A popular open-source vulnerability scanner (Trivy) was compromised last week in a supply chain attack
https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise
https://github.com/aquasecurity/trivy/discussions/10425
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack

Trivy Supply Chain Attack: What Happened and What You Need to Know
Open Source Security Advisory

What Happened

On March 19, 2026, a threat actor used compromised credentials to publish malicious releases of Trivy version 0.69.4, along with trivy-action and setup-trivy. While this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply chain attack that began weeks earlier. Attack …