Threat actor compromises Trivy vulnerability scanner
Change
A threat actor compromised nearly every release tag of Aqua Security's trivy-action GitHub Action, plus several setup-trivy tags, by force-pushing those tags to commits that pull in malicious dependencies.
Why it matters
Attackers used stolen credentials to force-push nearly all trivy-action tags and seven setup-trivy tags, so that workflows referencing those tags now resolve to attacker-controlled commits that pull in malware. Repointed tags include @0.34.2, @0.33 and @0.18.0; @0.35.0 appears unaffected. Security firms observed the malware in 75 compromised trivy-action tags; once executed, it thoroughly scours development pipelines, including developer machines, for secrets. The Trivy project has about 33,200 GitHub stars, so the exposed population is large.
Implications
- CI/CD pipelines and build jobs that reference the compromised tags (by tag name rather than by commit SHA) execute attacker-controlled code every time a scan runs.
- Pipeline secrets and repository credentials reachable from the scan step should be treated as compromised in every affected environment and rotated.
- Build and deployment integrity cannot be trusted for systems that ran an affected trivy-action or setup-trivy tag.
- Trivy's wide adoption extends the operational reach of the compromise across development environments.
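The first practical check is to find every workflow that pulls the two actions by a mutable tag or branch, since a force-push cannot move a full commit SHA. The script below is an added example, not code from the brief or from Aqua Security: it scans workflow text for remote `uses:` references, flags mutable refs (urgent for the two Trivy actions, advisable for any third-party action), marks the tags the brief names explicitly, and rewrites a `uses:` line to a SHA pin. The sample workflow and its refs are constructed for the demonstration, the 40-hex SHA is a placeholder, and the set of named tags is only what the brief lists, not a complete list of affected tags.

```python
"""Audit GitHub Actions workflow text for mutable references to the Trivy
actions named in the brief (and any other third-party action), and rewrite a
`uses:` line to a full commit SHA pin. Added example; assumes nothing beyond
the action names and tags stated in the brief."""
import re
from dataclasses import dataclass

# Actions the brief reports as having had tags force-pushed.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# Tags the brief names explicitly. Deliberately incomplete: the brief says
# nearly all trivy-action tags were touched, so an absent tag is not a clean one.
TAGS_NAMED_IN_BRIEF = {"0.34.2", "0.33", "0.18.0"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref"; local (./...) and docker:// refs do not
# have the owner/repo@ref shape and are skipped on purpose.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    pinned: bool            # ref is a full 40-hex commit id, which a tag force-push cannot move
    affected_action: bool   # one of the two Trivy actions named in the brief
    tag_named_in_brief: bool


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per remote action reference, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        affected = action in AFFECTED_ACTIONS
        findings.append(Finding(
            line_no=line_no,
            action=action,
            ref=ref,
            pinned=bool(SHA_RE.match(ref)),
            affected_action=affected,
            tag_named_in_brief=affected and ref.lstrip("v") in TAGS_NAMED_IN_BRIEF,
        ))
    return findings


def needs_repin(findings: list[Finding]) -> list[Finding]:
    """Mutable refs only, affected actions first so the urgent ones sort to the top."""
    return sorted((f for f in findings if not f.pinned),
                  key=lambda f: (not f.affected_action, f.line_no))


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite the ref in a `uses:` line to a commit SHA, keeping the old ref as a comment.
    The SHA must be one you have verified yourself: a SHA that points at an
    attacker's commit is pinned just as firmly as a legitimate one."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(sha):
        raise ValueError("expected a remote 'uses:' line and a 40-hex commit id")
    start, end = m.span(2)
    return f"{line[:start]}{sha}{line[end:]}  # was {m.group(2)}"


# Constructed sample workflow for the demonstration; the refs are illustrative.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.0
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in needs_repin(audit_workflow(SAMPLE_WORKFLOW)):
        flag = "AFFECTED" if f.affected_action else "mutable"
        note = " (tag named in brief)" if f.tag_named_in_brief else ""
        print(f"line {f.line_no}: {f.action}@{f.ref} [{flag}]{note}")
```

Run it over `.github/workflows/*.yml` in every repository you own; a hit on an affected action with a mutable ref means the job may already have run attacker code, so rotate the secrets that job could reach before re-pinning. Note that @0.35.0 is still reported as mutable even though the brief says it appears unaffected: a tag that was not repointed this time can be repointed next time, and only a commit SHA closes that door.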
Who is affected
- Developers
- DevOps / CI-CD pipeline operators
- Security teams
- Software supply-chain managers