https://winbuzzer.com/2026/03/23/trivy-breach-pushed-infostealer-via-github-actions-xcxwbn/
Trivy Breached Twice in a Month via GitHub Actions
#GitHub #GitHubActions #Cybersecurity #Malware #Cybercrime #SecurityBreach #OpenSource #Hackers #npm #Javascript #SoftwareDevelopment #CloudComputing #DataBreaches #Trivy #AquaSecurity #TeamPCP #CanisterWorm
#trivy supply chain attack spreads to #dockerhub. Compromised Docker Hub images and a self-propagating npm worm have been discovered, escalating the Trivy breach into a multi-platform threat. Stolen npm tokens from infected CI/CD pipelines fueled a self-propagating worm dubbed #CanisterWorm, compromising nearly 50 npm packages across multiple scopes.
https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html?m=1
#Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
You need to check your installation ASAP
#Trivy got compromised on thursday and released a backdoored new version, which was rolled back. We spent the entire friday in incident response mode. Now they got compromised again over the weekend.
I have a lot of sympathy for people under pressure during an incident, but for fucks sake, having a security tool get compromised three times within two months is just completely bonkers. We spent more time remediating security issues caused by our security tooling than any other cause. And the fact that there wasn't any official communication on friday means that we had to rely on third-party writeups, which were missing critical information like exact docker container digests and time ranges of the compromise. This made incident response completely miserable.
Anyway. Trivy 0.69.4, 0.69.5, 0.69.6 were all compromised with infostealer malware. Do what you have to do. There are several decent writeups:
- https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
- https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
- https://labs.boostsecurity.io/articles/20-days-later-trivy-compromise-act-ii/
And Trivy has an advisory on their GitHub that covers last thursday, but not the second compromise over the weekend: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.
#Trivy #SupplyChain Attack Spreads, Triggers Self-Spreading #CanisterWorm Across 47 #npm Packages
#security
"We have removed all malicious artifacts from the affected registries and channels," Trivy maintainer Itay Shakury posted today, noting that all the latest Trivy releases "now point to a safe version." But "On March 19, we observed that a threat actor used a compromised credential..." And today T...
Trivy ecosystem supply chain briefly compromised
https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
#HackerNews #Trivy #Ecosystem #Supply #Chain #Compromise #Cybersecurity #Vulnerability #SupplyChainSecurity #AquaSecurity
Trivy Security incident 2026-03-19
https://github.com/aquasecurity/trivy/discussions/10425
#HackerNews #Trivy #Security #incident #2026-03-19 #cybersecurity #Trivy #security #incident #news #security #vulnerabilities #GitHub #discussions
Winbuzzer
Will 
Christian M. Grube 🐧
Max Maass 
PrivacyDigest
Hacker News
GripNews
N-gated Hacker News