump of the Runner.Worker process to bypass the standard environment variable masking features provided by GitHub. Because the worker process requires plain-text access to secrets to inject them into the execution context of individual steps, these secrets remain unencrypted within the process heap. The malware reads these memory regions and extracts the values before they are passed to the standard output stream where masking would occur.

Extracted data includes the core GITHUB_TOKEN, cloud provider authentication keys (AWS, Azure, GCP), and user-defined environment variables such as deployment credentials or database passwords. The malware compresses these secrets into an archive format and prepares a secure outbound connection.

Exfiltration occurs via a primary command-and-control (C2) channel directing HTTP POST requests to a typosquatted domain (scan.aquasecurtiy.org). If the victim's network perimeter restricts outbound DNS resolution or blocks the primary domain, the malware activates a fallback protocol. It utilizes the stolen GITHUB_TOKEN to execute API calls against the victim's GitHub organization, generating public repositories prefixed with tpcp-docs-. The stolen secrets are subsequently embedded within the repository descriptions or committed as compressed archives, ensuring the attacker can retrieve the data asynchronously.

The successful execution of this supply chain attack results in the complete compromise of cryptographic material exposed to the affected CI/CD environments. Organizations executing the compromised Trivy versions inadvertently leak all secrets accessible to the workflow runner, fundamentally breaching the confidentiality of their deployment infrastructure.

The exfiltration of cloud provider authentication keys provides the threat actor with the necessary privileges to pivot from the CI/CD environment directly into the victim's production infrastructure. This escalation path enables unauthorized data access, the hijacking of compute resources for cryptomining, and lateral movement into adjacent corporate networks.

The secondary fallback exfiltration mechanism introduces a severe public exposure risk. By programmatically generating public repositories containing the stolen secrets, the malware makes highly sensitive credentials accessible to any third party actively monitoring the GitHub platform. This behavior significantly amplifies the impact, expanding the threat landscape beyond the initial TeamPCP actors.

The malware additionally exhibits distinct worm-like capabilities by attempting to modify other workflow configuration files within the compromised organization. By programmatically updating disparate workflows to utilize the malicious Trivy actions, the payload ensures continuous propagation and persistent secret extraction across the entirety of the victim's software portfolio.

Immediate remediation dictates the comprehensive removal of all affected Trivy artifacts from local developer caches and internal organizational container registries. Systems administrators must explicitly purge Trivy version 0.69.4 and update all workflow configuration files to utilize verified, safe versions. Safe iterations include the legacy 0.69.2 and 0.69.3 versions, or the comprehensively patched 0.35.0 action release.

All cryptographic secrets accessible to GitHub Actions workflows that executed between March 19 and March 21, 2026, must be classified as compromised. Security operations teams must execute an immediate, atomic rotation of all exposed cloud credentials, SSH private keys, and service account tokens. The rotation event must invalidate previous tokens simultaneously to prevent the non-atomic rotation vulnerability exploited by the threat actor.

Organizations must implement strict, immutable commit pinning for all third-party GitHub Actions dependencies. Security teams must replace mutable version tags with full 40-character SHA-256 commit hashes. This structural change prevents upstream repository tag manipulation from compromising the local build process, ensuring cryptographic verification of the executed action.

To systematically mitigate the risk of memory-resident secret extraction, infrastructure teams must transition to OpenID Connect (OIDC) for cloud provider authentication. OIDC workflows eliminate the requirement for long-lived static secrets within the runner environment, replacing them with short-lived, dynamically generated tokens that significantly reduce the utility of process memory dumping attacks.