GHSA-69fq-xp46-6x23: Embedded Malicious Code in Trivy binary

March 21, 2026 (updated March 22, 2026)

On March 19, 2026, threat actor TeamPCP used compromised credentials to publish a malicious Trivy v0.69.4 release containing a credential-stealing payload. The malware extracts secrets from process memory and filesystem locations including SSH keys, cloud provider credentials, Kubernetes tokens, and environment variables. Stolen data is encrypted using AES-256-CBC with RSA-4096 hybrid encryption and exfiltrated via HTTP POST to attacker infrastructure at scan.aquasecurtiy[.]org (typosquatted domain). As a fallback, stolen GitHub PATs are used to stage data in repositories named tpcp-docs within compromised accounts.

References

Code Behaviors & Features

Detect and mitigate GHSA-69fq-xp46-6x23 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →