{
  "Event": {
    "analysis": "1",
    "date": "2026-03-20",
    "extends_uuid": "",
    "info": "[Threat Intel] Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets",
    "protected": false,
    "publish_timestamp": "1775245829",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775245829",
    "uuid": "98121684-c3b0-4048-9644-b894b01bb420",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0ee843",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Instance Metadata API - T1552.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e8825f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#a320c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#1997de",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Shell History - T1552.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Preferences - T1552.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#ad5a96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf2644",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server Software Component - T1505\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062010",
        "to_ids": false,
        "type": "link",
        "uuid": "23bca391-5b83-4b2f-9ead-317d9a34034a",
        "value": "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062010",
        "to_ids": false,
        "type": "text",
        "uuid": "d72a29a6-a9eb-46a2-917c-697eeebd504d",
        "value": "A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062010",
        "to_ids": false,
        "type": "text",
        "uuid": "0b8c8fa5-38b8-4fcc-86c2-ed474d545408",
        "value": "Name: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"ci/cd\", \"teampcp cloud stealer\", \"credential theft\", \"trivy\", \"infostealer\", \"supply chain attack\", \"typosquat\", \"github actions\", \"exfiltration\"]\nTgtd countries: []\nMlwr families: [\"TeamPCP Cloud stealer\"]\nAttack_ids: [\"T1552.005\", \"T1195\", \"T1555\", \"T1567\", \"T1552\", \"T1505.003\", \"T1552.004\", \"T1552.003\", \"T1552.001\", \"T1552.006\", \"T1041\", \"T1059.004\", \"T1574\", \"T1078\", \"T1195.002\", \"T1567.002\", \"T1505\", \"T1574.002\", \"T1078.004\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062010",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "0a6fc7ce-727d-427d-8637-2f39ef9cd6c4",
        "value": "TeamPCP"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237435",
        "to_ids": true,
        "type": "sha1",
        "uuid": "c19ed1d0-6821-40f2-b027-c3a2129d9c0c",
        "value": "57a97c7e7821a5776cebc9bb87c984fa69cba8f1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775240114",
        "to_ids": true,
        "type": "url",
        "uuid": "19a90186-c90c-40af-9e74-5c75c0c8f68c",
        "value": "https://scan.aquasecurtiy.org",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775240135",
        "to_ids": true,
        "type": "hostname",
        "uuid": "45dcba4c-3f9c-4798-a24d-2d4f6d37a665",
        "value": "scan.aquasecurtiy.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775240156",
        "uuid": "7936be94-2f89-4826-9cad-d99364191d10",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775240156",
            "to_ids": true,
            "type": "md5",
            "uuid": "90837e6a-e6fb-4f93-8ea1-c75a16564c60",
            "value": "d761a6a7ae9f2254bd81ac234033a8b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237434",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a6b8d0cd-ccb5-48d2-8b3a-202b19d8c482",
            "value": "4fed54d88f919c675ee2f575f70698a8d3649287",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237434",
            "to_ids": true,
            "type": "sha256",
            "uuid": "be26ac9f-9f7a-43b7-aac3-de10b7a35db7",
            "value": "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775236232",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8a90dd56-f2b4-4f8a-bbc0-fdf621e347d9",
            "value": "384:tJRfIaEkaBSVQD8Pj/EnfjGgatHkBBIBtrrYIU2/2glBU46z++622JMwjaj/J:1fIadaYVQQPrEnfjVMx2gV/+N0+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775236232",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f87fcf60-8871-44c7-a918-35ed7f0e4a51",
            "value": "17592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775236232",
            "to_ids": true,
            "type": "filename",
            "uuid": "f0718ee4-858b-4ecb-946c-48ac5d1ebab0",
            "value": "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775236232",
            "to_ids": false,
            "type": "text",
            "uuid": "ffc12134-9ac8-4bfb-bf43-071985c3212e",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:Linux/CanisterWorm.DB!MTB\nVT Total Detection: 32/62\nFirst Submission: 2026-03-20T17:39:01.000000+00:00\nLast Submission: 2026-03-21T13:05:49.000000+00:00"
          }
        ]
      }
    ]
  }
}