Kevin Beaumont
Aqua Security Trivy had another supply chain compromise, I don’t know if they’ve disclosed yet. https://github.com/aquasecurity/trivy/discussions/10420
Why did this discussion about the Trivy incident get removed/closed · aquasecurity trivy · Discussion #10420

https://github.com/aquasecurity/trivy/discussions/10265 Why did this get removed when active discussion on a new (maybe related) incident was happening?

GitHub
Mar 20 at 9:23pmWeb
Show threadthepwnicorn3d ago
@GossiTheDog https://github.com/aquasecurity/trivy/discussions/10425
Trivy Security incident 2026-03-19 · aquasecurity trivy · Discussion #10425

On March 19, a threat actor used a compromised credential to publish malicious trivy (v0.69.4), trivy-action, and setup-trivy releases. This was a follow up from the recent incident (2026-03-01) wh...

GitHub
Show threadoddbjorn3d ago
@GossiTheDog Reported here 23 hours ago: https://opensourcemalware.com/repository/https%3A%2F%2Fgithub.com%2Faquasecurity%2Ftrivy%2F
OpenSourceMalware.com - Community Threat Intelligence

Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.

Show threadw1ntermute3d ago
@GossiTheDog so many slop comments