{ "Event": { "analysis": "1", "date": "2026-03-25", "extends_uuid": "", "info": "[Threat Intel] Guidance for detecting, investigating, and defending against the Trivy supply chain compromise", "protected": false, "publish_timestamp": "1775507895", "published": true, "threat_level_id": "2", "timestamp": "1775507895", "uuid": "ae9ce79b-1faf-4621-9fb9-7572f57439fc", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#96f4f6", "local": false, "name": "misp-galaxy:producer=\"Microsoft\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#bce57a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#a320c3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#abbbbf", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Authentication Process - T1556\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#1b0068", "local": false, "name": "rectifyq:topic=\"cloud\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774436408", "to_ids": false, "type": "link", "uuid": "bb76ab4e-e910-430e-b71c-a47ca42d606f", "value": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1774436408", "to_ids": false, "type": "text", "uuid": "385d491a-dc54-407d-bb22-303c5fc892a6", "value": "On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a sophisticated CI/CD supply chain attack. Threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting the core binary and GitHub Actions. The attack exploited mutable tags and commit identity spoofing on GitHub. The malware performed extensive credential harvesting, targeting cloud providers, Kubernetes secrets, and various application credentials. Microsoft Defender provides detection and investigation capabilities for this threat. Recommended mitigations include updating to safe versions, hardening CI/CD pipelines, enforcing least privilege, protecting secrets, and leveraging attack path analysis to reduce lateral movement risks." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1774436408", "to_ids": false, "type": "text", "uuid": "6a94fbd6-6188-4cb0-b5ab-a73b4775e4cc", "value": "Name: Guidance for detecting, investigating, and defending against the Trivy supply chain compromise\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"trivy\", \"supply chain attack\", \"credential theft\"]\nTgtd countries: []\nMlwr families: [\"Trivy\"]\nAttack_ids: [\"T1539\", \"T1005\", \"T1567\", \"T1036\", \"T1552\", \"T1552.001\", \"T1078\", \"T1027\", \"T1556\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1774436408", "to_ids": false, "type": "threat-actor", "uuid": "4527122e-5d7b-44eb-aa9e-b9a1577b4542", "value": "TeamPCP" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490841", "to_ids": true, "type": "ip-dst", "uuid": "f1c20f03-1291-4601-bce8-9fa6e14ba023", "value": "45.148.10.212", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490862", "to_ids": true, "type": "ip-dst", "uuid": "ca47cf7d-2d71-42b4-a40b-63ef2d2f02b1", "value": "45.148.10.122", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490884", "to_ids": true, "type": "domain", "uuid": "b214060d-4bcd-40cb-a13b-9b6ad4456ce3", "value": "aquasecurtiy.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490906", "to_ids": true, "type": "domain", "uuid": "c24f0f25-585a-4221-a10c-7ad4bbe00e6f", "value": "checkmarx.zone", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490927", "to_ids": true, "type": "hostname", "uuid": "ed0ee7b8-b7a2-4996-ab2a-cdf6289cfb99", "value": "plug-tab-protective-relay.trycloudflare.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490949", "to_ids": true, "type": "hostname", "uuid": "0f6182f5-2712-41dc-a0dd-425c3796b58d", "value": "scan.aquasecurtiy.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775490970", "to_ids": true, "type": "hostname", "uuid": "bd9f6dbc-34e3-40f2-b1f3-87d25a2ea5d3", "value": "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }