Trivy release actions shipped malware
After incomplete containment of the February Trivy takeover, compromised credentials were used to publish malicious Trivy v0.69.4 artifacts, force-push most trivy-action version tags, and replace setup-trivy tags with credential-stealing commits.
Story
On March 19, 2026, attackers who still held credentials from the February takeover of Aqua Security's Trivy repository used them to publish a malicious Trivy v0.69.4 release and to rewrite the tags of two companion GitHub Actions, trivy-action and setup-trivy, that thousands of CI/CD pipelines already trusted by name. Docker Hub images for 0.69.4, 0.69.5, and 0.69.6 followed days later.
The delivery worked because most consumers pinned by mutable tag rather than full commit SHA. Force-pushed tags swapped the underlying code without changing the workflow files that referenced them. StepSecurity, which documented the second wave, said the compromised setup-trivy commit 8afa9b9 was itself benign but pointed workflows at the poisoned v0.69.4 binary.
The payload read GitHub Actions runner memory and per-process environments, collected developer and cloud secrets, encrypted the archive, and tried to exfiltrate it to scan.aquasecurtiy.org, a typosquat of Aqua's own domain, with public GitHub repositories as a fallback drop. Trivy was an unusually rich target because it already ran inside build and deployment pipelines, where secrets live in plaintext.
The Register, citing Mandiant, reported that more than 1,000 SaaS environments were affected, with researchers warning the number was likely to grow. Aqua removed the malicious tags, published clean releases, and issued advisory GHSA-69fq-xp46-6x23. Stolen CI/CD secrets later bled into adjacent projects, including LiteLLM, extending the blast radius beyond Trivy itself.
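Because the tag rewrite left workflow files untouched, the only way to tell an exposed pipeline from a safe one is to look at how each `uses:` line pins the two actions. The following audit script is an added example, not code from Aqua, StepSecurity or any project on this page; it assumes the actions live at the GitHub paths aquasecurity/trivy-action and aquasecurity/setup-trivy, and applies the scope reported above (every trivy-action tag except 0.35.0, every setup-trivy release before 0.2.6, SHA-pinned references unaffected) to a constructed workflow excerpt.

```python
import re

# Constructed sample workflow excerpt (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.34.0
      - uses: aquasecurity/trivy-action@0.35.0
      - name: Install scanner
        uses: aquasecurity/setup-trivy@v0.2.5
      - uses: aquasecurity/setup-trivy@0.2.6
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

# GitHub paths of the two actions (assumed; the page names them only as trivy-action and setup-trivy).
TRIVY_ACTION = "aquasecurity/trivy-action"
SETUP_TRIVY = "aquasecurity/setup-trivy"

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(ref):
    """Turn '0.2.6' or 'v0.2.6' into a comparable tuple; None for branches and other refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(action, ref):
    """Classify one uses: reference against the scope the advisory reported."""
    if action not in (TRIVY_ACTION, SETUP_TRIVY):
        return "other"
    if FULL_SHA_RE.match(ref):
        return "pinned"      # SHA-pinned references were not affected by the tag rewrite
    ver = parse_version(ref)
    if ver is None:
        return "unpinned"    # branch or other mutable ref: not a release tag, but still movable
    if action == TRIVY_ACTION and ver != (0, 35, 0):
        return "affected"    # every trivy-action tag except 0.35.0 was listed as affected
    if action == SETUP_TRIVY and ver < (0, 2, 6):
        return "affected"    # all setup-trivy releases before 0.2.6
    return "unpinned"        # tag reported clean, yet still mutable: pin it to a full SHA

def audit(workflow_text):
    # One (action, ref, verdict) triple per uses: line found in the workflow text.
    return [(a, r, assess(a, r)) for a, r in USES_RE.findall(workflow_text)]

if __name__ == "__main__":
    for action, ref, verdict in audit(SAMPLE_WORKFLOW):
        print(f"{verdict:9} {action}@{ref}")
```

Run it over every file under .github/workflows; anything reported as affected or unpinned should be re-pinned to a full commit SHA and its job's secrets rotated if the job ran inside the reported windows.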
Affected Artifacts
Trivy v0.69.4 release artifacts
- Aqua's disclosure window covered Trivy v0.69.4 release artifacts, including distribution paths such as GHCR, ECR Public, Docker Hub, deb, rpm, and get.trivy.dev; Docker Hub tags are also tracked as their own artifact group.
- The Register reported Mandiant's estimate of more than 1,000 impacted SaaS environments from the wider Trivy supply-chain attack; this is recorded as a lower-bound impact count rather than an exact user count.
Trivy Docker Hub image tags
- Observed: 2026-03-22 to 2026-03-23
- Fixed: 0.69.3
- Socket reported Docker image tags 0.69.4, 0.69.5, 0.69.6, and latest as compromised on March 22, with no corresponding GitHub releases for the later image tags.
- A mutable latest tag or release channel was reported affected; it is recorded as scope rather than a fixed version identifier.
trivy-action
- Observed: 2026-03-19 to 2026-03-20
- Compromised Versions:
- Fixed: 0.35.0
- Aqua's exposure table listed all trivy-action tags except 0.35.0 as affected during the March 19-20 UTC window; SHA-pinned references were not affected.
setup-trivy
- Observed: 2026-03-19
- Compromised Versions: Unknown
- Fixed: 0.2.6
- The compromised setup-trivy tags installed the malicious Trivy binary; StepSecurity noted 8afa9b9 was a legitimate commit reference that led workflows to the compromised v0.69.4 binary.
- Affected setup-trivy scope was reported as all releases before 0.2.6; the exact lower bound is not recorded.
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: Yes
- Actor: Advanced Persistent Threat
- User Impact: 1000
Indicators
- Commit 8afa9b9
- Commit ddb9da4
- Commit 3fb12ec
External References
- Trivy Compromised a Second Time - Malicious v0.69.4 Release (stepsecurity.io)
- CanisterWorm - How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem (stepsecurity.io)
- GitHub Advisory: Trivy supply chain compromise (github.com)
- Trivy v0.69.4 supply chain compromise discussion (github.com)
- Trivy Docker Images Compromised in Supply Chain Attack (socket.dev)
- 1K+ cloud environments infected following Trivy supply chain attack (theregister.com)
- Five Supply Chain Attacks in Twelve Days (blog.dreamfactory.com)
Source record: oss/attacks/trivy/meta.yaml