
The AI-Hijacked Security Scanner That Stole from 10,000 Workflows
Everyone assumes security scanners are the good guys. They're the digital antibodies protecting our code from the bad stuff. So when Trivy—the darling of DevSecOps with 31,000 GitHub stars—got compromised not once but twice in March 2026, it felt like watching your antivirus download a virus.
But here's what everyone's missing: this wasn't your typical supply-chain attack. The attackers didn't just slip in some backdoor code and hope for the best. They innovated.
The first wave hit Aqua Security's VS Code extension on February 27-28. Versions 1.8.12 and 1.8.13 contained something genuinely novel—malicious code that hijacked local AI coding assistants like Claude, GitHub Copilot, and Gemini. Instead of traditional malware, they used AI prompts to perform system reconnaissance and steal credentials.
"This represents a new form of attack that bypasses traditional safety checks by exploiting AI tools without deploying direct malware," Socket's researchers noted.
Think about that for a second. Your helpful AI assistant, the one suggesting code completions, suddenly becomes a data exfiltration tool. It's elegant. Terrifying. And completely under the radar.
But that was just the warmup.
The Real Massacre
The second attack, disclosed March 20 by Paul McCarty, makes the VS Code incident look quaint. Attackers force-pushed 75 out of 76 version tags in the official aquasecurity/trivy-action GitHub Actions repository. Every tag became a malware distributor.
The math is brutal:
- Over 10,000 GitHub workflows reference trivy-action
- Each infected workflow harvests CI/CD secrets from runner memory
- AES-256-CBC and RSA-4096 encryption protects the stolen data
- Everything gets exfiltrated to attacker endpoints
Philipp Burckhardt from Socket.dev captured the scope: workflows across the ecosystem suddenly became infostealers, silently bleeding secrets every time they ran.
The Elephant in the Room
Here's what nobody wants to say out loud: Aqua Security's response was pathetic.
They temporarily took down their GitHub repository. That's it. As of March 20, compromised tags were still active. Imagine if your house was on fire and you decided to water the lawn instead.
The community noticed. Chris Childerhose, an Enterprise Architect, summed up the frustration: "sad lately how these things are." The irony wasn't lost on anyone—a vulnerability scanner that can't secure itself.
What This Really Means
This attack reveals three uncomfortable truths:
1. Tags are security theater - Pin to full commit SHAs, not tags. A tag is a mutable pointer that can be force-pushed to point at new content; a commit SHA identifies one fixed snapshot of the code.
2. AI tools are the new attack surface - We're training our assistants to help us code. Attackers are training them to rob us.
3. Open source's trust model is broken - 31,000 stars don't mean secure code. They just mean popular code.
The blast radius extends beyond GitHub. Kubernetes users scanning clusters, enterprises generating SBOMs for compliance, CI/CD pipelines across the industry—all potentially compromised.
The Hidden Winner
While everyone panics about Trivy, companies like Socket are quietly becoming the new security sheriffs. They detected both attacks, provide dashboards to check workflow exposure, and offer the kind of supply-chain intelligence that prevents these disasters.
The market is already shifting. Paid tools with supply-chain guarantees suddenly look attractive when the free alternative is stealing your secrets.
What You Do Now
- Audit immediately: Check if your workflows use trivy-action
- Pin to SHAs: Never trust tags again
- Rotate everything: Assume your CI/CD secrets are compromised
- Watch your AI: Monitor what your coding assistants are really doing
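As an added illustration of the "audit immediately" and "pin to SHAs" items above (my own example, not code from the article, from Aqua Security or from Socket), here is a small Python audit that reads a GitHub Actions workflow, lists every third-party action reference, flags references to `aquasecurity/trivy-action`, and reports any reference that is a tag or branch rather than a full 40-character commit SHA. The workflow text is constructed for the example; the 40-hex SHA in it is a placeholder, not a real trivy-action commit.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List

# Actions whose mere presence should be reported (secrets may need rotation
# even where the reference is pinned). Repository name taken from the article.
WATCHED_ACTIONS = ("aquasecurity/trivy-action",)

# Matches `uses: owner/repo[/path]@ref` on a step line. Local actions (./x)
# and docker:// references have no owner/repo@ref form and are skipped.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)@([^\s#]+)",
    re.MULTILINE,
)

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan (mutable branch reference - should be flagged)
        uses: aquasecurity/trivy-action@master
      - name: Scan (pinned to a placeholder SHA - accepted as pinned)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder
"""


def is_pinned_sha(ref: str) -> bool:
    """True only for a full 40-hex commit SHA; abbreviated SHAs and tags are not pins."""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None


def audit_workflow(text: str, watch: Iterable[str] = WATCHED_ACTIONS) -> List[Dict]:
    """Return one finding per `uses:` reference: line, action, ref, pinned, watched."""
    watched = set(watch)
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # owner/repo without any sub-path
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "action": action,
            "ref": ref,
            "pinned": is_pinned_sha(ref),
            "watched": repo in watched,
        })
    return findings


def unpinned(findings: List[Dict]) -> List[Dict]:
    """References that a force-pushed tag or branch could silently redirect."""
    return [f for f in findings if not f["pinned"]]


def watched_references(findings: List[Dict]) -> List[Dict]:
    """Every reference to a watched action, pinned or not."""
    return [f for f in findings if f["watched"]]


def audit_directory(workflow_dir: Path) -> Dict[str, List[Dict]]:
    """Audit every *.yml / *.yaml file under a repository's .github/workflows."""
    return {
        str(p): audit_workflow(p.read_text(encoding="utf-8"))
        for p in sorted(workflow_dir.glob("*.y*ml"))
    }


if __name__ == "__main__":
    # With a path argument, audit that repo's workflows; otherwise run on the sample.
    if len(sys.argv) > 1:
        results = audit_directory(Path(sys.argv[1]) / ".github" / "workflows")
    else:
        results = {"<constructed sample>": audit_workflow(SAMPLE_WORKFLOW)}
    for path, findings in results.items():
        print(f"== {path}")
        for f in watched_references(findings):
            print(f"  WATCHED  line {f['line']}: {f['action']}@{f['ref']}")
        for f in unpinned(findings):
            print(f"  UNPINNED line {f['line']}: {f['action']}@{f['ref']}")
```

Run it with a repository root as the argument to walk `.github/workflows`. A pin only guarantees that the same content runs each time; it says nothing about whether that content was clean when you pinned it, so a pinned reference to a watched action is still reported, and the "rotate everything" step above still applies to any workflow that ran the action while the tags were compromised.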
The attackers behind this campaign understood something most security teams miss: the best place to hide malware isn't in obviously dangerous software. It's in the tools we trust to keep us safe.
That's not just ironic. It's brilliant.

