Quiet across tracked channels.
aquasecurity/trivy sits at 35,023 GitHub stars with steady Go traction — organic growth keeps it on the trending list.
0 stars 24h | 0 7d
0 in 24h | 1 source
0/6 channels firing
no linked package yet
Each channel contributes 0-1. Per-channel tiers: GitHub (breakout 1.0 / hot 0.7 / rising 0.4), HN (front-page 1.0 / ≥3 mentions 0.7 / 1-2 mentions 0.4), Bluesky (≥5 mentions 1.0 / 2-4 0.7 / 1 0.4), dev.to (≥3 articles 1.0 / 2 0.7 / 1 0.4), Reddit (corpus-normalized 48h velocity), X (≥10 mentions 24h 1.0 / 3-9 0.7 / 1-2 0.4).
* Reddit bar shows a per-repo velocity proxy (raw score / 100); the score formula uses the corpus-normalized version so a single repo's bar may not match its contribution to the corpus-wide ranking.
// KNOWN REPO · PACKAGE · LAUNCH · SITE SURFACES
Next-generation cloud native security
Ranked confirmation layer for repo-specific X buzz in the last 24h.
10 GitHub repos every cloud security expert needs to know:
1. ScoutSuite: multi-cloud security auditing for AWS, Azure, and GCP. github.com/nccgroup/ScoutSui…
2. Trivy: scans container images, Git repos, and cloud configs for vulnerabilities. github.com/aquasecurity/triv…
3. OPA: the standard policy engine for Kubernetes, Terraform, and APIs. github.com/open-policy-agent…
4. Prowler: 300+ security checks covering CIS, GDPR, HIPAA, and SOC2 across major clouds. github.com/prowler-cloud/pro…
5. Checkov: scans Terraform, CloudFormation, and Dockerfiles for security issues before production. github.com/bridgecrewio/chec…
6. Cloudsplaining: exposes AWS IAM least privilege violations fast. IAM misconfig is the number one cloud breach vector. github.com/salesforce/clouds…
7. Stratus Red Team: cloud adversary emulation mapped to MITRE ATT&CK for purple team exercises. github.com/DataDog/stratus-r…
8. Pacu: AWS exploitation framework for cloud pentests. The Metasploit of AWS. github.com/RhinoSecurityLabs…
9. Gitleaks: catches secrets, API keys, and credentials leaked into Git repos. github.com/gitleaks/gitleaks
10. AWS Security Tools Arsenal: curated index of every open-source AWS security tool you need. github.com/toniblyx/my-arsen…
Star these repos. The cloud security professionals who know these tools are the ones getting hired. For more on AI and cybersecurity opportunities, subscribe to my YouTube channel: invidious.tiekoetter.com/@victorakinode
Returned by a high-confidence repo query and contains a visible project phrase, but the exact URL, slug, or package name was not visible.
On March 19, 2026, TEAM PCP @pcpcats successfully compromised Aqua Security’s Trivy vulnerability scanner. They force-pushed malicious code to 76 of 77 version tags in the aquasecurity/trivy-action repository. Any CI/CD pipeline using these tags automatically pulled a Cloud Stealer that scraped memory (/proc/*/mem), harvested AWS/GCP/Azure metadata, and bundled secrets into an encrypted file.
The malware executed the legitimate Trivy scan after stealing credentials, meaning pipelines still showed a Green/Pass status while being drained of secrets.
Impacted Organizations
While over 1,000 SaaS environments and 10,000+ workflows are estimated to be affected, two major entities have been the focus of recent reports:
EU Commission (Confirmed): CERT-EU confirmed a breach of the Commission’s AWS-based Europa platform.
Scope: Approximately 91.7 GB of compressed data (340 GB uncompressed) was exfiltrated. This included 52,000 email-related files and impacted 29 other EU agencies.
Status: Detection occurred on March 24; the data was reportedly leaked by ShinyHunters on March 28 after extortion failed.
Cisco
The Claim: Threat intelligence reports (specifically from Black Kite and others) indicate that a development environment linked to Trivy led to the theft of Cisco source code. Cisco has remained notably quiet compared to the EU Commission’s transparency. While their Talos team is actively monitoring the threat actor group, a formal public Statement of Impact regarding the specific Trivy-linked source code theft has not been released as of April 6.
TeamPCP and their affiliates (including the Vect ransomware group) set deadlines for organizations to negotiate before their harvested credentials and stolen data are sold or leaked. Since the deadline has passed, security researchers expect a surge in secondary attacks.
Threat actors are now likely using the stolen AWS/Azure keys to move laterally into production environments of the 1,000+ affected orgs. If you are managing environments that use Trivy, the window for preventative action has closed. You are now in Incident Response mode. Godspeed brothers
Contains the exact GitHub repo slug.
Trivy GitHub Action Hijacked to Steal CI/CD Secrets Across Thousands of Pipelines
In a targeted supply chain attack, threat actors compromised two official GitHub Actions used by the Trivy vulnerability scanner, turning trusted version tags into a stealthy infostealer distribution channel. The attackers force-pushed malicious commits to 75 out of 76 version tags in the [aquasecurity/trivy-action] repository and seven tags in [aquasecurity/setup-trivy]. This breach served as the entry point for a broader campaign that would later cascade into the compromise of LiteLLM packages, npm ecosystems, and a self-propagating worm.
🎯 The Initial Attack
The adversary didn't exploit a vulnerability in Git or GitHub. They had valid credentials with sufficient privileges to push code and rewrite existing tags. Using those credentials, they force-pushed malicious commits to version tags without creating new releases or pushing to standard branches.
→ 75 tags in aquasecurity/trivy-action were poisoned.
→ 7 tags in aquasecurity/setup-trivy were also modified.
→ Trusted version references became distribution channels for malware.
TeamPCP Cloud Stealer
The payload executes within GitHub Actions runners and targets sensitive data in CI/CD environments: SSH keys, Cloud service provider credentials, Database connection strings, Git and Docker configurations, Kubernetes tokens, Cryptocurrency wallets.
⚠️ The Three-Stage Stealer:
→ Harvest: Scrapes environment variables from runner process memory and the file system.
→ Encrypt: Packages stolen data into an encrypted archive.
→ Exfiltrate: Sends the archive to an attacker-controlled server at scan.aquasecurtiy[.]org.
The source code self-identifies as TeamPCP Cloud stealer.
🔁 The Cascading Impact
This Trivy compromise was the seed. Stolen credentials from CI/CD environments enabled the attackers to:
→ Backdoor LiteLLM packages on PyPI.
→ Compromise multiple npm packages with a self-propagating worm.
→ Harvest credentials from downstream environments, expanding their reach.
The loop that followed: Trivy compromised, credentials stolen, those credentials used to compromise LiteLLM and npm packages, which in turn harvested more credentials, traces back to this initial breach.
🛡️ What to Do Now
If you used aquasecurity/trivy-action or aquasecurity/setup-trivy during the compromise window:
→ Rotate all secrets present in your CI/CD environment immediately. Assume everything is compromised.
→ Block exfiltration domain scan.aquasecurtiy[.]org and IP 45.148.10[.]212 at the network level.
→ Check GitHub accounts for repositories named tpcp-docs. This may indicate successful exfiltration via a fallback mechanism.
🛡️ Long-Term Hardening
→ Pin GitHub Actions to full SHA hashes, not version tags. Version tags can be moved to point at malicious commits, as demonstrated in this attack.
→ Audit CI/CD credentials and enforce least privilege.
→ Monitor for unusual tag modifications in your repositories.
Trivy, a tool designed to secure the software supply chain, became the entry point for compromising it. The attacker didn't need to break into GitHub. They used legitimate credentials to rewrite history, turning trusted version tags into a silent distribution channel for malware and the attack loop started here.
Contains the exact GitHub repo slug.
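The pinning advice in the post above, as an added example that is not part of the original post or of the Trivy project: a Python check that lists every remote `uses:` reference in a workflow file and flags any that is not a full 40-character commit SHA, marking the two actions the post names. The sample workflow, its tag names and the SHA are constructed; the function and verdict names are hypothetical.

```python
import re

# Actions the post above names as having had version tags force-pushed.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_no, repo, ref, verdict) for each remote `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, ref = target.partition("@")
        repo = "/".join(action.split("/")[:2]).lower()  # owner/repo/subdir -> owner/repo
        if FULL_SHA_RE.fullmatch(ref.lower()):
            verdict = "pinned"  # immutable ref; says nothing about whether that commit is clean
        elif repo in AFFECTED:
            verdict = "affected-action-mutable-ref"
        else:
            verdict = "mutable-ref"  # tag or branch: can be moved to another commit
        findings.append((line_no, repo, ref, verdict))
    return findings


# Constructed sample workflow (tags and SHA are placeholders, not real releases).
SAMPLE = """\
name: scan
on: push
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Scan
        uses: aquasecurity/trivy-action@master
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding)
```

A `pinned` verdict only means the reference cannot be moved; the pinned commit itself still has to be one you have reviewed or that predates the compromise window.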
Trivy GitHub Action Hijacked to Steal CI/CD Secrets
Attackers compromised two official GitHub Actions used by Trivy, force-pushing malicious commits to 75 version tags in aquasecurity/trivy-action and seven tags in aquasecurity/setup-trivy. This was the initial breach that later cascaded into the LiteLLM backdoor and npm worm campaign.
The Attack: Attacker had valid credentials with tag-write privileges. Force-pushed malicious code to existing version tags—no new releases, no branches. Trusted tags became malware distribution channels.
The Payload: TeamPCP Cloud Stealer. Harvests SSH keys, cloud creds, DB strings, Kubernetes tokens, crypto wallets from runner memory and filesystem. Encrypts stolen data. Exfiltrates to scan.aquasecurtiy[.]org.
The Cascade: Stolen credentials from this breach were used to backdoor LiteLLM on PyPI and compromise npm packages with a self-propagating worm. Each compromise harvested more credentials, feeding the next.
What to Do: Rotate all CI/CD secrets immediately. Block scan.aquasecurtiy[.]org and IP 45.148.10[.]212. Check GitHub for repos named tpcp-docs (fallback exfiltration indicator). Pin GitHub Actions to full SHA hashes, not version tags.
This breach started the loop: Trivy → credentials stolen → LiteLLM, npm compromised → more credentials stolen. Secure your pipeline before it becomes the next link.
Contains the exact GitHub repo slug.
Who scans the scanners? Trivy ecosystem supply chain temporarily compromised · Critical · itaysk published GHSA-69fq-xp46-6x23 last week github.com/aquasecurity/triv…
Returned by a high-confidence repo query and contains a visible project phrase, but the exact URL, slug, or package name was not visible.