
Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

ID: 3988f1cc-4fd7-59c8-b935-fb1469384730

STIX ID: report--3988f1cc-4fd7-59c8-b935-fb1469384730

Feed Name: Microsoft Security

Threat Score
90/100

Date Published: 2026-03-25

Date Updated: 2026-04-28

Author: Microsoft Defender Security Research Team

...
...

Microsoft Defender Security Research reports a supply-chain attack, attributed to TeamPCP, that compromised Trivy (a malicious v0.69.4 release) and the aquasecurity GitHub Actions by force-pushing existing tags and publishing infected releases. The malware harvested cloud, CI/CD, Kubernetes, SSH, database and other secrets, encrypted them into an archive named tpcp.tar.gz, and exfiltrated it to a typosquatted domain (scan.aquasecurtiy.org). The post describes the attacker techniques (mutable tags, commit impersonation), the observed detections and hunting queries, and gives mitigation guidance: pin actions to commit SHAs rather than tags, rotate credentials, and update to safe Trivy and Action versions.
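The mitigation the report leads with, pinning actions to commit SHAs instead of mutable tags, is easy to audit across a repository. The following checker is an added example written for this page; it is not Microsoft's or Aqua Security's tooling and the workflow text it scans is constructed for illustration (the 40-hex value in it is a placeholder, not a real commit). It walks `uses:` lines in a GitHub Actions workflow and reports any reference that is a tag, a branch, an abbreviated SHA, or missing entirely, since all of those can be moved by whoever controls the repository.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this page (not vendor code). A tag such as `v4` or `master`
can be force-pushed to point at a different commit; a 40-hex commit SHA cannot.
"""
import re
from typing import NamedTuple

# `uses: owner/repo[/path]@ref`, optionally quoted; stops at whitespace or a '#' comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')


class Finding(NamedTuple):
    line: int      # 1-based line number in the workflow file
    action: str    # owner/repo[/path]
    ref: str       # whatever followed '@' ('' if nothing did)
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not a full-SHA pin."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and container images are not tag-pinned repos;
        # they need a separate review, so skip them here.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, at, ref = target.partition("@")
        if not at:
            findings.append(Finding(lineno, action, "", "no ref at all; resolves to the default branch"))
        elif FULL_SHA_RE.match(ref):
            continue  # immutable pin
        elif SHORT_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "abbreviated SHA; pin the full 40-hex commit"))
        else:
            findings.append(Finding(lineno, action, ref, "mutable tag or branch; can be force-pushed"))
    return findings


# Constructed sample workflow (not from any real repository). The hex pin is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-thing
      - uses: actions/upload-artifact
"""


def main() -> None:
    for f in check_workflow(SAMPLE_WORKFLOW):
        shown = f"{f.action}@{f.ref}" if f.ref else f.action
        print(f"line {f.line}: {shown}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run over a checkout of `.github/workflows/*.yml`, this turns the report's advice into a pass/fail gate for CI. A SHA pin is only as good as the review behind it, so keep the human-readable tag in a trailing comment (as the sample does) so that reviewers can see what the commit is supposed to correspond to, and re-verify that mapping after any upstream incident like this one.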
