Microsoft Unveils New Guidance to Detect and Defend Against Trivy Supply Chain Attack
ID: 9af5c775-ee8c-5249-9157-d8ae07442a3b
STIX ID: report--9af5c775-ee8c-5249-9157-d8ae07442a3b
Feed Name: GBHackers
**Supply-chain compromise of Trivy by TeamPCP:** TeamPCP abused mutable Git tags and forged commit identities to inject a Python-based credential-stealing payload into Trivy releases and GitHub Action tags. The infected binaries and container images it published exfiltrate cloud credentials, Kubernetes secrets, application tokens, and other infrastructure secrets, while letting legitimate scans complete to hide the activity. Mitigations include updating to verified safe versions, pinning actions to commit SHAs, minimizing GITHUB_TOKEN scope, and using secret managers.
