
Trivy Security Scanner GitHub Actions Compromised Again: 75 Version Tags Hijacked to Exfiltrate CI/CD Secrets


In a significant repeat supply chain attack, the popular open-source vulnerability scanner Trivy, maintained by Aqua Security, has been compromised for the second time in a month. The breach targeted the official GitHub Actions repositories `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`, which are used to integrate Trivy into CI/CD pipelines for container image scanning and workflow setup. According to Socket security researcher Philipp Burckhardt, an attacker force-pushed 75 of the 76 version tags in the `aquasecurity/trivy-action` repository. Because a Git tag is a mutable pointer, retargeting it silently changes what every workflow that references the action by that tag checks out on its next run; the rewrite turned trusted version references into a distribution mechanism for an infostealer payload designed to execute inside GitHub Actions runners.

The primary objective of the malicious payload was the systematic exfiltration of sensitive developer secrets from CI/CD environments. The targeted data includes highly valuable assets such as SSH private keys, credentials for major cloud service providers (AWS, Azure, GCP), database connection strings, Git tokens, Docker configuration files, Kubernetes cluster access tokens, and even cryptocurrency wallet keys. This breach represents a critical escalation in software supply chain attacks, as it directly compromises the integrity of automated development pipelines, a core component of modern DevOps practices.

This incident marks the second major security event for Trivy in a short timeframe. The previous attack occurred in late February and early March 2026, when an autonomous bot dubbed `hackerbot-claw` exploited a misconfigured `pull_request_target` workflow (a trigger that runs with the base repository's secrets, which is why untrusted pull-request content must never be executed under it). The bot stole a Personal Access Token (PAT) and used it to hijack the GitHub repository, deleting several legitimate release versions and publishing two malicious versions of the Trivy Visual Studio Code extension to the Open VSX registry. The current compromise was first flagged by security researcher Paul McCarty, who noticed a new, suspicious release (version 0.69.4) in the main `aquasecurity/trivy` repository. Analysis by Wiz found that this version ran the legitimate Trivy binary and malicious code in parallel.

The repeated targeting of a critical security tool like Trivy underscores a dangerous trend: attackers are focusing on the very infrastructure used to ensure software safety. By compromising a vulnerability scanner, threat actors can reach into the development lifecycle of the countless downstream projects that depend on it. Aqua Security has removed the rogue version 0.69.4 and is conducting a thorough investigation. In a statement, Itay Shakury, Vice President of Open Source at Aqua Security, emphasized the company's commitment to hardening its release processes and reviewing all access controls to prevent future incidents. This breach is a stark reminder for organizations to enforce integrity checks in their CI/CD workflows: verify commit and release signatures, consume only pinned, immutable artifacts, and reference actions by full commit SHA rather than by version tag, since a tag is a mutable pointer that a force-push can redirect to attacker-controlled code. Pinning by SHA would not have prevented the tag rewrite itself, but it would have kept downstream workflows on the commit they had already reviewed.
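The following is an added example written for this page, not code from Aqua Security, Socket, Wiz or the Trivy project. It audits GitHub Actions workflow text for the two weaknesses described above: `uses:` references pinned to a tag or branch instead of a full 40-hex commit SHA (the mutable-tag problem behind the `trivy-action` hijack), and `pull_request_target` workflows that check out the pull request's head, which is the general dangerous pattern for that trigger. The article does not say exactly how the earlier Trivy workflow was misconfigured, so the second check is an assumption about the class of bug, not a reconstruction of it. The two workflow files are constructed samples; the action names and versions in them are illustrative and the SHA is a placeholder.

```python
import re

# Constructed sample workflows for this example; not taken from any real repository.
# The action names/versions are illustrative and the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOWS = {
    "scan.yml": """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/local-helper
""",
    "pr-check.yml": """\
name: pr-check
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
""",
}

# `- uses: owner/repo@ref` (optionally followed by a comment)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full commit SHA is the only reference a force-pushed tag cannot move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Trigger that runs with the base repository's secrets (inline or block form).
PR_TARGET_RE = re.compile(r"^\s*(on:.*\bpull_request_target\b|pull_request_target\s*:)", re.M)
# Checking out the PR head under that trigger runs untrusted code with those secrets.
PR_HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def find_unpinned_uses(text):
    """Return [(line_no, ref)] for every `uses:` not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable Git tag in another repository.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def uses_pr_target_with_head_checkout(text):
    """True if the workflow runs on pull_request_target and checks out the PR head."""
    return bool(PR_TARGET_RE.search(text) and PR_HEAD_REF_RE.search(text))


def audit(workflows):
    """Map each workflow name to its findings."""
    return {
        name: {
            "unpinned": find_unpinned_uses(text),
            "pr_target_head_checkout": uses_pr_target_with_head_checkout(text),
        }
        for name, text in workflows.items()
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_WORKFLOWS).items():
        for line_no, ref in result["unpinned"]:
            print(f"{name}:{line_no}: unpinned action reference {ref}")
        if result["pr_target_head_checkout"]:
            print(f"{name}: pull_request_target workflow checks out the PR head")
```

Run against the files under `.github/workflows/` as a pre-merge gate. A flagged reference should be rewritten to the full commit SHA with the human-readable version kept in a trailing comment, as the `setup-go` line in the sample does; a flagged `pull_request_target` job should either drop the head checkout or be split so that nothing from the pull request runs in the job that holds secrets.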
