<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[(opensourcemalware.com) CNCF Project Antrea Compromised via Supply Chain Attack and Malicious GitHub Actions Pwn Request]]></title><description><![CDATA[<p>In brief - The CNCF project Antrea was compromised via a multi-stage supply chain attack involving malicious GitHub Actions (Trivy) and a crafted pull request targeting Jenkins. Threat actor TeamPCP exfiltrated AWS credentials and gained root access to Antrea’s CI/CD pipeline, exploiting mutable tags and insufficient PR validation.</p><p>Technically - The attack began with the March 2026 compromise of Trivy’s GitHub Actions (`aquasecurity/trivy-action`, `aquasecurity/setup-trivy`), enabling secret exfiltration from CI runners. Antrea’s use of mutable tags exposed its pipeline, leading to AWS credential theft. On May 2, 2026, the attacker (0xedgerunner) submitted PR #8027 with a Jenkins Job DSL payload, executing arbitrary code via slash-commands (`/test-*`). The payload used Python deserialization, bash injection, and exfiltrated data to `paste.rs`/`webhook.site`.
IOCs include IP `35.164.122.165`, spoofed committer `tzgate &lt;tzgate@local.lan&gt;`, and branch patterns like `poc/pwn-*`.</p><p>Source: <a href="https://opensourcemalware.com/blog/antrea-compromise2" rel="nofollow noopener">https://opensourcemalware.com/blog/antrea-compromise2</a></p><p><a href="https://swecyb.com/tags/Cybersecurity" rel="tag">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" rel="tag">#ThreatIntel</a></p>]]></description><link>https://board.circlewithadot.net/topic/f490292e-c71b-49b5-bb45-1a38e5941ae4/opensourcemalware.com-cncf-project-antrea-compromised-via-supply-chain-attack-and-malicious-github-actions-pwn-request</link><generator>RSS for Node</generator><lastBuildDate>Thu, 14 May 2026 23:33:02 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/f490292e-c71b-49b5-bb45-1a38e5941ae4.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 05 May 2026 12:18:28 GMT</pubDate><ttl>60</ttl></channel></rss>