Back Original

Trivy ecosystem supply chain briefly compromised

Summary

On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits.

Root Cause

This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.

Affected Components

Component Type Affected versions Fixed versions
aquasecurity/trivy Go / Container image 0.69.4 (latest tag also affected) 0.69.3
aquasecurity/trivy-action GitHub Actions All tags 0.0.1 – 0.34.2 (76/77) 0.35.0 (unaffected)
aquasecurity/setup-trivy GitHub Actions All 7 tags (v0.2.0 – v0.2.6) v0.2.6 (re-created with safe commit)

Exposure Window

Component Start (UTC) End (UTC) Duration
trivy v0.69.4 2026-03-19 18:22 1 2026-03-19 ~21:42 ~3 hours
trivy-action 2026-03-19 ~17:43 2 2026-03-20 ~05:40 ~12 hours
setup-trivy 2026-03-19 ~17:43 2 2026-03-19 ~21:44 ~4 hours

Attack Details

Trivy v0.69.4 binary and container images

The attacker created a malicious release by:

  1. Pushing a commit (1885610c) that swapped the actions/checkout reference to an imposter commit (70379aad) containing a composite action that downloaded malicious Go source files from a typosquatted domain
  2. Adding --skip=validate to goreleaser to bypass binary validation
  3. Tagging this commit as v0.69.4, triggering the release pipeline

The compromised release was distributed across different channels: GHCR, ECR Public, Docker Hub (both 0.69.4 and latest tags), deb/rpm packages, and get.trivy.dev.

trivy-action tag hijacking

The attacker force-pushed 76 of 77 version tags to malicious commits that injected an infostealer into entrypoint.sh. The malicious code executes before the legitimate Trivy scan and does the following:

  1. Dumps Runner.Worker process memory via /proc/<pid>/mem to extract secrets. Sweeps 50+ filesystem paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configs, .env files, database credentials, and cryptocurrency wallets.
  2. Encrypts collected data using AES-256-CBC with RSA-4096 hybrid encryption.
  3. Transmits to attacker-controlled infrastructure. If exfiltration fails and INPUT_GITHUB_PAT is set, creates a public tpcp-docs repository on the victim's GitHub account and uploads stolen data as a release asset.

setup-trivy release replacement

All 7 existing tags (v0.2.0 – v0.2.6) were force-pushed to malicious commits. The malicious action.yaml contained the same infostealer as trivy-action, injected as a "Setup environment" step that executes before the legitimate Trivy installation.

Who is NOT Affected

  • Users who pinned trivy to v0.69.3 or earlier
    • v0.69.3 is protected by GitHub's immutable releases feature (enabled March 3, before v0.69.3 was published)
    • v0.69.2 predates this setting but their integrity can be verified via sigstore signatures (see "How to Verify" section below)
  • Users who pulled container images by digest
  • Users who referenced trivy-action@0.35.0
    • 0.35.0 is protected by GitHub's immutable releases feature (enabled March 4, before 0.35.0 was published) and was not affected by the tag hijacking attack
  • Users who pinned trivy-action or setup-trivy to a safe commit SHA

Recommended Actions

Update to Known-Safe Versions

Component Safe Version
Trivy binary v0.69.2, v0.69.3
trivy-action v0.35.0
setup-trivy v0.2.6

Rotate All Potentially Exposed Secrets

Based on information shared above, if there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately.

Audit Trivy Versions

Check whether your organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately.

Audit GitHub Action References

Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. If you referenced a version tag rather than a full commit SHA, check workflow run logs from March 19–20, 2026 for signs of compromise.

Search for Exfiltration Artifacts

Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen.

Pin GitHub Actions to Full SHA Hashes

Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags. As described here: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions

Regarding trivy-action: The original tags (0.0.10.34.2) were deleted during remediation. Because the attacker's force-push caused these tags to be treated as immutable releases by GitHub, they cannot be re-created with the same names. New tags have been published with a v prefix (v0.0.1v0.34.2) pointing to the original legitimate commits. Three tags: v0.0.10, v0.34.1, and v0.34.2 have not yet been restored. If you need to reference a version older than 0.35.0, use the v-prefixed tag (e.g., aquasecurity/trivy-action@v0.34.0 instead of @0.34.0).

How to Verify Existing Installations

Binary verification

# Download binary and sigstore bundle
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz"
curl -sLO "https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json"

# Verify signature
$ cosign verify-blob \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json \
  trivy_0.69.2_Linux-64bit.tar.gz
Verified OK

# Check signing timestamp
$ date -u -d @$(jq -r '.verificationMaterial.tlogEntries[].integratedTime' trivy_0.69.2_Linux-64bit.tar.gz.sigstore.json)
Sat Mar  1 19:11:02 UTC 2026
# ✅ Signed on Mar 1, before the attack on Mar 19

Container image verification

# Verify signature and get image digest
$ cosign verify \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --new-bundle-format \
  ghcr.io/aquasecurity/trivy:0.69.2
Verification for ghcr.io/aquasecurity/trivy:0.69.2 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

# Get digest and check all signing timestamps via Rekor
$ DIGEST=$(cosign verify \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --new-bundle-format -o json ghcr.io/aquasecurity/trivy:0.69.2 2>/dev/null | \
  jq -r '.[0].critical.image."docker-manifest-digest"')

$ rekor-cli search --sha "$DIGEST" | grep -v 'Found' | while read uuid; do
    rekor-cli get --uuid "$uuid" | grep IntegratedTime
  done
IntegratedTime: 2026-03-01T19:13:52Z
IntegratedTime: 2026-03-01T19:13:47Z
IntegratedTime: 2026-03-01T19:13:57Z
IntegratedTime: 2026-03-01T19:13:54Z
IntegratedTime: 2026-03-01T19:13:46Z
IntegratedTime: 2026-03-01T19:13:37Z
# ✅ All signed on Mar 1, before the attack on Mar 19

References