THE TRIVY ATTACK WAS INEVITABLE

Mutable Tags Are Broken by Design

On March 19, 2026, at Friday 5 PM UTC, TeamPCP force-pushed a malicious commit to the Trivy GitHub Action tag. The attack replaced the legitimate Trivy binary with a credential-stealing payload. For 12 hours, every CI pipeline running trivy-action downloaded the backdoor.

Timeline

How the payload worked

The malicious commit replaced the Trivy binary with two credential-stealing scripts: sysmon.py and pgmon. These scripts harvested CI environment variables, secrets, and tokens, then exfiltrated them to an attacker-controlled C2 domain via outbound HTTP requests.

Transitive spread

The attack did not stop at trivy-action. Because setup-trivy referenced trivy-action as a dependency, the compromise spread transitively. Any workflow using setup-trivy was also affected. Additionally, stolen publish tokens were used to push compromised versions of VS Code extensions to both the VS Code Marketplace and OpenVSX.

Why mutable tags are broken by design

GitHub Actions tags like @v1 are mutable references. Anyone with write access can force-push a new commit to the same tag. There is no integrity verification, no content hash check, and no notification to downstream consumers. SHA pinning is the only defense because it references an immutable commit hash that cannot be silently replaced.

How OpenSyber detects this

OpenSyber's CI/CD Supply Chain Guardian already SHA-pins all GitHub Actions and detects when a mutable tag resolves to a different commit than expected. The Network Sentinel would have caught the outbound curl to the C2 domain, triggering an immediate alert before any secrets left the pipeline.