Trivy has been compromised again and this time, the impact is far more wide-reaching.

After the GitHub token stealing a few weeks back, (presumably the same) actors yesterday published malicious binaries and CI actions.
If you're using Trivy without version pinning (especially in pipelines), assume you're affected.

https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised - StepSecurity

On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.

Apparently, not even DevSecOps vendors manage to secure their build and deployment automation. 🤷‍♂️
Since people at my workplace were (rightfully) wondering: GitLab container scanning uses Trivy with version pinning and does not appear to be affected by the compromise: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/master/version/TRIVY_VERSION
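Since "version pinning" is the control that matters here, an added example (not from this post, StepSecurity or the Trivy project) of a small pipeline check: it flags any use of aquasecurity/setup-trivy or aquasecurity/trivy-action that floats on a branch or tag instead of a full commit SHA, which the incident shows can be moved or deleted. The workflow text and the SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not a real project file). The first two `uses:`
# lines float on a mutable tag/branch; the last is pinned to a full commit SHA.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # PLACEHOLDER SHA
"""

# Matches `uses: owner/repo[/path]@ref`; group 1 is owner/repo, group 2 the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)")
# A full 40-hex commit SHA is the only ref that cannot be silently re-pointed.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions named in the incident report; extend with anything else you pull in.
WATCHED = {"aquasecurity/setup-trivy", "aquasecurity/trivy-action"}


def find_unpinned(workflow_text, watched=WATCHED):
    """Return (line_no, action, ref) for every watched action whose ref is not a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action in watched and not SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action} is pinned to mutable ref '{ref}', use a commit SHA")
```

Run it over every file under .github/workflows/ as a required CI step; a tag pin such as v0.69.3 still fails the check, and that is intended.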