Hackers have compromised nearly every version of Aqua Security‘s Trivy vulnerability scanner in an ongoing supply-chain attack, stealing developer credentials, cloud keys, and authentication secrets from any pipeline that ran a scan.
Trivy maintainer Itay Shakury confirmed the breach on Friday. The attack began in the early hours of Thursday, when a threat actor used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to point to malicious dependencies. Spoofed version tags include the widely used @0.34.2, @0.33, and @0.18.0. Version @0.35.0 appears to be the only one unaffected.
Security firms Socket and Wiz identified malware embedded across 75 compromised trivy-action tags. Once a Trivy scan runs, the malicious binary executes alongside the legitimate scanner, silently sweeping developer machines and CI/CD pipelines for GitHub tokens, cloud credentials, SSH keys, and Kubernetes tokens. It then compresses and encrypts the stolen data before sending it to an attacker-controlled server at https://scan.aquasecurtiy[.]org — a domain spoofing Aqua Security‘s own infrastructure. If that request fails, the malware attempts to use a stolen GITHUB_TOKEN to create a repository named tpcp-docs and post the data there.
“When the malicious binary is executed it starts both the legitimate trivy service and the malicious code in parallel,” Wiz researchers wrote. “If it detects it is on a developer machine it additionally writes a base64 encoded python dropper for persistence.”
The root cause traces to a separate incident last month in which attackers compromised a credential with write access to the Trivy GitHub account through the Aqua Trivy VS Code extension. Maintainers rotated tokens in response, but the process was not fully atomic — meaning credential artifacts including API keys, certificates, and passwords were not completely eliminated. According to the announcement, that residual access is what enabled Thursday’s attack, allowing the threat actor to perform authenticated operations without exploiting GitHub itself.
A technique built to evade detection
Rather than pushing a new commit or creating a new release — actions that would appear in commit history and trigger notifications — the attacker force-pushed 75 existing version tags to point to new malicious commits. A forced push overrides a default git safety mechanism that normally prevents overwriting existing commits. Because many security monitoring tools watch for new commits rather than tag reassignments, the method sidestepped common defenses. Trivy carries 33,200 stars on GitHub, a signal of widespread adoption that amplifies the potential reach of the compromise across developer organizations globally.
What affected users should do now
“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury wrote.
Any CI/CD pipeline referencing a compromised tag executes malicious code the moment a Trivy scan is triggered, according to Socket. Organizations that cannot confirm they ran only version @0.35.0 should assume credentials have been exfiltrated and act accordingly.
Photo by Berat Bozkurt on Unsplash
This article is a curated summary based on third-party sources. Source: Read the original article
