RSA

1K+ cloud environments infected following Trivy supply chain attack

Crims 'creating a snowball effect' across open source projects

RSAC 2026 Thousands of organizations' cloud environments have been infected with secret-stealing malware as a result of the Trivy supply-chain attack last week, and now the crims that compromised the open source scanners are working with notorious extortion crews like Lapsus$.

"We know of over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat actor," Mandiant Consulting CTO Charles Carmakal said during a Google event on the outskirts of the annual RSA Conference in San Francisco. 

"That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," he continued. "And we know that these actors are collaborating with a number of other actors right now." 

These criminals are primarily based in the US, UK, Canada and Western Europe, Carmakal said. They are "known for being exceptionally aggressive with their extortion," he added. "They're very loud, they're very aggressive, and so we're going to end up seeing the impact in the coming days, weeks, and months."

According to Wiz, another Google-owned security shop, one of these groups is Lapsus$.

"We are seeing a dangerous convergence between supply chain attackers and high-profile extortion groups like Lapsus$," Ben Read, a lead researcher at Wiz, told The Register via email on Tuesday. 

In addition to hitting Trivy and open source static analysis tool KICS, the supply chain attack has also trojanized liteLLM, a critical piece of AI middleware present in 36 percent of all cloud environments, according to Wiz.

"By moving horizontally across the ecosystem - hitting tools like liteLLM that are present in over a third of cloud environments - they are creating a snowball effect," Reed said. "This isn't an isolated incident. It's a systemic campaign that requires security teams to take action and will likely continue to expand."

According to the attackers' public telegram messages, they plan continue targeting additional popular open source projects as well.

Here's what happened. Late last week, security researcher Paul McCarty warned about a widespread supply chain attack targeting Trivy, an open source scanner maintained by Aqua Security that finds vulnerabilities, misconfigurations, and exposed secrets.

Developers commonly embed this scanner into their CI/CD pipelines - and this makes it a boon for attackers to exploit because it allows them to steal API keys, cloud and database credentials, GitHub tokens, plus a ton of other secrets and sensitive information.

A group called TeamPCP compromised Trivy version 0.69.4, pushing malicious container images and GitHub releases to users. They were able to do this because, back in February, the same crew exploited a misconfiguration in Trivy's GitHub Action component and stole a privileged access token. 

This security issue was never fully fixed, and later in March the miscreants used the token to make imposter commits to Trivy.

Socket and Google-owned Wiz researchers over the weekend determined that the attack compromised multiple components of the Trivy project: the core scanner, the trivy-action GitHub Action, and the setup-trivy GitHub Action, and force-pushed 75 out of 76 trivy-action tags to malicious versions, meaning anyone who embedded Trivy in their development pipeline executed infostealer-malware upon opening the scanner.

"With over 10,000 workflow files on GitHub referencing this action, the potential blast radius is significant," Socket analyst Philipp Burckhardt said on Friday. 

Researchers also found TeamPCP expand its operations to infect the npm ecosystem via a never-before-seen worm, called CanisterWorm, leveraging stolen publish tokens from the initial Trivy compromise.

On Sunday, Socket spotted additional malicious images published to Docker Hub, and McCarty noted that the crims defaced Aqua Security's internal GitHub, renaming all 44 repositories and exposing internal source code, CI/CD configs, and knowledge bases. At that time, every repo's description said: " TeamPCP Owns Aqua Security."

According to Socket, "while the full scope of this access remains unclear, the presence of these repositories indicates a deeper level of control over the GitHub organization during the compromise." ®