Category: Uncategorized

  • Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets



    Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets.

    The latest incident impacted the GitHub Actions “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” which are used, respectively, to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner.

    “We identified that an attacker force-pushed 75 out of 76 version tags in the aquasecurity/trivy-action repository, the official GitHub Action for running Trivy vulnerability scans in CI/CD pipelines,” Socket security researcher Philipp Burckhardt said. “These tags were modified to serve a malicious payload, effectively turning trusted version references into a distribution mechanism for an infostealer.”

    The payload executes within GitHub Actions runners and aims to extract valuable developer secrets from CI/CD environments, such as SSH keys, credentials for cloud service providers, databases, Git, Docker configurations, Kubernetes tokens, and cryptocurrency wallets.


    The development marks the second supply chain incident involving Trivy. Towards the end of February and early March 2026, an autonomous bot called hackerbot-claw exploited a “pull_request_target” workflow to steal a Personal Access Token (PAT), which was then weaponized to seize control of the GitHub repository, delete several release versions, and push two malicious versions of its Visual Studio Code (VS Code) extension to Open VSX.

    The first sign of the compromise was flagged by security researcher Paul McCarty after a new compromised release (version 0.69.4) was published to the “aquasecurity/trivy” GitHub repository. The rogue version has since been removed. According to Wiz, version 0.69.4 starts both the legitimate Trivy service and the malicious code responsible for a series of tasks –

    • Conduct data theft by scanning the system for environmental variables and credentials, encrypting the data, and exfiltrating it via an HTTP POST request to scan.aquasecurtiy[.]org.
    • Set up persistence by using a systemd service after confirming that it’s running on a developer machine. The systemd service is configured to run a Python script (“sysmon.py”) that polls an external server to retrieve the payload and execute it. 

    In a statement, Itay Shakury, vice president of open source at Aqua Security, said the attackers abused a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases. In the case of “aquasecurity/trivy-action,” the adversary force-pushed 75 version tags to point to the malicious commits containing the Python infostealer payload without creating a new release or pushing to a branch, as is standard practice. Seven “aquasecurity/setup-trivy” tags were force-pushed in the same manner.

    “So in this case, the attacker didn’t need to exploit Git itself,” Burckhardt told The Hacker News. “They had valid credentials with sufficient privileges to push code and rewrite tags, which is what enabled the tag poisoning we observed. What remains unclear is the exact credential used in this specific step (e.g., a maintainer PAT vs automation token), but the root cause is now understood to be credential compromise carried over from the earlier incident.”

    The security vendor also acknowledged that the latest attack stemmed from incomplete containment of the hackerbot-claw incident. “We rotated secrets and tokens, but the process wasn’t atomic, and attackers may have been privy to refreshed tokens,” Shakury said. “We are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem.”

    The stealer operates in three stages: harvesting environment variables from the runner process memory and the file system, encrypting the data, and exfiltrating it to the attacker-controlled server (“scan.aquasecurtiy[.]org”).

    Should the exfiltration attempt fail, the victim’s own GitHub account is abused to stage the stolen data in a public repository named “tpcp-docs” by making use of the captured INPUT_GITHUB_PAT, an environment variable used in GitHub Actions to pass a GitHub PAT for authentication with the GitHub API.

    It’s currently not known who is behind the attack, although there are signs that the threat actor known as TeamPCP may be behind it. This assessment is based on the fact that the credential harvester self-identifies as “TeamPCP Cloud stealer” in the source code. Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce, and CipherForce, the group is known for acting as a cloud-native cybercrime platform designed to breach modern cloud infrastructure to facilitate data theft and extortion.


    “The credential targets in this payload are consistent with the group’s broader cloud-native theft-and-monetization profile,” Socket said. “The heavy emphasis on Solana validator key pairs and cryptocurrency wallets is less well-documented as a TeamPCP hallmark, though it aligns with the group’s known financial motivations. The self-labeling could be a false flag, but the technical overlap with prior TeamPCP tooling makes genuine attribution plausible.”

    Users are advised to ensure that they are using the latest safe releases –

    “If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury said. Additional mitigation steps include blocking the exfiltration domain and the associated IP address (45.148.10[.]212) at the network level, and checking GitHub accounts for repositories named “tpcp-docs,” which may indicate successful exfiltration via the fallback mechanism.

    “Pin GitHub Actions to full SHA hashes, not version tags,” Wiz researcher Rami McCarthy said. “Version tags can be moved to point at malicious commits, as demonstrated in this attack.”
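The pinning advice above is easy to check mechanically. The following script is an added example, not code from the article or from Aqua Security, Socket or Wiz: it walks the `uses:` lines of a workflow and reports every remote action whose reference is not a full 40-character commit SHA, which is the only form of reference a force-pushed tag cannot move. The sample workflow and the SHA inside it are constructed placeholders.

```python
"""Audit GitHub Actions workflows for `uses:` references that are not pinned
to a full commit SHA. Added example, not code from the article or from Aqua
Security, Socket or Wiz; the sample workflow and the 40-hex SHA in it are
constructed for illustration."""
import re
from pathlib import Path

# A full commit SHA is 40 lowercase hex characters. Anything else (a tag such
# as v1 or 0.28.0, a branch name, a short SHA) is a movable reference that
# whoever controls the repository can re-point, which is exactly what the
# force-pushed tags in this incident did.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref`, with or without a leading list dash/quotes.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"]+)""")

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.0.0
      - uses: "some-org/some-action"
      - uses: ./.github/actions/local-helper
"""


def is_full_sha(ref: str) -> bool:
    return bool(FULL_SHA.match(ref))


def audit_workflow_text(text: str) -> list[dict]:
    """Return one finding per remote action reference in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions (./path) and container images (docker://) are outside
        # the tag-pinning question; skip them.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref or "(default branch)",
            "pinned": is_full_sha(ref),
        })
    return findings


def unpinned(text: str) -> list[dict]:
    return [f for f in audit_workflow_text(text) if not f["pinned"]]


def audit_directory(root: str = ".github/workflows") -> dict[str, list[dict]]:
    """Audit every workflow file under `root`; keys are file paths."""
    results = {}
    for path in sorted(Path(root).glob("*.y*ml")):
        results[str(path)] = unpinned(path.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    for finding in unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['action']}@{finding['ref']} is not SHA-pinned")
```

Run against a real checkout, `audit_directory()` lists every file with movable references; the usual convention when pinning is to keep the human-readable version as a trailing comment, as the `# v4` comment in the sample does, so reviewers can still see what a SHA corresponds to.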

    Update

    The supply chain attack on Trivy appears to have had a cascading impact, with threat actors leveraging the stolen data to compromise several npm packages and push malicious versions containing a self-propagating worm. More details about the activity can be found here.




  • Mamdani Unveils LGBTQ Office as $65 Million Pledge Remains Uncertain




    Last week, New York City Mayor Zohran Mamdani announced the creation of the Office of LGBTQIA+ Affairs, fulfilling a key promise he made to queer and trans New Yorkers on the campaign trail. The office’s appointed director, Taylor Brown, who worked in the Civil Rights Bureau of the New York Attorney General’s Office, becomes the first openly transgender person to lead a New York City office or agency.

    As queer and trans New Yorkers celebrated the announcement, some advocates were left wondering about another major campaign pledge Mamdani made to the community: investing $65 million to protect and expand gender-affirming care.

    On Feb. 17, the Mamdani administration released its $127 billion preliminary budget for fiscal year 2027, but, according to an analysis by Prism, the $65 million funding increase has not been explicitly allocated.

    The mayor’s office did not respond to multiple emails about where the funds are in the budget and how Mamdani planned to fulfill his campaign promise.

    Concerns about whether trans health services would be bolstered in New York come as the U.S. Department of Health and Human Services (HHS) seeks to eliminate all federal funding for youth gender-affirming care. The department has proposed rules that would prevent hospitals that provide treatments such as puberty blockers and hormone therapy for trans youth from receiving Medicare or Medicaid funding, and restrict payments to outpatient providers. While the rules have yet to go into effect, two major hospitals in New York, NYU Langone Health and Mount Sinai, preemptively ended their transgender youth health care programs, leaving many young people and their parents scrambling to continue care.

    Budget experts and sources within city government acknowledged the lack of clarity around whether Mamdani’s budget would increase funding for gender-affirming care. Some said the money could be apportioned under other budget items, or the administration could be waiting to determine the amount after the state budget is finalized.

    Amid the Trump administration’s threats to trans health care, trans advocates told Prism that it’s more important than ever that Mamdani live up to his promises.

    “You are in office because this community showed the hell up to get you in office,” said Ceyenne Doroshow, founder and executive director of GLITS, a Black-led trans advocacy organization, and one of New York’s most prominent trans activists. “Our babies were up at 6 o’clock in the morning getting people to vote, canvassing, fighting to make you mayor. Now we need you to fight to keep us alive.”

    The $65 Million Pledge

    Amid a busy mayoral primary season last spring, Mamdani held a Trans Community Town Hall to share his platform for LGBTQIA+ New Yorkers.

    His platform focused on three pledges: to make New York a “sanctuary city” for queer and trans people, including by expanding protections against the criminalization of gender-affirming care; to create the Office of LGBTQIA+ Affairs to oversee and implement LGBTQIA+ initiatives; and to invest $65 million in public providers for gender-affirming care. According to the platform, $57 million would go to public hospitals, community clinics, federally qualified health centers, and nonprofits that provide gender-affirming care and $8 million to expand telehealth appointments and broader health access programs for trans New Yorkers. The platform also pledged to “hold private entities abetting Trump’s attacks to account.”

    Lorelei Crean, a lead organizer of NYC Youth 4 Trans Rights, sat in the front row at the town hall. Crean had spoken alongside Mamdani at a protest a few months prior, when hospitals first started curtailing gender-affirming care programs for youth under 19 in response to a Trump executive order, which was blocked in court. Crean said he had been denied care at Mount Sinai, and many of his friends were similarly impacted.

    Prior to the town hall, “the last time I’d met Zohran was literally at the rally protesting the removal of gender-affirming care,” Crean recalled. He said it was “really impactful” that the next time they met, Mamdani promised that under his leadership, things would change.

    Mamdani’s $65 million pledge received widespread news coverage. Yet shortly after the city’s preliminary budget was published last month, budget experts and trans advocates, including Doroshow, noticed that there was no mention of gender-affirming care. Prism’s review of the budget found that funds have not been explicitly appropriated for gender-affirming care, and no departments that would typically disburse such funds have been given an increase in funding equivalent to $65 million.

    Members of city government have also noticed a lack of clarity over where the money appears in the budget, including the City Council’s Committee on Health. “We are aware of these discrepancies, and we intend to ask questions about this at the Health Committee’s Preliminary Budget Hearing on March 19th,” Jonathan Boucher, chief of staff for New York City Council Member and health committee Chair Lynn Schulman, said in an email. As part of the budget process, the City Council holds a series of public hearings in March and April to address concerns about the mayor’s preliminary budget.

    When asked to identify whether the funds are in the budget, Malek Al-Shammary, the press secretary of the Independent Budget Office, noted that the Mamdani administration has apportioned some additional funds to the city’s public hospital system and the Department of Health and Mental Hygiene, including several millions toward a “new public health lab” and “comprehensive adolescent care.”

    “Those totals do not add up to $57M/yr,” Al-Shammary said in an email. “With that said, we do not know what the administration’s plans are currently for that specific proposal. Barring more details, there isn’t much else we can share.”

    Al-Shammary added that it’s difficult to know whether the funding is appropriated in the preliminary budget. Instead of being expressly listed, some programs or activities can be subsumed under a broader unit of appropriation: For example, pens would likely be incorporated into a category for general office supplies, Al-Shammary said.

    “It really depends on the Unit of Appropriation and how the budget is structured,” he said.

    The mayor’s office did not respond to Prism’s requests to detail which departments were apportioned the $65 million pledge, the amounts by department, and unit of appropriation.

    Threats to Gender-Affirming Care

    Questions surrounding Mamdani’s campaign pledge to gender-affirming care arise as care for trans youth is under threat nationally.

    In December, the HHS introduced two rules intending to restrict youth access to gender-affirming treatments. The first rule would eliminate all Medicaid and Medicare funding for hospitals that provide gender-affirming care for minors. Hospitals that continue to offer such care would be barred from billing Medicaid or Medicare for any patient — essentially forcing hospitals to choose between providing gender-affirming care and remaining solvent.

    The second rule applies to non-hospital medical settings and would eliminate federal Medicaid payments for youth gender-affirming care. If this rule comes into effect, states would no longer be able to split the cost of puberty blockers and other treatments with the federal government, and would instead be forced to cover the total cost of care, as is already the case for abortion care.

    The public comment period for the proposed rules ended Feb. 17. If the rules are published, they would go into effect 30 days after. The rules are being challenged in federal court, and a judge could issue an injunction that would temporarily bar them from going into effect.

    Hospitals in New York and across the country have already begun shuttering their youth gender-affirming care programs. Last month, NYU Langone announced that it would cease providing gender-affirming care to people under 18. State officials said the decision violated New York’s anti-discrimination laws. The state attorney general gave the hospital until March 11 to reinstate its transgender youth health care program. It is not clear whether Langone responded to the attorney general’s order.

    Mount Sinai has also reportedly followed suit in ending services for trans youth.

    In preparation for the potential imposition of the HHS rules, state legislators have been pushing for the passage of bills to absorb any additional costs.

    State Sen. Kristen Gonzalez sponsored a bill to create an $8 million gender-affirming care fund, which could help outpatient providers cover the cost of accepting patients previously seen in hospitals. Assembly Member Linda Rosenthal also introduced legislation mandating Medicaid and insurance companies to continue covering gender-affirming care regardless of federal funding rules. (State regulations require that Medicaid as well as private insurers cover gender-affirming care, but these rules are not yet codified in state law.)

    Movement on the state level to fund gender-affirming care may explain the delay to set aside money in the city budget, said Michael Kinnucan, the director of health policy at the New York-based Fiscal Policy Institute. The $65 million for gender-affirming care does not appear to be in the preliminary budget, according to Kinnucan, but that doesn’t mean Mamdani has reversed course.

    “It’s too soon to tell whether the mayor has backed down from his pledge because there’s a state-level push to protect funding,” Kinnucan said in an email. “If the state-level push succeeds then there won’t be a need for city funding.”

    The state budget must be approved by April 1. The mayor usually releases a revised city budget in May, following input from the City Council, which the council votes on by June 30.

    Trans advocates are asking Mamdani to do more to defend access to youth gender-affirming care in New York. Trans journalist and advocate Erin Reed has called on the mayor to instruct the Commission on Human Rights to investigate NYU Langone and other hospitals for violating the city’s anti-discrimination protections.

    Doroshow of GLITS told Prism that the announcement of the new Office of LGBTQIA+ Affairs left her no less unsettled about Mamdani’s promises to queer and trans New Yorkers. She still has faith in him, she told Prism, but he needs to act with the urgency this moment demands.

    “What the federal government is about to do to all of us and the politicians and everybody is make us the new slaves. We need somebody that represents saving and helping and making this a sanctuary city right now,” she said. “It was this community that pushed you to success. We rang the bell for you. Now answer the door.”

    Prism is an independent and nonprofit newsroom led by journalists of color. We report from the ground up and at the intersections of injustice.







  • Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages



    By Ravie Lakshmanan, Mar 21, 2026 (Malware / Threat Intelligence)

    The threat actors behind the supply chain attack targeting the popular Trivy scanner are suspected to be conducting follow-on attacks that have led to the compromise of a large number of npm packages with a previously undocumented self-propagating worm dubbed CanisterWorm.

    The name is a reference to the fact that the malware uses an ICP canister, which refers to tamperproof smart contracts on the Internet Computer blockchain, as a dead drop resolver. The development marks the first publicly documented abuse of an ICP canister for the explicit purpose of fetching the command-and-control (C2) server, Aikido Security researcher Charlie Eriksen said.

    The list of affected packages is below –

    • 28 packages in the @EmilGroup scope
    • 16 packages in the @opengov scope
    • @teale.io/eslint-config
    • @airtm/uuid-base32
    • @pypestream/floating-ui-dom

    The development comes within a day after threat actors leveraged a compromised credential to publish malicious trivy, trivy-action, and setup-trivy releases containing a credential stealer. A cloud-focused cybercriminal operation known as TeamPCP is suspected to be behind the attacks.


    The infection chain for the npm packages leverages a postinstall hook to execute a loader, which then drops a Python backdoor responsible for contacting the ICP canister dead drop to retrieve a URL pointing to the next-stage payload. Because the dead drop infrastructure is decentralized, it is resilient and resistant to takedown efforts.

    “The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant,” Eriksen said.

    Persistence is established by means of a systemd user service, which is configured to automatically start the Python backdoor after a 5-second delay if it gets terminated for some reason by using the “Restart=always” directive. The systemd service masquerades as PostgreSQL tooling (“pgmon”) in an attempt to fly under the radar.

    The backdoor, as mentioned before, phones the ICP canister with a spoofed browser User-Agent every 50 minutes to fetch the URL in plaintext. The URL is subsequently parsed to fetch and run the executable.

    “If the URL contains youtube[.]com, the script skips it,” Eriksen explained. “This is the canister’s dormant state. The attacker arms the implant by pointing the canister at a real binary, and disarms it by switching back to a YouTube link. If the attacker updates the canister to point to a new URL, every infected machine picks up the new binary on its next poll. The old binary keeps running in the background since the script never kills previous processes.”

    It’s worth noting that a similar youtube[.]com-based kill switch has also been flagged by Wiz in connection with the trojanized Trivy binary (version 0.69.4), which reaches out to the same ICP canister via another Python dropper (“sysmon.py”). As of writing, the URL returned by the C2 is a rickroll YouTube video.
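The persistence described in the two preceding paragraphs (an interpreter launching a script, `Restart=always` with a short restart delay, a unit name borrowed from legitimate tooling) can be triaged from the unit files themselves. The script below is an added example, not code from the article or from Aikido or Wiz: it parses systemd user units and flags those where an interpreter runs a script from a user-writable path and `Restart=always` is set. The two unit files are constructed; the “pgmon” name and the five-second restart are modelled on the article’s description, and the home-directory path is invented.

```python
"""Triage systemd user units for scripted persistence: an interpreter launching
a script from a user-writable path, with Restart=always so the process comes
back if killed. Added example, not code from the article or from Aikido/Wiz;
the unit files below are constructed, with the "pgmon" name and RestartSec=5
modelled on the article's description and the path invented."""
import os
import re
import shlex
from pathlib import Path

# Interpreter binaries, with optional version suffix (python3, python3.11, ...).
INTERPRETER = re.compile(r"^(python|perl|node|ruby|sh|bash|dash)[0-9.]*$")
# Locations a non-root user can write to; a persistent service launched from
# here is far more often an implant than packaged software.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/", "~")

# Constructed unit files: one modelled on the reported implant, one benign.
SAMPLE_UNITS = {
    "pgmon.service": """\
[Unit]
Description=PostgreSQL monitor
After=network-online.target

[Service]
ExecStart=/usr/bin/python3 /home/dev/.config/pgmon/pgmon.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
""",
    "podman.service": """\
[Unit]
Description=Podman API Service

[Service]
Type=exec
ExecStart=/usr/bin/podman system service --time=0
Restart=no
""",
}


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal INI-style parser; values are lists because systemd allows
    repeated directives such as several ExecStart= lines."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            unit[section].setdefault(key.strip(), []).append(value.strip())
    return unit


def triage_unit(text: str) -> list[str]:
    """Reasons a unit looks like scripted persistence (empty list = none)."""
    service = parse_unit(text).get("Service", {})
    reasons = []
    for cmd in service.get("ExecStart", []):
        argv = shlex.split(cmd.lstrip("-@+!:"))  # drop systemd exec prefixes
        if len(argv) < 2:
            continue
        exe = os.path.basename(argv[0])
        if INTERPRETER.match(exe) and argv[1].startswith(USER_WRITABLE):
            reasons.append(f"{exe} runs {argv[1]} from a user-writable path")
    if service.get("Restart", ["no"])[-1] == "always":
        reasons.append("Restart=always revives the process if it is killed")
    return reasons


def suspicious_units(units: dict[str, str]) -> list[str]:
    """Names of units showing both signals at once."""
    return [name for name, text in units.items() if len(triage_unit(text)) >= 2]


def scan_user_units(root: Path = Path.home() / ".config/systemd/user") -> dict[str, list[str]]:
    """Triage every *.service in a real user-unit directory."""
    return {p.name: triage_unit(p.read_text(encoding="utf-8"))
            for p in sorted(root.glob("*.service"))}


if __name__ == "__main__":
    for name, text in SAMPLE_UNITS.items():
        print(name, "->", triage_unit(text) or "no findings")
```

A unit that trips both checks is worth pulling, along with the script it points at, before deciding whether to `systemctl --user disable --now` it; the description line alone proves nothing, since that is precisely the field the implant uses to look like PostgreSQL tooling.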

    The Hacker News found that the ICP canister supports three methods – get_latest_link, http_request, update_link – the last of which allows the threat actor to modify the behavior at any time to serve an actual payload.

    In tandem, the packages come with a “deploy.js” file that the attacker runs manually to spread the malicious payload to every package a stolen npm token provides access to in a programmatic fashion. The worm, assessed to be vibe-coded using an artificial intelligence (AI) tool, makes no attempt to conceal its functionality.

    “This isn’t triggered by npm install,” Aikido said. “It’s a standalone tool the attacker runs with stolen tokens to maximize blast radius.”

    To make matters worse, a subsequent iteration of CanisterWorm detected in “@teale.io/eslint-config” versions 1.8.11 and 1.8.12 has been found to self-propagate on its own without the need for manual intervention.


    Unlike “deploy.js,” which was a self-contained script the attacker had to execute with the pilfered npm tokens to push a malicious version of the npm packages to the registry, the new variant incorporates this functionality in “index.js” within a findNpmTokens() function that’s run during the postinstall phase to collect npm authentication tokens from the victim’s machine.

    The main difference here is that the postinstall script, after installing the persistent backdoor, attempts to locate every npm token from the developer’s environment and spawns the worm right away with those tokens by launching “deploy.js” as a fully detached background process.
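The worm needs two things on a victim machine: a lifecycle script that npm runs automatically during installation, and an npm token it can read. The script below, an added example that is not code from the article or from Aikido, lets a defender inventory both conditions: it lists every install-time hook across a set of `package.json` files and reports `.npmrc` lines that store a registry token as a literal value instead of an environment-variable reference. The package definitions and the `.npmrc` text are constructed, and the token in it is a placeholder.

```python
"""Inventory npm install-time hooks and check for plaintext registry tokens in
.npmrc, the two conditions the worm described above relies on. Added example,
not code from the article or from Aikido; the package.json dicts and .npmrc
text below are constructed and the token is a placeholder."""
import json
import re
from pathlib import Path

# Scripts npm runs automatically while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Substrings that deserve a closer look when they appear in an install hook.
WATCH_TOKENS = ("curl ", "wget ", "python", "base64", "sh -c", "eval(", "| node")
RUNS_OWN_JS = re.compile(r"^node\s+\S+\.m?js")
# `//registry/:_authToken=value` or bare `_authToken=value` lines in .npmrc.
AUTH_TOKEN = re.compile(r"^\s*(?:\S*:)?_authToken\s*=\s*(\S+)")

# Constructed package.json contents keyed by package name.
SAMPLE_PACKAGES = {
    "some-eslint-config": {"name": "some-eslint-config", "version": "1.0.0",
                           "scripts": {"postinstall": "node index.js", "test": "jest"}},
    "native-addon": {"name": "native-addon", "version": "2.3.1",
                     "scripts": {"install": "node-gyp rebuild"}},
    "plain-lib": {"name": "plain-lib", "version": "0.1.0", "scripts": {"test": "jest"}},
}

# Constructed .npmrc; the literal token is a placeholder, not a real credential.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_NOT_A_REAL_TOKEN
//npm.example.internal/:_authToken=${NPM_TOKEN}
"""


def lifecycle_hooks(pkg: dict) -> dict[str, str]:
    return {k: v for k, v in pkg.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}


def hook_notes(command: str) -> list[str]:
    notes = [f"contains '{t.strip()}'" for t in WATCH_TOKENS if t in command]
    if RUNS_OWN_JS.match(command):
        notes.append("runs a JS file shipped in the package at install time")
    return notes


def audit_packages(packages: dict[str, dict]) -> list[dict]:
    """One row per install-time hook across the given package.json contents."""
    rows = []
    for name, pkg in packages.items():
        for hook, command in lifecycle_hooks(pkg).items():
            rows.append({"package": name, "version": pkg.get("version"),
                         "hook": hook, "command": command, "notes": hook_notes(command)})
    return rows


def load_node_modules(root: str = "node_modules") -> dict[str, dict]:
    """Read every package.json below node_modules (scoped packages included)."""
    packages = {}
    for path in Path(root).glob("**/package.json"):
        try:
            pkg = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        packages[str(path.parent)] = pkg
    return packages


def plaintext_token_lines(npmrc_text: str) -> list[int]:
    """Line numbers whose _authToken is a literal value rather than an
    environment-variable reference such as ${NPM_TOKEN}."""
    hits = []
    for lineno, line in enumerate(npmrc_text.splitlines(), start=1):
        m = AUTH_TOKEN.match(line)
        if m and not m.group(1).startswith("${"):
            hits.append(lineno)
    return hits


if __name__ == "__main__":
    for row in audit_packages(SAMPLE_PACKAGES):
        print(f"{row['package']}@{row['version']} {row['hook']}: {row['command']} {row['notes']}")
    print("plaintext tokens on .npmrc lines:", plaintext_token_lines(SAMPLE_NPMRC))
```

Many legitimate packages also run `node some-file.js` at install time, so the hook list is an inventory to review rather than a verdict. On CI runners that only consume packages, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) removes the first condition entirely, and scoping publish tokens to the job that needs them, injected from a secret rather than written into `.npmrc`, removes the second.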

    Interestingly, the threat actor is said to have swapped out the ICP backdoor payload for a dummy test string (“hello123”), likely to ensure that the entire attack chain is working as intended before adding the malware.

    “This is the point where the attack goes from ‘compromised account publishes malware’ to ‘malware compromises more accounts and publishes itself,’” Eriksen said. “Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats.”

    (This is a developing story. Please check back for more details.)


