Aqua Security is scrambling to recover from supply chain attacks that first compromised the vendor's Trivy vulnerability scanner, and which have now seen threat actor TeamPCP breach its internal aquasec-com GitHub organisation.
The Open Source Malware community threat database said Aqua's internal GitHub organisation had been defaced, with 44 repositories renamed.
Also known by the monikers DeadCatx3, PCPCat and ShellForce, TeamPCP have prepended "tpcp-docs" to Aqua's repositories, and edited all descriptions to "TeamPCP Owns Aqua Security".
Open Source Malware said its forensic analysis of the GitHub Events application programming interface (API) suggested a compromised service account token for Aqua as the attack vector.
This was likely stolen during the recent TeamPCP compromise of the Trivy GitHub Actions, Open Source Malware said.
Trivy is an open source vulnerability scanner that Aqua maintains; it is designed to detect vulnerabilities and misconfigurations in software before they reach production.
On GitHub, Trivy has over 33,800 stars, and it has over 100 million Docker Hub pulls, indicating it is embedded across cloud-native coding workflows using continuous integration and development (CI/CD) pipelines globally.
Confirming the attack, Aqua said its Trivy team is analysing the incidents and implementing additional security measures across repositories and automation systems within its open source projects.
The security vendor said it has no indication that Trivy versions used within Aqua's commercial products are impacted at this time.
TeamPCP published malicious versions of Trivy, 0.69.4, 0.69.5 and 0.69.6, along with trivy-action and setup-trivy.
These contained a persistent information harvester payload that targeted SSH keys; Amazon Web Services, Google Cloud Platform and Azure files; Kubernetes service tokens; Docker registry credentials; database passwords; Terraform state files and more.
Aqua published a timeline that said the attackers exploited a misconfiguration in Trivy's GitHub Actions environment used for automation, and extracted a privileged access token, in late February this year.
Aqua rotated credentials, but the rotation was not fully comprehensive, and the security vendor said this allowed the attacker to "retain residual access via still valid credentials".
The attackers also typo-squatted a domain, scan.aquasecurtiy.org, which at a quick glance was visually similar to a legitimate Aqua Security name.
Since then, on March 19, TeamPCP force-pushed 76 of 77 version tags (the references consumers select with `@` in their workflows) in the aquasecurity/trivy-action repository so that they point to the group's malware.
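Because the tag retargeting described above only hijacks workflows that reference the action by a mutable tag or branch, the practical mitigation is to pin every third-party action to a full commit SHA and to refuse the attacker-published Trivy versions outright. The script below is an added example written for this article, not Aqua's or Trivy's code: it audits a GitHub Actions workflow file for `uses:` references that are not pinned to a 40-character commit SHA, rates references to `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` as high severity, and flags any `version:` value matching the 0.69.4, 0.69.5 or 0.69.6 releases named in the article. The embedded workflow and its commit SHA are constructed placeholders.

```python
"""Audit a GitHub Actions workflow for references that a retargeted tag could hijack."""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample workflow (not from the article); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
        with:
          version: v0.69.5
      - uses: aquasecurity/trivy-action@master
      - name: Scan image
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # pinned
"""

# Attacker-published Trivy versions named in the article.
MALICIOUS_TRIVY_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}
# Actions whose tags the article reports were force-pushed or republished.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# A full commit SHA is the only reference form that a moved tag cannot redirect.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Heuristic: catches `version: v0.69.5` style inputs (assumed input name for setup-trivy).
VERSION_RE = re.compile(r"""^\s*version:\s*["']?v?(\d+\.\d+\.\d+)""")


class Finding(NamedTuple):
    line_no: int
    kind: str      # "mutable-ref" or "known-bad-version"
    subject: str   # the action@ref spec, or the version string
    severity: str  # "critical", "high" or "medium"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per unpinned action reference or known-bad Trivy version."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            spec = m.group(1)
            if spec.startswith(("./", "docker://")):
                continue  # local or container actions are out of scope here
            action, _, ref = spec.partition("@")
            if SHA_RE.match(ref):
                continue  # pinned to a commit: moving a tag cannot change what runs
            severity = "high" if action in AFFECTED_ACTIONS else "medium"
            findings.append(Finding(line_no, "mutable-ref", spec, severity))
            continue
        v = VERSION_RE.match(line)
        if v and v.group(1) in MALICIOUS_TRIVY_VERSIONS:
            findings.append(Finding(line_no, "known-bad-version", v.group(1), "critical"))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """True when the workflow should fail a CI policy gate."""
    return any(f.severity in ("critical", "high") for f in findings)


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.subject} [{f.severity}]")
    print("blocking" if has_blocking_findings(results) else "clean")
```

The `version:` check is a line-level heuristic rather than a YAML parse, so it will also match unrelated `version:` keys; in a CI gate, pair it with a proper YAML loader and treat the SHA-pinning rule, not the version denylist, as the durable control, since a denylist only covers releases already known to be bad.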
Aqua said it has engaged an incident response company, Sygnia, to help it with forensic investigation and remediation.
Security vendor Wiz attributed the Trivy attacks to TeamPCP, after the group's credential stealer identified itself as 'TeamPCP Cloud stealer' in its source code.
The same Internet Computer Protocol blockchain address used as command-and-control infrastructure for the Trivy payload also underpinned CanisterWorm, a self-propagating worm that used stolen access tokens to infect 47 packages across the npm registry.