A multi-week, multi-ecosystem attack chain spanning GitHub Actions, npm, and PyPI
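Source: hackernews · Summary and analysis by Genesis Park
Summary
The hacker group TeamPCP carried out a large-scale supply-chain attack spanning multiple development ecosystems, including GitHub Actions, Docker Hub, npm, and PyPI, starting with the theft of an access token (PAT) for Aqua's Trivy. The attackers abused vulnerable CI/CD workflows to spread to other projects such as Checkmarx KICS and LiteLLM, and along the way used malicious worm distribution and a concealment technique based on WAV steganography. In particular, shortcomings in the initial credential rotation procedure allowed the attack to continue over several weeks, and it was confirmed to have affected numerous downstream users.
Body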
How did they gain access to push the malicious v0.69.4 tag?
The attacker was able to push a tag to aquasecurity/trivy pointing to a malicious commit. This requires write access to the repository. Was this via a compromised PAT, GitHub App, or deploy key?
Resolution: Aqua Security confirmed the attack stemmed from incomplete containment of the March 1, 2026 incident. Credential rotation "wasn't atomic and attackers may have been privy to refreshed tokens."

Was aqua-bot the initial access vector, or only compromised via /trivy?
The aqua-bot service account was used for lateral movement to tfsec, traceeshark, and trivy-action. However, it's unclear whether aqua-bot credentials were the initial compromise, or if they were harvested from the trivy repository's secrets after the v0.69.4 tag push triggered workflows.
Resolution: The official disclosure confirms incomplete credential rotation from the first incident allowed attackers to capture refreshed tokens, including aqua-bot credentials.

At 17:51:17 UTC on March 19, a v0.70.0 tag was deleted. The commit (9dbb34d3ec0f) was authored by aqua-bot on March 16 — 3 days earlier — with message "Updates", modifying cmd/trivy/main.go, pkg/github/auth.go, pkg/github/repowrite.go, pkg/github/runner.go. This suggests aqua-bot compromise may predate March 19.

All 7 tags (v0.2.0-v0.2.6) were force-pushed to malicious commits. Commit 8afa9b9f spoofed contributor "thara" (Tomochika Hara). Message: "Pin Trivy install script checkout to a specific commit (#28)". Spoofed date: 2026-01-15. Exposure window: ~4 hours (17:43-21:44 UTC Mar 19).

A GitHub user "DarkSeek3r" (user ID 266895321) was created at 2026-03-10T01:44:23. Their only public activity was forking aquasecurity/trivy and actions/checkout — the exact repositories used in this attack. Update: Account renamed to octocommit on Mar 10 — still active, not deleted.

Full defanged 3-stage payload from LiteLLM 1.82.8. Includes orchestrator, collector, and persistence components with shared RSA 4096-bit public key (strongest attribution link across all TeamPCP payloads).

Defanged payload from Telnyx PyPI 4.87.1/4.87.2. WAV steganography delivery with platform-specific payloads for Windows and Linux/macOS.

# Delivery mechanism
WAV steganography: payloads hidden in audio frames
hangup.wav (Windows), ringtone.wav (Linux/macOS)
# Windows payload
XOR-decrypted executable dropped as msbuild.exe
Persistence via Startup folder
# Linux/macOS payload
Credential sweeper with AES-256-CBC + RSA-4096
Same RSA public key as LiteLLM payloads

Threat Actor: TeamPCP
Also known as PCPcat, Persy_PCP, ShellForce, CipherForce, and DeadCatx3. Emerged as a significant threat to cloud-native infrastructure in late 2025. Self-attribution string "TeamPCP Cloud stealer" found in the trivy-action payload links this incident to the group.

The Official Soundtrack of the Trivy Supply Chain Attack
Every threat actor leaves fingerprints. TeamPCP left a playlist. Songs embedded in payloads, C2 infrastructure, and attack tooling.
Big City Life, Mattafix: scan.aquasecurtiy.org, Primary C2
Thank You, Dido: ICP Fallback, 03/22 14:45 UTC
God Is in the Rhythm, King Gizzard And The Lizard Wizard: ICP Fallback, 03/22 15:20 UTC
Except Crime, YTCracker: ICP Fallback, 03/22 15:57 UTC
Instant Message, Yung Innanet: ICP Fallback, 03/22 19:27 UTC
Teardrop, Massive Attack: ICP Fallback, 03/22 19:56 UTC
Drinking, bôa: ICP Fallback, 03/22 20:12 UTC
The Show Must Go On, Queen: checkmarx[.]zone/vsx, 03/23 12:53 UTC
Bad Apple!!, Touhou (English Remaster): checkmarx[.]zone, 03/24 13:39 UTC
Mr. Trololo, Eduard Khil: nsa[.]cat, Attacker VPS

Myth #1: "hackerbot-claw compromised Trivy"
Reality: hackerbot-claw is an automated penetration testing bot that scans GitHub for vulnerable projects—its user agent and behavioral patterns differ from the main attacker. MegaGame10418 is the actor who exploited the February 27 PwnRequest, exfiltrating the aqua-bot PAT. Aqua's official post-mortem confirms: "The user agent and behavioral patterns of hackerbot-claw are different than the other events inspected."

Myth #2: "Malicious commits landed in Trivy's main branch"
Reality: The imposter commits (1885610c, 70379aad) never merged into main. They exist in GitHub's object store due to cross-fork object sharing. The attack worked because a malicious tag (v0.69.4) was pushed that referenced these orphan commits—triggering CI/CD builds without any merge or review.

Myth #3: "GhostClaw is related to TeamPCP"
Reality: GhostClaw is a separate campaign with different TTPs and IOCs. TeamPCP uses tag hijacking and CI/CD exploitation; GhostClaw uses npm typosquatting and AI workflow hooks. Different infrastructure (registrars, C2 patterns), more social engineering-focused payloads (fake CLI installers with progress bars), and different persistence mechanisms (shell hooks, cron jobs vs. GitHub Actions). No shared IOCs or attribution overlap identified.

This site was created by Rami McCarthy, Principal Security Researcher @ Wiz.
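A defender-side check for the two tag behaviours described above (tags force-pushed to new commits, and a tag referencing commits that never merged into main), as an added example that is not code from the original site or from Aqua. It reads text in the format printed by `git rev-list --parents` and `git show-ref --tags`; the commit ids, the graph, the v0.69.3 tag and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample (not incident data), in `git rev-list --parents` format:
# "<commit> <parent>...". a* is the main history, f* are orphan commits.
REV_LIST = """
a3a3a3a3 a2a2a2a2
a2a2a2a2 a1a1a1a1
a1a1a1a1
f2f2f2f2 f1f1f1f1
f1f1f1f1 a2a2a2a2
"""
# Constructed tag snapshots, "<sha> refs/tags/<name>", taken before and after.
TAGS_BEFORE = "a1a1a1a1 refs/tags/v0.2.0\na2a2a2a2 refs/tags/v0.69.3\n"
TAGS_AFTER = ("f2f2f2f2 refs/tags/v0.2.0\na2a2a2a2 refs/tags/v0.69.3\n"
              "f2f2f2f2 refs/tags/v0.69.4\n")

def parse_parents(text):
    """Map each commit id to the list of its parent ids."""
    graph = {}
    for line in text.splitlines():
        if line.strip():
            commit, *parents = line.split()
            graph[commit] = parents
    return graph

def parse_refs(text):
    """Map tag name to the commit id it points at (lightweight tags assumed)."""
    refs = {}
    for line in text.strip().splitlines():
        sha, ref = line.split()
        refs[ref[len("refs/tags/"):]] = sha
    return refs

def ancestors(graph, head):
    """Every commit reachable from head by following parent links."""
    seen, queue = {head}, deque([head])
    while queue:
        for parent in graph.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def audit_tags(graph, main_head, before, after):
    """Flag tags that moved between snapshots or point outside main's history."""
    on_main, findings = ancestors(graph, main_head), []
    for tag, sha in sorted(after.items()):
        if tag in before and before[tag] != sha:
            findings.append((tag, "moved"))
        if sha not in on_main:
            findings.append((tag, "off-branch"))
    return findings

def run_sample():
    return audit_tags(parse_parents(REV_LIST), "a3a3a3a3",
                      parse_refs(TAGS_BEFORE), parse_refs(TAGS_AFTER))
```

A tag flagged "off-branch" is not malicious by itself (release branches produce the same result), so the finding is a prompt to review the tagged commit before any workflow consumes it.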
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.