A major supply chain security incident has impacted Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security. The breach targeted its GitHub Actions integrations, enabling attackers to distribute malicious code designed to steal sensitive CI/CD secrets.
The compromise affected the GitHub Actions repositories “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” both commonly used in CI/CD pipelines for scanning container images and configuring the Trivy tool. Attackers force-pushed 75 out of 76 version tags in the trivy-action repository, redirecting them to malicious code without following standard release processes.
According to Philipp Burckhardt, the manipulated tags effectively turned trusted version references into a delivery mechanism for an infostealer payload. This payload executes within GitHub Actions runners and is designed to extract sensitive data such as SSH keys, cloud provider credentials, database access details, Git and Docker configurations, Kubernetes tokens, and even cryptocurrency wallets.
This marks the second recent supply chain attack involving Trivy. In a prior incident earlier in 2026, an automated entity known as “hackerbot-claw” exploited a GitHub workflow vulnerability to obtain a Personal Access Token (PAT). The compromised token was then used to take control of the repository, remove legitimate releases, and publish malicious versions of a related Visual Studio Code extension.
The latest breach was initially identified by security researcher Paul McCarty after a compromised release (version 0.69.4) appeared in the Trivy repository. Analysis revealed that the malicious version executed both legitimate scanning functions and hidden code designed for data exfiltration.
The malware scanned systems for environment variables and credentials, encrypted the collected data, and transmitted it to an external server. It also attempted to establish persistence by creating a system-level service that continuously fetched and executed additional payloads from a remote source.
In a statement, Itay Shakury, Vice President of Open Source at Aqua Security, confirmed that the attack stemmed from compromised credentials. These credentials were used to publish malicious versions across Trivy repositories, including trivy-action and setup-trivy, with multiple tags being forcefully redirected to malicious commits.
The incident highlights the growing risks associated with software supply chain attacks, particularly in widely used open-source tools embedded in automated development pipelines. It underscores the need for stronger security controls, version verification practices, and continuous monitoring within CI/CD environments to prevent unauthorized code execution and data exfiltration.
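One concrete version-verification check, added here as an example and not taken from the article or from Aqua Security's own tooling: a small audit that walks a GitHub Actions workflow and flags every `uses:` step that references the affected actions by a mutable tag or branch instead of a full commit SHA, since a force-pushed tag cannot move a SHA pin. The sample workflow and its 40-hex value are constructed for the example.

```python
import re

# Repositories the article names as having had version tags force-pushed.
AFFECTED_REPOS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the article); the 40-hex value is a
# placeholder, not a real trivy-action commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v1
      - uses: aquasecurity/trivy-action@main
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

def audit_workflow(text):
    """Return (line_no, repo, ref, verdict) for each remote action reference.

    Only a full 40-hex commit SHA is immutable; tags and branches can be moved,
    which is what happened to the trivy-action tags. Local (./) and docker://
    steps carry no GitHub ref and are skipped.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        repo_path, _, ref = spec.partition("@")
        # owner/repo/subdir@ref: compare only owner/repo against the affected set
        repo = "/".join(repo_path.split("/")[:2])
        if SHA_RE.match(ref):
            verdict = "sha-pinned"
        elif repo in AFFECTED_REPOS:
            verdict = "mutable-ref-affected-repo"
        else:
            verdict = "mutable-ref"
        findings.append((line_no, repo, ref, verdict))
    return findings
```

Run it over every file under `.github/workflows/` and treat any `mutable-ref-affected-repo` finding as a step whose code could have been silently swapped by the tag redirection described above.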