Semgrep A.I CyberSecurity Scoring
Semgrep
Company Information
Website: https://semgrep.dev
Employees: 234
Number of followers: 17,495
NAICS: 5112
Industry Type: Software Development
Homepage: semgrep.dev
Semgrep Risk Score (AI oriented)
Score band: between 700 and 749
Semgrep, Software Development
Updated: 03/04/2026
735/1000, Moderate (Ba)
Semgrep Global Score (TPRM)
Semgrep, Software Development
Score locked
Current Score: 735 Ba (MODERATE) on a 0 to 1000 scale
1 incident, -18 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 737
May 2026: 736
April 2026: 736
March 2026: 753
Cyber Attack
25 Mar 2026 • Semgrep
Affected: Organizations using Trivy in automated workflows and Aqua Security
Aqua Security's Trivy Scanner Hit by Supply Chain Attack
Score: 735 | Severity: CRITICAL, impact -18 | Incident ID: SEMAQU1774434920
Sophisticated Supply Chain Attack Targets Trivy Vulnerability Scanner, Exposing CI/CD Risks
Aqua Security uncovered a sophisticated supply chain attack targeting its open-source Trivy vulnerability scanner, demonstrating how threat actors can exploit trusted development workflows to steal sensitive data without detection. The incident, which did not impact Aqua’s commercial products, highlights critical vulnerabilities in CI/CD pipelines.
### Attack Overview
Rather than distributing a malicious binary, attackers hijacked existing GitHub repositories aquasecurity/trivy-action and setup-trivy using stolen credentials. By force-pushing malicious commits to version tags (e.g., v0.x), they ensured automated pipelines pulled compromised code. Since many organizations rely on mutable tags instead of immutable commit hashes, the altered code executed undetected.
The injected payload ran before Trivy’s legitimate scanning process, allowing workflows to complete normally while exfiltrating high-value secrets, including:
- Cloud credentials (AWS, GCP, Azure)
- API tokens and access keys
- SSH private keys
- Kubernetes service account tokens
- Docker configuration files
Given CI/CD pipelines’ broad infrastructure access, this could enable lateral movement, privilege escalation, and full environment compromise.
### Timeline & Persistence
- Late February 2026: Initial compromise occurred.
- March 1: Incomplete credential rotation allowed attackers to retain access.
- March 22: Additional suspicious activity suggested attempts to reestablish persistence, indicating a multi-stage operation.
Aqua revoked compromised credentials, removed malicious artifacts, and transitioned away from long-lived tokens. Incident response firm Sygnia assisted in forensic investigation and containment. The company confirmed its commercial platform remained unaffected due to strict architectural separation, including isolated infrastructure and gated security reviews.
### Mitigation & Indicators of Compromise
Organizations using Trivy in automated workflows should:
- Upgrade to Trivy v0.69.2 or v0.69.3
- Use safe GitHub Action versions: trivy-action v0.35.0 or setup-trivy v0.2.6
- Rotate all secrets if v0.69.4 was executed in any pipeline
Security teams should monitor and block the following indicators:
- Domain: scan.aquasecurtiy[.]org
- IP Address: 45.148.10.212
- Secondary C2: plug-tab-protective-relay.trycloudflare.com
- GitHub repo: Unauthorized tpcp-docs
- ICP-based C2: tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
### Key Takeaway
The attack exploited over-reliance on mutable version tags in CI/CD pipelines. A simple defensive measure, pinning dependencies to immutable commit SHA hashes, could have prevented the compromise. As CI/CD pipelines become prime targets, organizations must enforce strict access controls, monitoring, and dependency integrity validation to mitigate supply chain risks.
February 2026: 753
January 2026: 753
December 2025: 753
November 2025: 753
October 2025: 753
September 2025: 753
August 2025: 753
July 2025: 753
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Semgrep?
What was Semgrep's A.I Rankiteo Cyber Score in May 2026?
What was Semgrep's A.I Rankiteo Cyber Score in April 2026?
What was Semgrep's A.I Rankiteo Cyber Score in March 2026?
What was Semgrep's A.I Rankiteo Cyber Score in February 2026?
What was Semgrep's A.I Rankiteo Cyber Score in January 2026?
What was Semgrep's A.I Rankiteo Cyber Score in December 2025?
What was Semgrep's A.I Rankiteo Cyber Score in November 2025?
What was Semgrep's A.I Rankiteo Cyber Score in October 2025?
What was Semgrep's A.I Rankiteo Cyber Score in September 2025?
What was Semgrep's A.I Rankiteo Cyber Score in August 2025?
What was Semgrep's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Semgrep's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Semgrep?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Semgrep's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?