VDB

GCVE-110-OSM-2026-1124

GCVE-110-OSM-2026-1124
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 19, 2026
Legitimate Aqua Security setup-trivy GitHub Action compromised on March 19-20, 2026 as part of the TeamPCP supply-chain attack. 7 of its tags were force-pushed to point to malicious commits via the compromised aqua-bot service account. Malicious action.yaml executes credential harvesting payload that scrapes Runner.Worker process memory, sweeps filesystem for sensitive credentials (SSH, AWS, GCP, Azure, K8s, crypto wallets), encrypts with AES-256-CBC + RSA-4096, and exfiltrates to scan.aquasecurtiy.org and plug-tab-protective-relay.trycloudflare.com. === COMPROMISE === Compromised service account: aqua-bot 7 tags force-pushed to malicious versions Spoofed committers: rauchg, DmitriyLewen Injection point: action.yaml modified to execute malicious payload === PAYLOAD === Memory scraping: /proc/[PID]/mem targeting Runner.Worker process Pattern matching: {"value":"<secret>","isSecret":true} Filesystem sweep: 50+ paths (SSH keys, cloud creds, K8s tokens, crypto wallets, GPG keys, Docker creds, Slack/Twitter creds) === EXFILTRATION === Primary: POST to scan.aquasecurtiy.org (AES-256-CBC + RSA-4096 encrypted tpcp.tar.gz) Cloudflare tunnel: plug-tab-protective-relay.trycloudflare.com Fallback: Creates tpcp-docs GitHub repo via GITHUB_TOKEN, uploads as release asset === PERSISTENCE (dev machines only) === Condition: GITHUB_ACTIONS != true Dropper: ~/.config/systemd/user/sysmon.py C2 polling: https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/ every 50 min Download path: /tmp/pglog

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›