<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:656349305;
mso-list-type:hybrid;
mso-list-template-ids:1064310838 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:46.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:82.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:118.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:154.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:190.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:226.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:262.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:298.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:334.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:891119275;
mso-list-type:hybrid;
mso-list-template-ids:-428328150 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:46.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:82.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:118.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:154.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:190.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:226.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:262.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:298.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:334.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:897281582;
mso-list-type:hybrid;
mso-list-template-ids:1683791206 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:46.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:82.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:118.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:154.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:190.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:226.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:262.5pt;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:298.5pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:334.5pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:1927877868;
mso-list-type:hybrid;
mso-list-template-ids:-847713730 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Good morning,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">The SOC Services team is reporting on a critical supply chain vulnerability, CVE-2026-33634, affecting Aqua Security Trivy and its associated GitHub Actions. Because of evidence of active exploitation
by a threat actor known as "TeamPCP," we are providing this in-depth information.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">History:</span></u></b><span style="font-family:"Calibri",sans-serif"> On March 19, 2026, it was reported that a threat actor used compromised credentials to inject credential-stealing
malware into official Trivy releases. This incident is a continuation of a supply chain attack that began in late February 2026. The CVSS v4.0 base score is 9.4 (Critical) by GitHub. As of March 26, 2026, A CVSSv3 score has not currently been assessed or assigned<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Affected Versions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l1 level1 lfo1"><span style="font-family:"Calibri",sans-serif">aquasecurity/trivy (Go / Container image): Version 0.69.4, 0.69.5, and 0.69.6.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l1 level1 lfo1"><span style="font-family:"Calibri",sans-serif">aquasecurity/trivy-action (GitHub Action): Versions 0.0.1 through 0.34.2 (specifically 76 out of 77 version tags were hijacked).<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l1 level1 lfo1"><span style="font-family:"Calibri",sans-serif">aquasecurity/setup-trivy (GitHub Action): Versions 0.2.0 through 0.2.6 (all 7 tags were replaced with malicious commits).<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Fixed Versions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l2 level1 lfo2"><span style="font-family:"Calibri",sans-serif">trivy binary: Versions 0.69.2 and 0.69.3 are known safe; ensure you are not on the compromised 0.69.4–0.69.6 branch.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l2 level1 lfo2"><span style="font-family:"Calibri",sans-serif">trivy-action: Version 0.35.0.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l2 level1 lfo2"><span style="font-family:"Calibri",sans-serif">setup-trivy: Version 0.2.6 (recreated with a safe commit).<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">A threat actor force-pushed malicious commits to trusted version tags, allowing for the execution of a credential harvester during legitimate security scans.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif">Vendor Advisory:</span></b><span style="font-family:"Calibri",sans-serif">
</span><a href="https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23" target="_blank"><span style="font-family:"Calibri",sans-serif;color:blue">GitHub Advisory GHSA-69fq-xp46-6x23</span></a><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Intelligence:
</span></u></b><span style="font-family:"Calibri",sans-serif">On March 26, 2026, CISA confirmed and added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <b>Exploitability Level:</b> Low Complexity, Network Exploitability<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <b>Complexity:</b> Low<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <b>User Interaction:</b> None (triggered by automated CI/CD workflows)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <b>Remotely Exploitable:</b> Yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <b>Proof of Concept:</b> Published/Active<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <b>Zero Day:</b> No (discovered during active exploitation)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Workarounds:</span></u></b><span style="font-family:"Calibri",sans-serif"> Pin GitHub Actions to full, immutable commit SHA hashes rather than using mutable version tags.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">How it Works:</span></u></b><span style="font-family:"Calibri",sans-serif"> The attacker leveraged compromised credentials to reassign mutable Git tags to malicious commits. When a CI/CD
pipeline pulls the "latest" or a specific version tag (e.g., @v0.34.0), it executes a malicious entrypoint.sh that steals environment secrets (like GitHub PATs) and exfiltrates them to a typosquatted domain (scan[.]aquasecurtiy[.]org) before running the actual
scan.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Post-Exploit Impact:<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="font-family:"Calibri",sans-serif">Credential Theft: Exfiltration of all secrets accessible to the CI/CD pipeline.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="font-family:"Calibri",sans-serif">Supply Chain Poisoning: Use of stolen credentials to further compromise downstream repositories.
<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Indicators of Compromise (IoCs):<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="208" valign="top" style="width:155.8pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><u><span style="font-family:"Calibri",sans-serif">Type<o:p></o:p></span></u></b></p>
</td>
<td width="208" valign="top" style="width:155.85pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><u><span style="font-family:"Calibri",sans-serif">Value<o:p></o:p></span></u></b></p>
</td>
<td width="256" valign="top" style="width:191.95pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><b><u><span style="font-family:"Calibri",sans-serif">Description/Notes<o:p></o:p></span></u></b></p>
</td>
</tr>
<tr>
<td width="208" valign="top" style="width:155.8pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Domain<o:p></o:p></span></p>
</td>
<td width="208" valign="top" style="width:155.85pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">scan[.]aquasecurtiy[.]org<o:p></o:p></span></p>
</td>
<td width="256" valign="top" style="width:191.95pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Typosquatted exfiltration endpoint<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="208" valign="top" style="width:155.8pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">IP Address<o:p></o:p></span></p>
</td>
<td width="208" valign="top" style="width:155.85pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">45.148.10.212<o:p></o:p></span></p>
</td>
<td width="256" valign="top" style="width:191.95pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">C2 server located in Amsterdam<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="208" valign="top" style="width:155.8pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Repository<o:p></o:p></span></p>
</td>
<td width="208" valign="top" style="width:155.85pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">tpcp-docs<o:p></o:p></span></p>
</td>
<td width="256" valign="top" style="width:191.95pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Public repo created in victim orgs as a fallback exfiltration channel<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Tenable Plugins:</span></u></b><span style="font-family:"Calibri",sans-serif"> As of March 26, 2026, there has not been any release of Tenable plugins or plugins currently in their pipeline.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Recommended Actions:<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif">Date Added to KEV Catalog:</span></b><span style="font-family:"Calibri",sans-serif"> March 26, 2026<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif">Due Date for Remediation<u>:</u></span></b><span style="font-family:"Calibri",sans-serif"> April 16, 2026 (standard 3-week KEV window)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l0 level1 lfo4"><span style="font-family:"Calibri",sans-serif">Rotate all secrets (tokens, passwords, keys) that were accessible to any pipeline that ran a compromised Trivy version between March
19–22, 2026.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l0 level1 lfo4"><span style="font-family:"Calibri",sans-serif">Audit GitHub Organizations for the presence of a repository named tpcp-docs, which indicates successful data exfiltration.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l0 level1 lfo4"><span style="font-family:"Calibri",sans-serif">Verify host has not been compromised before applying patches.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l0 level1 lfo4"><span style="font-family:"Calibri",sans-serif">Apply appropriate updates provided by the vendor to vulnerable systems after testing.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l0 level1 lfo4"><span style="font-family:"Calibri",sans-serif">Run all software as a non-privileged user to reduce the impact of a successful attack.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:10.5pt;mso-list:l0 level1 lfo4"><span style="font-family:"Calibri",sans-serif">Apply the Principle of Least Privilege to all systems and services.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Steve Ketchum, CISSP</span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Security Analyst II<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Enterprise Information Services<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Cyber Security Services | CSS<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">PH: (971) 707-1693 |SOC Hotline: (503) 378-5930<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:none"><img border="0" width="54" height="54" style="width:.5625in;height:.5625in" id="Picture_x0020_2" src="cid:image001.png@01DCBD1E.A5447D70"></span><span style="font-size:11.0pt;mso-ligatures:none"> <img border="0" width="205" height="53" style="width:2.1354in;height:.552in" id="Picture_x0020_1" src="cid:image002.png@01DCBD1E.A5447D70"> <o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>