When Your Security Scanner Becomes the Weapon: Lessons from the Trivy Supply Chain Attack
📰 Dev.to · Toni Antunovic
The TeamPCP group hijacked 75 tags of trivy-action on GitHub, turning every CI/CD pipeline that pulled Trivy through one of those tags into a silent credential-exfiltration machine. Here is what happened, why it worked, and how to harden your scanner setup before the next campaign.
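The attack worked because a GitHub Actions tag is a mutable pointer: whoever controls the repository can move `0.28.0` or `v1` to a new commit, and every workflow that references the tag picks up the new code on its next run. The standard mitigation is to reference actions by full commit SHA, which cannot be retargeted. The following is an added example, not code from the article or from the Trivy project: a small checker that finds `uses:` entries in a workflow that are not SHA-pinned and rewrites a chosen one to a pinned form. The sample workflow, the version number and the commit SHA in it are constructed for illustration and do not correspond to any real trivy-action release.

```python
import re

# Constructed sample workflow for this example (not taken from the article).
# Line 9 references trivy-action by a mutable tag, the kind of reference a
# tag hijack retargets; line 13 references it by a full commit SHA (made up here).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image (mutable tag)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: myorg/app:latest
      - name: Scan image (pinned to a commit)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.28.0
      - uses: ./.github/actions/local-helper
"""

# Matches `uses: owner/repo@ref` (optionally quoted) and captures the whole reference.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref):
    """A reference is immutable only if it is a full 40-hex commit SHA.
    Tags and branches (v4, 0.28.0, main) can be moved, or deleted and re-created."""
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every `uses:` entry that is not SHA-pinned.
    Local actions (./path) and docker:// images are out of scope here and skipped."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        # A missing @ref yields ref == "", which resolves to the default branch
        # and is therefore just as mutable as a tag.
        action, _, ref = target.partition("@")
        if not is_pinned(ref):
            findings.append((line_no, action, ref))
    return findings


def pin_action(workflow_text, action, ref, sha):
    """Rewrite `uses: action@ref` to `uses: action@sha # ref`, keeping the readable
    version as a trailing comment so reviewers and update bots can still see it.
    The SHA must be resolved out of band (for example with
    `git ls-remote https://github.com/<action> <ref>`) and checked against the
    release you expect before it is trusted."""
    if not is_pinned(sha):
        raise ValueError("refusing to pin to anything but a full commit SHA")
    old = f"{action}@{ref}"
    new = f"{action}@{sha} # {ref}"
    out = []
    for line in workflow_text.splitlines(keepends=True):
        m = USES_RE.match(line)
        if m and m.group(1) == old:
            line = line.replace(old, new, 1)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<default branch>'} is not SHA-pinned")
```

Two caveats apply to this check. A SHA pin stops a tag from being retargeted, but it does nothing if the pinned commit itself is malicious, so the commit should be reviewed when it is first adopted and then bumped only through an update bot that proposes explicit SHA changes. It also covers only the action reference: an action that downloads a scanner binary or database at run time, as trivy-action does for Trivy, needs those downloads version-locked and checksummed separately.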