Full Report
Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets. The latest incident impacted GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and set up GitHub Actions workflow
Analysis Summary
# Incident Report: Trivy GitHub Actions Supply Chain Compromise
## Executive Summary
Trivy, a widely used open-source vulnerability scanner, suffered a major supply chain compromise where attackers hijacked 75 version tags in official GitHub repositories to distribute an infostealer. The attack utilized compromised credentials—stemming from an incomplete containment of a previous incident—to force-push malicious code into trusted version references. The malware was designed to exfiltrate CI/CD secrets and establish persistence on developer machines.
## Incident Details
- **Discovery Date:** Approximately March 20, 2026 (Reported)
- **Incident Date:** Late February to March 20, 2026
- **Affected Organization:** Aqua Security (Maintainers of Trivy)
- **Sector:** Technology / Cybersecurity / Open Source
- **Geography:** Global (Impacts any user of the GitHub Actions)
## Timeline of Events
### Initial Access
- **Date/Time:** Late February 2026
- **Vector:** Exploitation of a "pull_request_target" workflow vulnerability by an autonomous bot ("hackerbot-claw").
- **Details:** The attacker stole a Personal Access Token (PAT) which provided the initial foothold into the GitHub environment.
### Lateral Movement
- **Details:** Using the stolen PAT, the attacker gained control of GitHub repositories. Despite a secret rotation attempt by Aqua Security, the process was not "atomic," allowing attackers to intercept or persist with refreshed tokens and compromised maintainer credentials.
### Data Exfiltration/Impact
- **Details:** Attackers force-pushed 75 version tags in `aquasecurity/trivy-action` and 7 tags in `aquasecurity/setup-trivy`. These hijacked tags served a Python-based infostealer that harvested SSH keys, cloud credentials, Kubernetes tokens, and environmental variables from GitHub Actions runners.
### Detection & Response
- **Detection:** Discovered by security researcher Paul McCarty and analyzed by Socket and Wiz researchers.
- **Response Actions:** Malicious releases (v0.69.4) were removed; Aqua Security initiated a more restrictive lockdown of all automated actions and tokens.
## Attack Methodology
- **Initial Access:** Valid credential compromise (carried over from a previous bot-led incident).
- **Persistence:** Implementation of a `systemd` service on developer machines running a polling script (`sysmon.py`).
- **Privilege Escalation:** Not explicitly detailed, but involved high-privilege PATs.
- **Defense Evasion:** Tag poisoning (force-pushing to existing trusted tags rather than creating new suspicious releases) and masquerading as legitimate `aquasecurity` traffic.
- **Credential Access:** Extraction of environment variables from runner memory and file systems.
- **Discovery:** Scanning for cloud provider credentials, Git/Docker configs, and crypto wallets.
- **Lateral Movement:** Utilizing compromised automation tokens to move between repositories.
- **Collection:** Harvesting sensitive data through the Python infostealer.
- **Exfiltration:** Data encrypted and sent via HTTP POST to `scan.aquasecurtiy[.]org` (typosquatting domain).
- **Impact:** Compromise of the CI/CD pipeline integrity and mass theft of developer secrets.
## Impact Assessment
- **Financial:** Risk of unauthorized access to cloud billing and cryptocurrency wallets.
- **Data Breach:** High-volume theft of CI/CD secrets (SSH, AWS/GCP/Azure keys, K8s tokens).
- **Operational:** Significant disruption to DevOps workflows relying on Trivy for security gating.
- **Reputational:** Significant impact as this is the second major compromise within a month.
## Indicators of Compromise
- **Network Indicators:** `scan.aquasecurtiy[.]org` (Note the "tiy" vs "ty" typosquat)
- **File Indicators:** `sysmon.py`, Malicious Trivy version `0.69.4`
- **Behavioral Indicators:** Unexpected `systemd` service creation; `force-push` events on Git tags for historical versions.
## Response Actions
- **Containment:** Removal of the malicious 0.69.4 release and poisoned tags.
- **Eradication:** Revocation and comprehensive rotation of all GitHub PATs and automation tokens.
- **Recovery:** Transitioning to a highly restrictive "locked-down" approach for all automated GitHub actions.
## Lessons Learned
- **Non-Atomic Secret Rotation:** Rotating secrets is ineffective if the rotation process itself is visible to or intercepted by the attacker holding the current session.
- **Trust in Tags:** Using mutable Git tags (e.g., `@v2`) is a major security risk; attackers can redirect these tags to malicious commits.
- **Incomplete Containment:** Treating an incident as closed before verifying the total eviction of an adversary leads to immediate re-compromise.
## Recommendations
- **Pin Actions to SHA:** Always use full commit hashes (SHAs) for GitHub Actions instead of tags to prevent tag-poisoning attacks.
- **Environment Isolation:** Use OpenID Connect (OIDC) for CI/CD authentication to cloud providers to avoid long-lived static secrets.
- **Monitor Tag Changes:** Implement alerting for force-push events on version tags in sensitive repositories.
- **Audit Token Usage:** Regularly audit the scopes of Personal Access Tokens and enforce the Principle of Least Privilege.