Provenance Record

{"https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html":"Confirmed: TeamPCP group, 75 of 76 version tags hijacked, 'TeamPCP Cloud stealer' payload, credential theft targets (SSH keys, cloud tokens, K8s tokens, crypto wallets), AES-256/RSA-4096 encryption, typosquatted domain scan.aquasecurtiy[.]org, tj-actions/changed-files precedent.","https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/":"Returned 403 (bot blocked). However, CSO Online and The Hacker News independently confirm the same details: v0.69.4 malicious binary distributed via GitHub Releases, Docker Hub, GHCR, ECR; aqua-bot service account exploited; setup-trivy 7 tags compromised.","https://www.csoonline.com/article/4148317/trivy-vulnerability-scanner-backdoored-with-credential-stealer-in-supply-chain-attack.html":"Confirmed: Late February misconfiguration, incomplete credential rotation on March 1, over 10,000 GitHub workflow files referencing trivy-action (article says 10,000+), blast radius details. Note: CSO Online says 32,000+ GitHub stars and 100M+ Docker Hub downloads.","https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html":"Confirmed: CanisterWorm self-propagating npm worm, ICP blockchain C2 with three canister methods (get_latest_link, http_request, update_link), systemd persistence as 'pgmon', .npmrc token theft, 47 initially infected packages expanding to 141 artifacts across 66+ unique packages. Socket security firm attributed. Python backdoor queries ICP canister every 50 minutes.","https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23":"Confirmed: Remediation guidance, safe versions (v0.69.2/v0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6), SHA pinning recommendation, tpcp-docs exfiltration fallback. Note: advisory says 76 of 77 tags hijacked (article says 75 of 76) and ~17 hours exposure (article says ~12 hours). The '767 repositories' statistic attributed to this advisory was not found in the fetched version."}

Core narrative is accurate and well-sourced. Two minor discrepancies noted: (1) the article says '75 of 76 version tags' while the Aqua advisory says '76 of 77' — the article may have been written when one fewer tag was counted; (2) the article says '12-hour exposure window' but the advisory indicates ~17 hours. The statistic about '45 of 767 repositories' attributed to the Aqua advisory was not found in the current version of that advisory. These are minor discrepancies that do not materially affect the article's accuracy.

High-quality cybersecurity news article covering a significant supply chain attack. Despite minor numeric discrepancies that likely reflect the evolving nature of incident reporting, the core narrative is accurate and well-attributed. The article effectively explains the technical novelty of blockchain-based C2 infrastructure. Approved with notes on minor discrepancies.