Trivy GitHub Actions Breach: The Supply Chain Attack That Poisoned Security Tools

By HERALD

The irony is almost too perfect: Trivy, one of the most trusted security scanners in the DevOps ecosystem, just became the attack vector for stealing CI/CD secrets from over 10,000 GitHub workflows. This isn't just another breach—it's a masterclass in how supply chain attacks can turn your security tools into weapons against you.

On March 19, 2026, attackers force-pushed malicious code to 75 out of 76 version tags in the aquasecurity/trivy-action repository. Developers who thought they were hardening their containers were actually running malware that dumped process memory, harvested SSH keys, and exfiltrated cloud credentials for AWS, GCP, Azure, and Kubernetes.

> "Organizations with tpcp-docs repos or Trivy runs post-19:00 UTC on March 19 face high exposure"

This is Trivy's second compromise this month—the earlier incident targeted their VS Code extension through OpenVSX. The pattern suggests coordinated attacks against critical developer tooling, with attackers specifically targeting the most trusted names in security.

The Attack Vector: Version Tag Manipulation

The brilliance of this attack lies in its simplicity. Most developers pin GitHub Actions to version tags like @v0.28.0 instead of commit SHAs. When attackers force-pushed malicious code to existing tags, workflows automatically pulled the poisoned versions on their next run.

Here's what a vulnerable workflow looked like:

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@v0.28.0  # Vulnerable to tag manipulation
  with:
    image-ref: 'docker.io/my-org/my-app:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
```

The malware was sophisticated—it didn't just grab obvious secrets. It performed memory dumps of the GitHub Actions runner processes, scraped environment variables, and specifically hunted for service account credentials. If your pipeline had access to production AWS roles or Kubernetes clusters, those credentials were likely compromised.
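Because the attack worked by moving existing tags, a defender can detect it by comparing each tag's current commit against a baseline recorded when the action was last reviewed. The sketch below is an added example, not code from Aqua Security or the original article; the baseline, the SHAs and the `git ls-remote --tags` output are constructed sample data.

```python
import re

# Constructed baseline: tag -> commit SHA recorded at the last review.
BASELINE = {
    "v0.26.0": "4444444444444444444444444444444444444444",
    "v0.27.0": "1111111111111111111111111111111111111111",
    "v0.28.0": "2222222222222222222222222222222222222222",
}

# Constructed sample in the format printed by `git ls-remote --tags <repo-url>`.
# An annotated tag appears twice; the "^{}" line is the commit it points at.
LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v0.27.0
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.28.0
9999999999999999999999999999999999999999\trefs/tags/v0.28.0^{}
3333333333333333333333333333333333333333\trefs/tags/v0.29.0
"""

LINE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?$")

def parse_ls_remote(text):
    """Map each tag to the commit it resolves to (peeled entry wins)."""
    tags, peeled = {}, {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sha, tag, is_peeled = m.groups()
        (peeled if is_peeled else tags)[tag] = sha
    tags.update(peeled)
    return tags

def tag_drift(baseline, remote):
    """Return (tag, status, expected, actual) for every deviation."""
    findings = []
    for tag, expected in sorted(baseline.items()):
        actual = remote.get(tag)
        if actual is None:
            findings.append((tag, "deleted", expected, None))
        elif actual != expected:
            findings.append((tag, "moved", expected, actual))
    for tag in sorted(set(remote) - set(baseline)):
        findings.append((tag, "new", None, remote[tag]))
    return findings

if __name__ == "__main__":
    for finding in tag_drift(BASELINE, parse_ls_remote(LS_REMOTE)):
        print(finding)
```

A "moved" result for a released tag is the signal that matters here: release tags should not change commits after publication.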

The Cascading Failure

What makes this particularly nasty is the cascading effect. Attackers didn't just poison the action—they also:

  • Stole a Personal Access Token from Aqua Security's GitHub
  • Privatized repositories and deleted releases (v0.27.0 through v0.69.1)
  • Pushed malicious v0.69.4 that propagated to package managers
  • Deleted tags in setup-trivy (v0.2.1–v0.2.5), breaking unpinned workflows

Homebrew users got hit too—the malicious v0.69.4 made it into their package registry before being rolled back to the safe v0.69.3.

There's also a related CVE-2026-26189, a command injection flaw in trivy-action where unescaped user inputs in trivy_envs.txt enabled arbitrary code execution. This suggests the attackers had deep knowledge of Trivy's internals.

Why Security Tools Make Perfect Targets

This attack reveals a fundamental blind spot in our security model: we implicitly trust security tools. When your vulnerability scanner asks for broad permissions to access images, repositories, and cloud resources, you grant them. When Trivy needs to run in your CI/CD pipeline with access to secrets, you don't question it.

The psychological aspect is crucial too. Developers using Trivy are security-conscious—they're the ones implementing DevSecOps practices. But this very diligence made them targets. The attackers knew that security-focused teams would have the most valuable secrets to steal.

> "Developers relying on Trivy for security scanning ironically ran malware, highlighting supply chain risks in trusted tools"

Immediate Response Checklist

If you're using Trivy in GitHub Actions, here's your action plan:

1. Audit Your Exposure

  • Check all workflow runs after 19:00 UTC on March 19, 2026
  • Search your organization for repositories containing tpcp-docs
  • Review GitHub Actions logs for any trivy-action executions

2. Pin to Commit SHAs Immediately

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@a1b2c3d4e5f67890abcdef1234567890abcdef12  # Illustrative value; pin to a full commit SHA you have verified
  with:
    image-ref: 'docker.io/my-org/my-app:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
```

Verify SHAs from the repository's commit history, not from potentially compromised documentation.
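To find where pinning is still missing, the following added example (not part of the original article) scans workflow text for `uses:` references that are not full 40-character commit SHAs and marks the two action repositories named in this incident. The sample workflow is constructed, `some-org/some-action` is hypothetical, and the SHA is the illustrative value from the snippet above.

```python
import re

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- " or quotes.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Action repositories named in the article as affected by this incident.
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Constructed sample workflow.
WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@v0.28.0
      - uses: aquasecurity/setup-trivy@a1b2c3d4e5f67890abcdef1234567890abcdef12
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main  # branch ref
"""

def audit_workflow(text):
    """Return (line_no, action, ref, affected) for each mutable reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are not resolved through git tags.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if FULL_SHA.match(ref):
            continue  # immutable: pinned to a full commit SHA
        # Compare on owner/repo so sub-path actions are matched too.
        repo = "/".join(action.split("/")[:2])
        findings.append((line_no, action, ref or "(none)", repo in AFFECTED))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(WORKFLOW):
        print(finding)
```

Abbreviated SHAs are reported as mutable on purpose, since only the full 40-character form is treated as pinned here.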

3. Rotate Everything

  • Personal Access Tokens used in workflows
  • SSH keys accessible to runners
  • Cloud service account credentials (AWS, GCP, Azure)
  • Kubernetes service account tokens
  • Container registry credentials

4. Version Management

  • Stick to Trivy v0.69.3 or earlier
  • Avoid v0.69.4+ until Aqua Security releases a verified clean version
  • Consider using container-based installs instead of GitHub binary releases

Long-Term Hardening

This incident should trigger broader changes to how you handle third-party actions:

Workflow Security

  • Enable workflow approval requirements for third-party actions
  • Implement least-privilege permissions for GitHub Actions
  • Use tools like Socket.dev or GitHub's dependency graph to monitor action security

Detection and Monitoring

  • Monitor for unexpected processes during CI/CD runs
  • Watch for shell metacharacters in workflow logs
  • Set up alerts for modifications to sensitive files like trivy_envs.txt
  • Implement network monitoring to detect credential exfiltration

Vendor Risk Management

  • Maintain an inventory of all third-party actions and their permissions
  • Establish incident response procedures for compromised dependencies
  • Consider running security-sensitive tools in isolated environments

Why This Matters

This attack represents a new sophistication level in supply chain compromises. Attackers aren't just targeting popular libraries—they're specifically hunting the tools we use to secure our infrastructure. The fact that this is Trivy's second compromise in a month suggests persistent, well-resourced adversaries.

The broader implications extend beyond just this incident. Trust in the GitHub Actions ecosystem has been shaken, and the attack demonstrates how AI-powered bots (like the "hackerbot-claw" that targeted Trivy) are evolving to exploit our development workflows.

Your immediate action should be auditing any Trivy usage and rotating credentials. But the bigger lesson is about hardening your entire CI/CD security model. Pin to commit SHAs, implement proper secrets management, and treat your security tools with the same skepticism you'd apply to any other third-party dependency.

Because in today's threat landscape, your security scanner might be the biggest security risk in your pipeline.
