On March 19, threat actors compromised Trivy, Aqua Security's widely deployed open-source vulnerability scanner, and turned it against the pipelines trusting it. By the time most teams noticed, malicious versions of trivy-action and setup-trivy had already run in CI environments across the industry, harvesting SSH keys, cloud credentials, and Kubernetes secrets.
Within 24 hours, it escalated. Stolen npm tokens were used to seed a self-propagating worm called CanisterWorm, now confirmed across dozens of packages and still spreading.
And then it happened again.
Just days later, the same threat actor leveraged the same underlying weakness: compromised credentials. In a separate attack, they targeted Checkmarx GitHub Actions. No new exploit. No new technique. Just reused access.
This was not a sophisticated vulnerability chain. It was a stolen credential, an overprivileged service account, and mutable tags that were never locked down. The attacker had valid access. That was enough.
Scanners Can’t Scan Themselves
There’s an uncomfortable irony here.
Trivy exists to find risk in your software supply chain. But this attack did not come through a dependency vulnerability or a misconfigured container. It came through an identity, specifically a compromised PAT from an earlier incident that was never fully revoked.
The aqua-bot service account had broad access. Tags were not pinned. Trust in the toolchain was implicit and unmonitored.
These are not code problems. They are developer identity governance failures that sit completely outside the visibility of traditional AppSec tooling.
What the Attack Actually Looks Like in Your Environment
The behavioral fingerprint of this compromise is clear if you know where to look:
- Package versions published with no corresponding PR, commit, or expected activity
- CI jobs making outbound network calls they have never made before
- npm or GitHub tokens used from new IPs, in rapid succession, accessing repos outside their normal scope
- package.json install hooks executing encoded or remote-execution commands
- Unexpected repositories like tpcp-docs or docs-tpcp appearing in your GitHub org
If any of these signals appear, treat all pipeline secrets in that environment as compromised and rotate them immediately.
Where BlueFlag Already Has You Covered
When we mapped this attack against BlueFlag’s capabilities, the coverage was broader than expected because most of what TeamPCP exploited is not novel. It is the same class of developer identity risk we are built to surface.
A service account accessing repositories outside its normal behavior gets flagged. Unexpected changes to install-time hooks are detected as anomalous file activity. An overprivileged machine identity with blast radius across multiple systems is exactly what least-privilege enforcement and continuous entitlement monitoring are built for.
What makes this attack particularly dangerous is the sequencing: a stale credential enabling tag poisoning, enabling a worm, enabling lateral spread. Individually, each signal might look like noise. Together, they are a five-alarm fire. BlueFlag's toxic combinations detection, powered by our Correlated Threat Intelligence engine, is built for exactly this - correlating signals across identities, tools, and code that other tools see in isolation into a coherent risk picture, before the damage is done.
Individual scanners catch specific vulnerabilities. BlueFlag correlates the developer identity risk, tool misconfigurations, and code-level signals that together make attacks like this possible in the first place.
What to Do Right Now
- Audit pipelines for Trivy executions between March 19–20 and Checkmarx GitHub Actions activity during known compromise windows
- Look for unusual outbound network calls in CI workflows
- Search your GitHub org for unexpected repositories such as tpcp-docs or docs-tpcp
- Rotate all exposed credentials including SSH keys, cloud credentials, and npm tokens
- Pin GitHub Actions to full commit SHAs. Version tags are mutable, and this attack proved it
- Review service account access and enforce least privilege
The Bigger Problem Isn’t Patched
Trivy got patched.
Checkmarx got patched.
These tools will continue to be updated.
But what made this possible in the first place does not get fixed by a version update. The absence of developer identity governance still remains. Overprivileged service accounts, unmonitored token usage, and automated tools executing actions with valid access are just some of the ways that risk shows up and gets exploited.
That is the problem BlueFlag was built to solve across the SDLC.
How Exposed Is Your SDLC?
Take BlueFlag’s free health check. Five questions, immediate insights, and a personalized assessment from our team: blueflagsecurity.com/sdlc-healthcheck
