#Trivy, a popular open-source vulnerability scanner, was compromised - attackers hijacked 75 version tags in #GitHub Actions to deliver an infostealer.

It ran in CI pipelines, stealing creds and tokens, exfiltrating data:
#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Trivy attack force-pushed 75 tags via GitHub Actions, exposing CI/CD secrets, enabling data theft and persistence across developer systems.

The Hacker News
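
An added example (not from any of the posts above and not the Trivy project's own code) of the check a practitioner would want after an incident like this one: a small Python scanner that reads a GitHub Actions workflow and reports every `uses:` reference that is not pinned to a full 40-hex commit SHA, because mutable version tags are exactly what was force-pushed here. The sample workflow, the action versions in it, the `watch_prefixes` default and the 40-hex commit id are all constructed for the illustration, not taken from any real repository.

```python
import re

# Constructed sample workflow (not from a real repository). It mixes
# tag-pinned references, one SHA-pinned reference, a local action and a
# docker:// reference so that each branch of the scanner is exercised.
# The 40-hex commit id below is made up for the example.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.2
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:1.0
"""

# Matches a `uses:` line and captures the reference up to whitespace,
# quotes or a trailing "# vX" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A git ref counts as immutable only if it is a full 40-hex commit SHA;
# short SHAs, tags and branch names can all be moved by a repo owner or
# an attacker who gains push access.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_full_sha(ref):
    """True when `ref` is a full 40-character lowercase hex commit id."""
    return bool(FULL_SHA_RE.match(ref))


def parse_uses(workflow_text):
    """Return a list of (action, ref) pairs for every remote `uses:` line.

    Local actions (./path) and docker:// images carry no git ref and are
    skipped; they need a different check (image digests) than this one.
    """
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append((action, ref))
    return refs


def unpinned_actions(workflow_text, watch_prefixes=("aquasecurity/",)):
    """Return the references a mutable-tag hijack could affect.

    A reference is reported when its ref is not a full commit SHA. Any
    action whose name starts with one of `watch_prefixes` (an assumed
    incident-specific watch list) is reported as well, pinned or not, so
    the operator can review it explicitly.
    """
    findings = []
    for action, ref in parse_uses(workflow_text):
        pinned = is_full_sha(ref)
        watched = action.startswith(watch_prefixes)
        if not pinned or watched:
            findings.append(
                {"action": action, "ref": ref, "sha_pinned": pinned, "watched": watched}
            )
    return findings


if __name__ == "__main__":
    for f in unpinned_actions(SAMPLE_WORKFLOW):
        status = "SHA-pinned" if f["sha_pinned"] else "MUTABLE REF"
        print(f"{status:11} {f['action']}@{f['ref']}"
              + ("  [on watch list]" if f["watched"] else ""))
```

Run it over every file under `.github/workflows/` of each repository; anything reported as a mutable ref should be re-pinned to a commit SHA you have verified yourself, and anything on the watch list reviewed regardless of how it is pinned, since a SHA pin only protects the action's own source, not binaries the action downloads at run time.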

Yesterday, with all the #Trivy going on, I forgot the post: sandwich toast

#Alltagsessen

Widely used #Trivy #scanner compromised in ongoing supply-chain #attack

#Hackers have compromised virtually all versions of #AquaSecurity's widely used Trivy #vulnerability scanner in an ongoing #supplychain attack that could have wide-ranging consequences for #developers and the organizations that use them.

Trivy maintainer Itay Shakury confirmed the compromise on Friday,
#security #privacy

https://arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/

Widely used Trivy scanner compromised in ongoing supply-chain attack

Admins: Sorry to say, but it's likely a rotate-your-secrets kind of weekend.

Ars Technica

A security incident was exactly what I still needed on Friday evening.

#Trivy #AquaSecurity

Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised

https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

#security #github #vulnerability #trivy

Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised - StepSecurity

On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.

Effectively all versions of #Trivy on #GitHub compromised. I guess it's a "rotate your secrets weekend" then. Glad I'm not on call.

If anyone you know uses #Trivy, it's time to rotate all of the credentials it had access to if you ran the 0.69.4 container or GitHub release (Homebrew users avoided this thanks to building from source). Probably a good idea to think about other defense-in-depth measures, too…

https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

Trivy Under Attack Again: Widespread GitHub Actions Tag Comp...

Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines.

Socket

Commits · master · GitLab.org / security-products / analyzers / Container Scanning · GitLab

Container scanning analyzer for container images based on third-party scanners

GitLab

From "our pipeline is not working anymore", via "why did they retag all their releases at trivy", to a security incident after the lunch break.

In a team that is still quite new, not yet in production and without processes for this, and with no senior infra people present. It went surprisingly well, and we are quite confident that we rotated all the relevant secrets.

https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise

#trivy #supplychain #security

Why did this discussion about the Trivy incident get removed/closed · aquasecurity trivy · Discussion #10420

https://github.com/aquasecurity/trivy/discussions/10265 Why did this get removed when active discussion on a new (maybe related) incident was happening?

GitHub