cbcvebase.
CVE-2026-33634
published 2026-03-23


Priority: P1 90 high; CVSS 3.1: 8.8
Vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:H
Flags: KEV, ITW
CISA Known Exploited Vulnerability, due 2026-04-09
Exploited in the wild
EPSS: 60.37% (99.0th percentile)
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days), retaining access and enabling the March 19 attack.

Affected components include the `aquasecurity/trivy` Go binary / container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77 tags), and the `aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions are 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy.

Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source, and remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were

Affected

15 ranges

Vendor | Product | Version range | Fixed in
aquasec | setup-trivy | < 0.2.6 | 0.2.6
aquasec | trivy | |
aquasec | trivy_action | < 0.35.0 | 0.35.0
aquasecurity | setup-trivy | < 0.2.6 | 0.2.6
aquasecurity | setup-trivy | >= 0 < 0.2.6 | 0.2.6
aquasecurity | trivy | |
aquasecurity | trivy-action | < 0.35.0 | 0.35.0
aquasecurity | trivy-action | >= 0 < 0.35.0 | 0.35.0
berriai | litellm | |
github.com | aquasecurity_trivy | >= 0.69.4 |
litellm | litellm | |
litellm | litellm | |
team-telnyx | telnyx | |
telnyx | telnyx | |
telnyx | telnyx | |

Detection & IOCs (extracted from sources)

domain: checkmarx[.]zone
ip: 83.142.209[.]11
port: 443
filename: tpcp.tar.gz
filename: setup.sh
url: https://checkmarx[.]zone/vsx
url: https://checkmarx[.]zone/raw
domain: scan.aquasecurity[.]org
path: tpcp-docs
path: docs-tpcp
filename: msbuild.exe
port: 2375
url: hxxps://audit.checkmarx[.]cx/v1/telemetry
user-agent: KICS-Telemetry/2.0
url: hxxps://whereisitat[.]lucyatemysuperbox[.]space/
other: GitHub ID 139343333 (Argon-DevOps-Mgt service account)
version: aquasecurity/trivy v0.69.4
version: aquasecurity/trivy v0.69.5
version: aquasecurity/trivy v0.69.6
filename: mcpAddon.js
other: "Shai-Hulud: The Third Coming" (string in malicious @bitwarden/cli payload)
other: "# hacked by teampcp" (comment in xinference malicious payload)
  • Search GitHub Actions workflow run logs from March 19–20, 2026 for references to tpcp.tar.gz, scan.aquasecurity[.]org, or checkmarx[.]zone, which indicate execution of the malicious stealer payload.
  • Search GitHub organization for repositories named 'tpcp-docs' or 'docs-tpcp' as indicators of successful fallback exfiltration via GITHUB_TOKEN.
  • Monitor outbound network connections from CI runners to checkmarx[.]zone, audit.checkmarx[.]cx, and whereisitat[.]lucyatemysuperbox[.]space — all confirmed attacker-controlled exfiltration endpoints.
  • Detect the KICS malicious telemetry exfiltration by alerting on outbound HTTP requests with User-Agent 'KICS-Telemetry/2.0' to audit.checkmarx[.]cx.
  • Detect the persistence mechanism installed by the Checkmarx-linked stealer on non-CI systems: a systemd user service polling checkmarx[.]zone/raw every 50 minutes.
  • Detect the CanisterWorm/CanisterSprawl C2 pattern: look for outbound connections to Internet Computer Protocol (ICP) canisters as a dual-channel exfiltration endpoint, consistent across multiple TeamPCP worm variants.
  • Detect the Bitwarden CLI compromise by hunting for the string 'Shai-Hulud: The Third Coming' or Dune-themed identifiers (atreides, fremen, sandworm, sardaukar) in npm package contents or process memory.
  • Detect the xinference PyPI stealer by scanning for the comment '# hacked by teampcp' and double base64-encoded payloads injected into __init__.py that execute as a detached subprocess on package import.
  • Detect the scripted mass-defacement pattern: all 44 aquasec-com repositories were modified in a 2-minute burst (20:31:07–20:32:26 UTC on March 22, 2026) via a compromised service account token bridging two GitHub orgs.
  • Detect exposed Docker APIs on port 2375 across local subnets, which TeamPCP actively exploits for lateral movement alongside stolen SSH keys.
  • Trivy versions 0.69.4, 0.69.5, and 0.69.6 are confirmed malicious; 0.69.3 is the last known clean Docker Hub release. Safe versions are 0.69.2 and 0.69.3.
  • Patching Trivy alone is insufficient; credential rotation for all secrets accessible to affected pipelines during the March 19–27 compromise window is mandatory.
  • Checkmarx VS Code/Open VSX extensions ast-results v2.53.0 and cx-dev-assist v1.7.0 (March incident) and ast-results v2.63.0/2.66.0 and cx-dev-assist v1.17.0/1.19.0 (April incident) are malicious; VS Code Marketplace versions of the March incident were not affected.
  • @bitwarden/cli version 2026.4.0 is malicious (compromised via cascading KICS Docker image pull); version 2026.4.1 (re-release of 2026.3.0) is safe. Approximately 334 downloads occurred during the exposure window.
  • 474 public repositories executed malicious code from the compromised trivy-action workflow, and 1,750 Python packages were configured to automatically pull poisoned versions, indicating broad downstream exposure beyond direct Trivy users.
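The two checks the description and the detection list ask for (audit workflows for mutable tag references to the affected actions, and search runner logs for the published IoC strings) as one added example script. This is not code from the advisory, the tracker, or the Trivy project. It is regex-based so it runs without a YAML library, assumes the actions' release tags compare as plain dotted integers, strips de-fanging brackets before matching, and uses constructed sample workflow text and log lines rather than data from any real repository.

```python
"""Audit GitHub Actions workflow text for references to the affected Trivy
actions and scan CI log lines for the IoC strings listed in the advisory.
Added example, not the project's code. Regex-based; inputs are constructed."""
import re
from dataclasses import dataclass

# Affected actions and the first safe tag named in the advisory.
# Assumption: release tags compare as plain dotted integers.
AFFECTED_ACTIONS = {
    "aquasecurity/trivy-action": (0, 35, 0),
    "aquasecurity/setup-trivy": (0, 2, 6),
}

# IoC strings from the advisory with de-fanging brackets removed.
IOC_PATTERNS = [
    "tpcp.tar.gz",
    "scan.aquasecurity.org",
    "checkmarx.zone",
    "audit.checkmarx.cx",
    "whereisitat.lucyatemysuperbox.space",
    "KICS-Telemetry/2.0",
    "tpcp-docs",
    "docs-tpcp",
]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str
    ref: str
    status: str  # pinned-sha | safe-tag | affected-tag | unparsed-tag


def parse_version(tag: str):
    """Turn 'v0.34.2' or '0.35.0' into a comparable tuple, or None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> list:
    """Classify every `uses:` reference to one of the affected actions."""
    findings = []
    for action, ref in USES_RE.findall(text):
        if action not in AFFECTED_ACTIONS:
            continue
        if SHA_RE.match(ref):
            # Immutable ref; still confirm the SHA is a known-good commit.
            status = "pinned-sha"
        else:
            ver = parse_version(ref)
            if ver is None:
                # 'master' or a major-only tag: mutable, could have moved.
                status = "unparsed-tag"
            elif ver >= AFFECTED_ACTIONS[action]:
                status = "safe-tag"
            else:
                status = "affected-tag"
        findings.append(Finding(action, ref, status))
    return findings


def scan_log_lines(lines) -> list:
    """Return (line_number, ioc) for every IoC string found in a log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        clean = line.replace("[.]", ".").lower()  # accept de-fanged text
        for ioc in IOC_PATTERNS:
            if ioc.lower() in clean:
                hits.append((n, ioc))
    return hits


# Constructed sample workflow (hypothetical, not from a real repository).
SAMPLE_WORKFLOW = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# Constructed sample runner log lines (hypothetical).
SAMPLE_LOG = [
    "2026-03-19T21:02:11Z Downloading trivy v0.69.3",
    "2026-03-19T21:02:14Z curl -sSf https://scan.aquasecurity[.]org/tpcp.tar.gz -o /tmp/tpcp.tar.gz",
    "2026-03-19T21:02:20Z Scan complete: 0 CRITICAL",
]

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.status:13} {f.action}@{f.ref}")
    for n, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"log line {n}: IoC {ioc}")
```

Any `affected-tag` or `unparsed-tag` finding, and any log hit, should be treated as the advisory directs: rotate every secret the pipeline could reach, then repin the action to a verified commit SHA rather than a tag.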

CVSS provenance

nvd (v3.1): 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0): 9.4 CRITICAL CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 9.4 CRITICAL
cisa: 9.4 CRITICAL