Trivy ecosystem supply chain briefly compromised

On March 19, 2026, the Trivy ecosystem suffered a supply chain attack involving malicious releases and GitHub Action tag hijacking. Attackers deployed credential-stealing malware, necessitating immediate secret rotation and version updates for affected users.

Summary

On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits.

Root Cause

This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.

Affected Components

Exposure Window

| Component | Start (UTC) | End (UTC) | Duration | | :--- | :--- | :--- | :--- | | trivy v0.69.4 | 2026-03-19 18:22 | 2026-03-19 ~21:42 | ~3 hours | | trivy-action | 2026-03-19 ~17:43 | 2026-03-20 ~05:40 | ~12 hours | | setup-trivy | 2026-03-19 ~17:43 | 2026-03-19 ~21:44 | ~4 hours |

Attack Details

Trivy v0.69.4 binary and container images

The attacker created a malicious release by:

Pushing a commit (1885610c) that swapped the actions/checkout reference to an imposter commit (70379aad) containing a composite action that downloaded malicious Go source files from a typosquatted domain
Adding --skip=validate to goreleaser to bypass binary validation
Tagging this commit as v0.69.4, triggering the release pipeline

The compromised release was distributed across different channels: GHCR, ECR Public, Docker Hub (both 0.69.4 and latest tags), deb/rpm packages, and get.trivy.dev.

trivy-action tag hijacking

The attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into entrypoint.sh. The malicious code executes before the legitimate Trivy scan and does the following:

Dumps Runner.Worker process memory via /proc/<pid>/mem to extract secrets. Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, .env files, database credentials, and cryptocurrency wallets.
Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.
Transmits to attacker-controlled infrastructure. If exfiltration fails and INPUT_GITHUB_PAT is set, creates a public tpcp-docs repository on the victim's GitHub account and uploads stolen data as a release asset.

setup-trivy release replacement

All 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious action.yaml contained the same infostealer as trivy-action, injected as a "Setup environment" step that executes before the legitimate Trivy installation.

Who is NOT Affected

Users who pinned trivy to v0.69.3 or earlier.
Users who pulled container images by digest.
Users who referenced [email protected].
Users who pinned trivy-action or setup-trivy to a safe commit SHA.

Recommended Actions

Update to Known-Safe Versions

Trivy binary: v0.69.2, v0.69.3
trivy-action: v0.35.0
setup-trivy: v0.2.6

Rotate All Potentially Exposed Secrets

If there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately.

Audit and Pinning

Audit Trivy versions and GitHub Action references used in your organization.
Search for exfiltration artifacts like repositories named tpcp-docs.
Pin GitHub Actions to full, immutable commit SHA hashes instead of mutable version tags.

Source: Hacker News