Trivy Supply Chain Attack Targets CI/CD Secrets

APPLICATION SECURITY THREAT INTELLIGENCE VULNERABILITIES & THREATS CYBERATTACKS & DATA BREACHES NEWS Trivy Supply Chain Attack Targets CI/CD Secrets A threat actor used the open source security tool to deploy an infostealer into CI/CD workflows and steal cloud credentials, SSH keys, tokens, and other sensitive secrets. Jai Vijayan,Contributing Writer March 23, 2026 4 Min Read SOURCE: IMAGEFLOW VIA SHUTTERSTOCK A threat actor is systematically targeting cloud credentials, SSH keys, authentication tokens, and other sensitive secrets stored in automated enterprise software build and deployment pipelines after compromising Trivy, the widely used cloud security scanning tool. Trivy is an open source scanner that organizations use to identify vulnerabilities in container images, code repositories, and infrastructure configurations. Many organizations have embedded Trivy deep into their automated CI/CD software development pipelines, making it a high-value target for attackers. Aqua Security, the primary maintainer of the scanner, sells a separate commercial version of Trivy, which, according to the company, does not appear to have been impacted by the supply chain attack. Multistage Supply Chain Attack The compromise began in February, when the attacker exploited a misconfiguration in Trivy’s GitHub Action component to steal a privileged access token. The attacker subsequently used the token to infiltrate Trivy's repository automation and release environment.  Related:CISOs Debate Human Role in AI-Powered Security The Trivy team discovered and disclosed that initial intrusion on March 1. They executed a credential rotation at the time, but it was not as comprehensive as they thought it might have been, because the attacker managed to retain access to the environment and also capture newly rotated secrets. On March 19, the attacker used those credentials to force-push malicious code to 76 of the 77 previously released versions of trivy-action, the GitHub Actions that organizations use to run Trivy scans inside their automated CI/CD pipelines. A CI/CD pipeline that referenced any of those versions would have pulled down and unknowingly executed the malicious code instead of the legitimate original.  The attacker similarly poisoned all seven versions in the setup-trivy repository for setting up the scanner. In addition, the threat actor exploited a compromised automated service account called aqua-bot to publish a malicious version of Trivy, v0.69.4, and manipulate its GitHub Action tags. "Rather than introducing a new, clearly malicious version, the attackers used a more sophisticated approach," Aqua Security said in a blog post on March 22. "By modifying existing version tags associated with trivy-action, they injected malicious code into workflows that organizations were already running."  Because many automated CI/CD pipelines rely entirely on version labels without verifying that the code hasn't changed since they first started using it, they continued running as usual without detecting the tampering, Aqua said. Related:AI Conundrum: Why MCP Security Can't Be Patched Away In a March 23 update, Aqua disclosed that the threat actor had exploited the compromised automated service account (aqua-bot) to also publish two compromised Docker images, v0.69.5 and v0.69.6, effectively spreading malware through Trivy's trusted release pipeline. Credential Stealing Payload The Trivy security team and Aqua described the payload itself as a credential-harvesting infostealer that scans more than 50 filesystem locations for SSH keys, cloud provider credentials for AWS, Google Cloud, and Azure, Kubernetes authentication tokens, Docker configuration files, environment variable files, database credentials, and cryptocurrency wallets.   Their analysis showed the malware using AES-256-CBC with RSA-4096 hybrid encryption to encrypt and transmit stolen data to attacker-controlled infrastructure. In instances where such exfiltration is not possible, the malware creates a public GitHub repository on the victim's account (named public tpcp-docs) and uploads the data from there, Trivy and Aqua said. "This combination of credential compromise, abuse of trusted release channels, and silent execution within CI/CD pipelines is a clear example of a modern software supply chain attack," Aqua said. "Rather than targeting a single organization, the attackers leveraged widely trusted tooling to reach downstream users at scale." Related:GlassWorm Malware Evolves to Hide in Dependencies What makes the attack particular troubling is that it affects a security tool that many organizations rely on and implicitly trust to detect vulnerabilities and to protect them against attacks. This is the second recent incident involving either a security tool or a vendor. Earlier this month, Outpost24 reported an incident where someone attempted to steal credentials from a C-level executive at the company using a sophisticated seven-stage phishing chain. Though that particular attack failed, the incident and now the one involving Trivy are evidence of growing attacker interest in targeting vendors and products that most companies implicitly trust and to which they provide near unfettered access to their environments. Aqua and Trivy urged organizations that used any affected version of Trivy, trivy-action, or setup-trivy during the exposure windows to treat all secrets accessible to those pipelines as compromised and to rotate them immediately. Aqua recommended that affected organizations audit Trivy versions to see if they might have pulled or executed the weaponized Trivy v0.69.4 version from any source and to remove them immediately.  The company also urged a review of all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy for signs of compromise. Aqua's blog post specified other actions that organizations need to take to mitigate risk from the supply chain attack. About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like APPLICATION SECURITY Self-Propagating GlassWorm Attacks VS Code Supply Chain by Elizabeth Montalbano, Contributing Writer OCT 20, 2025 APPLICATION SECURITY 'Lies-in-the-Loop' Attack Defeats AI Coding Agents by Elizabeth Montalbano, Contributing Writer SEP 15, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 APPLICATION SECURITY Microsoft Drops Another Massive Patch Update by Jai Vijayan, Contributing Writer APR 08, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE