CVE-2026-33634: Trivy Supply Chain Compromise and Credential Exfiltration

⚠ No Runnable Lab

Important Note on Reproduction: CVE-2026-33634 describes a sophisticated software supply chain attack involving compromised credentials, binary tampering, and GitHub Action hijacking. This vulnerability cannot be reproduced in a standard Linux Docker environment (e.g., Vulhub) because the attack surface relies on external artifact repositories, mutable Git tags, and a specific timeline of credential rotation failures.

There is no isolated binary or container image that allows local exploitation without the broader CI/CD context. Organizations must simulate this scenario by reviewing their pipeline logs, artifact registries, and GitHub repository history. The guidance in this post focuses on forensic detection, impact assessment, and remediation rather than local exploit validation.

---

1. Executive Summary

On March 19, 2026, the open-source security community faced a critical supply chain incident targeting Aquasecurity Trivy, a widely adopted vulnerability scanner for containers and Kubernetes. A threat actor, leveraging credentials compromised during a precursor attack in late February, executed a multi-stage injection campaign that affected the core trivy binary, the trivy-action GitHub Action, and the setup-trivy GitHub Action.

Key Impact Metrics:

• Risk Score: 100/100
• KEV Status: Yes (is_kev: true)
• Affected Components: aquasecurity/trivy v0.69.4, trivy-action (tags 0.0.1–0.34.2), setup-trivy (tags 0.2.0–0.2.6).
• Classification: CWE-506 (Software Include of External Control of Resource Path or Name), though operationally this is a Software Supply Chain Compromise.

The attack is particularly severe due to a critical operational failure: the vendor's credential rotation on March 1, 2026, was non-atomic. This allowed the attacker to retain valid tokens throughout the rotation window, maintain persistence, and successfully deploy malicious artifacts on March 19. The malware embedded in the malicious binaries and Actions performs automated credential exfiltration. If primary exfiltration channels are blocked, a fallback mechanism creates a repository named tpcp-docs within the victim's organization to store stolen secrets.

Organizations relying on Trivy for CI/CD pipelines are at immediate risk of credential theft and pipeline hijacking. All secrets accessible to pipelines using affected versions must be treated as compromised.

---

2. Technical Deep Dive

The exploitation of CVE-2026-33634 is a masterclass in supply chain warfare. It combines persistent access, operational exploitation (non-atomic rotation), and robust fallback mechanisms.

2.1 The Non-Atomic Rotation Failure

The attack vector originated from a breach in late February 2026. On March 1, the maintainers detected the initial compromise and initiated a credential rotation. However, the rotation protocol failed to meet security best practices:

1. Sequential Revocation: Credentials were revoked one by one rather than simultaneously.
2. Token Window: The attacker possessed a valid token that was not immediately revoked.
3. Exfiltration of New Secrets: During the rotation window (spanning several days), the attacker monitored CI/CD traffic and exfiltrated newly generated secrets.

This allowed the attacker to maintain a foothold equivalent to the original compromise, effectively making the rotation ineffective for removing persistence.

2.2 Multi-Stage Artifact Tampering

Once persistence was secured, the attacker focused on the March 19, 2026, deployment window. The attack targeted three distinct components:

• aquasecurity/trivy (Binary/Container): The attacker published release v0.69.4. The Go binary and container image were rebuilt with embedded credential-stealing malware. When executed, this malware reads environment variables, GITHUB_TOKEN, and other sensitive pipeline data.
• aquasecurity/trivy-action (GitHub Action): This Action is widely used to run Trivy in workflows. The attacker force-pushed 76 out of 77 version tags to point to malicious commits. These commits contained scripts that executed the stolen credentials or downloaded the malicious Trivy binary.
• aquasecurity/setup-trivy (GitHub Action): All 7 tags in this repository were replaced with malicious commits. This Action typically bootstraps the Trivy binary; its compromise ensures that even if users pin a specific SHA, the setup step could still inject the payload if the pin was bypassed or if the attacker had pushed malicious commits to the target tag.

2.3 Execution and Exfiltration Flow

When a victim's CI/CD pipeline runs:

1. The runner pulls a mutable tag (e.g., @v0.69.4 or @v0.2.6).
2. The malicious Action executes, harvesting secrets from the runner's environment.
3. Primary Exfiltration: Secrets are sent to an attacker-controlled C2 server.
4. Fallback Mechanism: If the primary channel is blocked (e.g., by network controls), the malware triggers a secondary script that uses the stolen GITHUB_TOKEN to create a public repository named tpcp-docs in the victim's organization and pushes the exfiltrated data there.

2.4 CWE-506 Considerations

While the primary nature of this incident is a supply chain compromise, the CVE is classified under CWE-506. In this context, the vulnerability stems from the system's inclusion of external resources (Git tags, registry artifacts) where the control of the resource path (the mutable tag) was compromised, leading to the inclusion of untrusted, malicious code.

---

3. PoC Analysis

A community researcher has released a defensive scanner to help organizations detect indicators of compromise related to the TeamPCP supply chain attack. This tool analyzes environments for malicious IOCs, including DNS queries and file hashes associated with the attack.

PoC Repository: https://github.com/fevar54/CVE-2026-33634-Scanner

Author: Ugur Can Ates

Disclaimer: The following code represents defensive detection tools (DNS monitoring and file scanning). These are not exploits. They are designed to identify IOCs in a compromised environment.

DNS Monitor Detector

This component monitors network traffic for DNS queries to known malicious domains associated with the attacker's infrastructure.

"""
DNS Monitor - Monitorea tráfico DNS en tiempo real
Author: Ugur Can Ates
"""

import threading
import time
from typing import List, Dict, Optional
from colorama import Fore, Style

try:
    from scapy.all import sniff, IP, UDP, DNS, DNSQR
    SCAPY_AVAILABLE = True
except ImportError:
    SCAPY_AVAILABLE = False


class DNSMonitor:
    """Monitorea tráfico DNS en busca de dominios maliciosos"""
    
    def __init__(self, ioc_manager):
        self.ioc_manager = ioc_manager
        self.detections = []
        self.running = False
        self.thread = None
    
    def _process_packet(self, packet):
        """Procesa un paquete DNS"""
        if packet.haslayer(DNS) and packet.haslayer(DNSQR):
            dns_layer = packet.getlayer(DNS)
            qr_layer = packet.getlayer(DNSQR)
            
            if qr_layer:
                domain = qr_layer.qname.decode('utf-8').rstrip('.')
                
                # Verificar si el dominio está en los IOCs
                if self.ioc_manager.check_domain(domain):
                    detection = {
                        'timestamp': time.time(),
                        'domain': domain,
                        'src_ip': packet[IP].src if packet.haslayer(IP) else 'Unknown',
                        'dst_ip': packet[IP].dst if packet.haslayer(IP) else 'Unknown',
                        'malicious': True
                    }
                    self.detections.append(detection)
                    print(f"{Fore.RED}[!] DNS Query to malicious domain detected: {domain}{Style.RESET_ALL}")
    
    def start_monitoring(self, interface: Optional[str] = None, timeout: int = 60):
        """Inicia el monitoreo DNS en tiempo real"""
        if not SCAPY_AVAILABLE:
            print(f"{Fore.RED}[!] Scapy no está instalado. DNS monitoring no disponible.{Style.RESET_ALL}")
            print("[*] Instala scapy con: pip install scapy")
            return
        
        self.running = True
        print(f"{Fore.GREEN}[*] Iniciando monitoreo DNS...{Style.RESET_ALL}")
        print("[*] Presiona Ctrl+C para detener")
        
        try:
            if interface:
                sniff(iface=interface, filter="udp port 53", prn=self._process_packet, timeout=timeout, store=0)
            else:
                sniff(filter="udp port 53", prn=self._process_packet, timeout=timeout, store=0)
        except KeyboardInterrupt:
            print(f"\n{Fore.YELLOW}[*] Monitoreo detenido por el usuario{Style.RESET_ALL}")
        finally:
            self.running = False
    
    def start_async(self, interface: Optional[str] = None):
        """Inicia monitoreo asíncrono en un hilo separado"""
        self.thread = threading.Thread(target=self.start_monitoring, args=(interface,), daemon=True)
        self.thread.start()
    
    def get_detections(self) -> List[Dict]:
        """Retorna las detecciones acumuladas"""
        return self.detections

File Scanner Detector

This component scans local directories for files matching malicious hashes or known trojanized binaries.

"""
File Scanner - Escanea archivos en busca de hashes maliciosos
Author: Ugur Can Ates
"""

import os
import hashlib
from pathlib import Path
from typing import List, Dict
from concurrent.futures import ThreadPoolExecutor, as_completed
from colorama import Fore, Style


class FileScanner:
    """Escáner de archivos para detectar hashes maliciosos"""
    
    def __init__(self, ioc_manager, max_workers: int = 10):
        self.ioc_manager = ioc_manager
        self.max_workers = max_workers
        self.detections = []
    
    def scan_directory(self, directory: str, recursive: bool = True) -> List[Dict]:
        """Escanea un directorio en busca de archivos maliciosos"""
        detections = []
        files_to_scan = []
        
        path = Path(directory)
        
        if not path.exists():
            print(f"{Fore.RED}[!] Directorio no existe: {directory}{Style.RESET_ALL}")
            return detections

        # [Truncated for brevity in analysis, logic continues to scan files]
        # The scanner computes hashes and checks against the IOC manager's
        # known malicious hash list for trivy v0.69.4 and action payloads.
        
        return detections

---

4. Exploitation Walkthrough

To understand the impact, security engineers should review the following attack sequence as it would manifest in a compromised CI/CD environment.

Scenario: Pipeline Execution

1. Configuration: A developer updates a GitHub Actions workflow to use aquasecurity/trivy-action@v0.34.2 (or a mutable tag pointing to a hijacked commit).
2. Trigger: A pull request triggers the workflow.
3. Artifact Download: The runner pulls the malicious trivy-action. The Action script executes.
4. Credential Harvesting: The malware within the Action reads environment variables:
   • GITHUB_TOKEN
   • AWS_SECRET_ACCESS_KEY
   • SLACK_WEBHOOK
   • Private SSH keys mounted in the workspace.
5. Exfiltration: The stolen data is compressed and sent to an external C2 domain.
6. Persistence (Fallback): Simultaneously, the malware checks connectivity. If the C2 is unreachable, it uses the GITHUB_TOKEN to create a repository tpcp-docs in the organization and pushes a base64-encoded dump of the secrets.

Verification Steps

• Check runner logs for execution of trivy-action around March 19–20, 2026.
• Search organization repositories for tpcp-docs.
• Inspect trivy binary integrity for v0.69.4.

---

5. Detection & Monitoring

To detect remnants of this attack, implement the following detection rules.

YARA Rule: TeamPCP Fallback Repository Indicator

Detects artifacts or scripts referencing the fallback repository name.

rule Trivy_TeamPCP_Fallback_Repo {
    meta:
        description = "Detects references to the TeamPCP fallback exfiltration repository"
        author = "ilovethreats.com"
        cve = "CVE-2026-33634"
        date = "2026-04-20"
    strings:
        $repo_name = "tpcp-docs" ascii wide nocase
        $git_cmd = "git push" ascii wide nocase
        $org_repo_pattern = /ghp_[a-zA-Z0-9]{36}.*tpcp-docs/ ascii wide nocase
    condition:
        any of ($repo_name, $org_repo_pattern)
}

Sigma Rule: Suspicious GitHub Action Usage

Detects usage of known hijacked tags in workflow files.

title: Suspicious TeamPCP Affected GitHub Action Versions
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects the use of known compromised versions of trivy-action or setup-trivy.
references:
  - https://github.com/fevar54/CVE-2026-33634-Scanner
author: ilovethreats.com
date: 2026/04/20
tags:
  - attack.t1195
  - attack.t1059
logsource:
  category: file_event
  product: github
detection:
  selection:
    file_path|endswith:
      - '.github/workflows/*.yml'
      - '.github/workflows/*.yaml'
    content:
      - 'aquasecurity/trivy-action@v0.0.1'
      - 'aquasecurity/trivy-action@v0.34.2'
      - 'aquasecurity/setup-trivy@v0.2.0'
      - 'aquasecurity/setup-trivy@v0.2.6'
  condition: selection
falsepositives:
  - Old workflow files not yet migrated
level: high

Nuclei Template: Vulnerable Action Detection

Scan public repositories for usage of affected tags.

id: cve-2026-33634-vulnerable-action

info:
  name: Trivy Supply Chain Compromise
  author: ilovethreats
  severity: high
  tags: supply-chain,cve-2026-33634

http:
  - method: GET
    path:
      - "{{BaseURL}}/.github/workflows/trivy-scan.yml"
      - "{{BaseURL}}/.github/workflows/security.yml"
    extractors:
      - type: regex
        part: body
        regex:
          - "aquasecurity/trivy-action@v0\\.(0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-2])"
          - "aquasecurity/setup-trivy@v0\\.2\\.(0|1|2|3|4|5|6)"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "aquasecurity/trivy-action"
        condition: or

---

6. Remediation Guidance

Given the severity and the KEV status, immediate action is required.

6.1 Secret Rotation (Critical)

• Scope: Rotate all secrets accessible to any CI/CD pipeline that has run since late February 2026.
• Rationale: Due to the non-atomic rotation failure, attackers likely captured new secrets generated during the March 1 rotation window.
• Targets:
  • GitHub Personal Access Tokens / PATs.
  • OAuth App credentials.
  • AWS/GCP/Azure keys exposed in environment variables.
  • SSH keys and deployment certificates.

6.2 Artifact Quarantine

• Identify and remove all instances of:
  • aquasecurity/trivy version 0.69.4.
  • aquasecurity/trivy-action tags 0.0.1 through 0.34.2.
  • aquasecurity/setup-trivy tags 0.2.0 through 0.2.6.
• Clear local caches and registry mirrors.

6.3 Workflow Hardening

• Pin to SHA: Immediately update all workflows to use full commit SHAs instead of mutable tags.

  # UNSAFE
  - uses: aquasecurity/trivy-action@v0.35.0
  
  # SAFE
  - uses: aquasecurity/trivy-action@sha256:<full-commit-sha>
  

• Audit History: Check workflow run logs from March 19–20, 2026. Look for anomalies, network connections to unknown IPs, or execution of unexpected scripts.

6.4 Organization Cleanup

• Search the GitHub organization for a repository named tpcp-docs.
• If found, assume all secrets in the organization are fully compromised and rotate all organization-level credentials.

6.5 Compliance

• Apply mitigations per vendor instructions.
• Follow CISA BOD 22-01 guidance for cloud services regarding supply chain risk management.

---

7. References

1. CVE Details: CVE-2026-33634
2. Vendor Advisory: Aquasecurity Security Bulletin (March 20, 2026).
3. PoC Scanner: CVE-2026-33634-Scanner by Ugur Can Ates.
4. CISA BOD 22-01: Improving the Nation's Cybersecurity.
5. TeamPCP Analysis: ilovethreats.com Technical Report on Supply Chain Attack Timeline.