
Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack

ID: 6890ad48-4025-59f2-9f07-9a96552b34a1

STIX ID: report--6890ad48-4025-59f2-9f07-9a96552b34a1

Feed Name: Wiz Blog

Threat Score: 90/100

Date Published: 2026-03-20

Date Updated: 2026-05-01


On March 19, 2026, threat actors self-identifying as TeamPCP carried out a multi-component supply-chain compromise of Aqua Security's Trivy. Malicious commits and forced tag updates injected credential-stealing code into trivy-action, setup-trivy, and the Trivy v0.69.4 binary. The campaign exfiltrated secrets via a typosquatted domain and Cloudflare Tunnel, published backdoored artifacts to multiple registries, and set up fallback exfiltration via a tpcp-docs GitHub repo. The report provides technical behavior, IOCs, and remediation steps, including artifact removal and action pinning.
