76/77 Trivy releases poisoned in 12 hours. CI/CD pipelines showed green while secrets leaked. Here's the technical breakdown + how to fix it now.

The Trivy supply chain attack by TeamPCP compromised nearly every release tag of one of the most trusted security scanners. Malicious code ran silently before the legitimate scanner, stealing credentials from GitHub-hosted and self-hosted CI/CD runners. Within 24 hours, attackers used stolen NPM tokens to launch a second supply chain attack (Canisterworm), proving how interconnected our software supply chains are.

You'll learn:
• How mutable Git tags enable silent pipeline compromises
• Why commit SHAs are the only cryptographically immutable reference
• Adaptive payload tactics: memory scraping vs filesystem sweeps
• 4-step remediation campaign to harden your pipelines now

🔗 Get a free demo: https://phoenix.security/request-a-demo/
📖 Full technical analysis: https://phoenix.security/trivy-supply-chain-compromise-teampcp-weaponised-scanner-ongoing-attack/

00:00 – Intro: Trivy Supply Chain Compromise Overview
00:15 – 76 out of 77 Trivy releases poisoned
00:38 – Irony: security scanner becomes credential stealer
01:01 – Attack components: GitHub action, setup script, binary
01:23 – 12-hour attack window on March 19th
01:47 – The stealth factor: green checks, stolen secrets
02:11 – How was this possible? Mutable Git tags explained
02:35 – Commit SHA vs tag: immutable vs movable pointer
03:10 – Force push: redirecting tags to malicious commits
03:42 – Lesson: trusting tags = trusting movable pointers
04:05 – Payload analysis: what the malicious code did
04:28 – GitHub-hosted runners: surgical memory scraping
05:02 – Self-hosted runners: aggressive filesystem sweep
05:35 – Adaptive payload: tailored to environment
06:00 – Phase two: NPM Canisterworm campaign
06:25 – Supply chains are connected: cascading danger
06:52 – Why does this keep happening? Flawed trust models
07:15 – Solution 1: Pin to commit SHAs, not tags
07:25 – Solution 2: Rotate all exposed secrets
07:32 – Solution 3: Audit runners for IoCs
07:40 – Solution 4: Review dangerous workflow triggers
07:50 – Visual comparison: vulnerable tag vs secure SHA
08:15 – Final takeaway: broken trust model stress test

#CICDSecurity #SupplyChainAttack #TrivyCompromise #DevSecOps #GitHubActions #VulnerabilityManagement #ApplicationSecurity #SecOps #CloudSecurity #ContainerSecurity #Cybersecurity #ASPM #ShiftLeft #SecureSDLC #AppSec

About Phoenix Security: Phoenix Security is an Application Security Posture Management (ASPM) platform that helps security and DevOps teams prioritize and fix vulnerabilities that actually matter. We eliminate false positives, automate remediation campaigns, and integrate security directly into CI/CD pipelines — so teams can ship faster without compromising security.