A major security breach has hit the popular open-source vulnerability scanner Trivy, marking its second supply chain compromise in a very short period. This latest attack targeted the official GitHub Actions associated with the tool, specifically impacting aquasecurity/trivy-action and aquasecurity/setup-trivy. By gaining unauthorized access, the attackers were able to force-push 75 out of 76 version tags in the primary action repository, turning trusted historical version references into delivery vehicles for a malicious infostealer payload.

The primary objective of this malicious payload is the extraction of high-value secrets from CI/CD environments. When these GitHub Actions are triggered, the malware scans the runner environment for sensitive data such as SSH keys, cloud provider credentials, database logins, and Kubernetes tokens. It also looks for Docker configurations and cryptocurrency wallets, aiming to provide the attackers with deep access to the victim's broader infrastructure and development pipeline.

This incident follows a similar attack that occurred in late February and early March 2026 involving an autonomous bot. In that previous case, the bot exploited a specific workflow vulnerability to steal a personal access token, which was then used to hijack the GitHub repository and distribute malicious versions of Trivy's Visual Studio Code extension. The recurring nature of these breaches suggests a persistent and targeted effort to undermine the security of the Trivy ecosystem.

Security researchers first noticed the current compromise when a rogue version was published to the main repository. Technical analysis revealed that the malicious code runs alongside the legitimate Trivy service to avoid detection. Once active, it gathers environmental variables and credentials, encrypts the stolen information, and exfiltrates it to a deceptive domain. Furthermore, the malware attempts to establish long-term persistence on developer machines by installing a hidden system service that communicates with a remote server for further instructions.

Aqua Security confirmed that the attackers utilized compromised credentials to bypass standard release practices. Instead of creating new branches or official releases, the adversary manipulated existing version tags to point to malicious commits containing a Python-based infostealer. While the rogue versions have since been removed, the event highlights a critical vulnerability in how developers trust version tags within automated workflows and the significant impact of credential theft in the software supply chain.

Source: https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise