Trivy Supply Chain Attack Was 16-Month Campaign: Timeline Reveals Escalating CI/CD Exploitation Pattern
Key Takeaways
- ▸The Trivy attack represents the culmination of a 16-month coordinated campaign exploiting GitHub Actions, beginning with a stolen PAT in November 2024 and escalating through multiple high-profile open-source projects
- ▸Over 23,000 repositories were affected by the tj-actions/changed-files compromise, demonstrating the cascading risk when popular CI/CD tools are weaponized
- ▸Current security measures like SHA pinning are necessary but insufficient; comprehensive hardening requires at least 12 distinct mitigation steps including proper credential management and workflow security configurations
Summary
A comprehensive security analysis reveals that the March 2026 Trivy supply chain attack was not an isolated incident but rather the culmination of a 16-month coordinated campaign targeting GitHub Actions and CI/CD pipelines. The attack chain began in November 2024 when a Personal Access Token (PAT) was stolen from a SpotBugs maintainer's workflow, which attackers then leveraged to compromise multiple popular open-source projects including tj-actions/changed-files (used by 23,000 repositories), Nx build system (affecting 5,500+ repositories), and ultimately Trivy itself in March 2026. The Trivy attack specifically compromised 75 of 76 version tags across aquasecurity/trivy-action and aquasecurity/setup-trivy, force-pushing malicious commits that stole AWS credentials, GCP tokens, and SSH keys from affected workflows, with the attack later spreading to Docker Hub, VS Code extensions, and PyPI as CVE-2026-33634 (CVSS 9.4).
The analysis identifies a critical security gap in GitHub Actions security practices: SHA pinning, while essential, represents only the first of 12 necessary hardening steps. Previous attacks in the campaign, including the August 2025 Nx/s1ngularity compromise which used AI-augmented reconnaissance tools and the September 2025 GhostAction attack that stole 3,325 secrets, demonstrate an escalating sophistication in supply chain attacks. Security researchers at Endor Labs and StepSecurity estimate that hundreds of repositories exposed sensitive credentials in publicly visible workflow logs, with some victims' private repositories being renamed and made public by attackers.
- The attacks have evolved to include AI-augmented reconnaissance tools and cross-platform exploitation (GitHub Actions, Docker Hub, PyPI), indicating sophisticated threat actor capabilities
- Hundreds of repositories exposed credentials in publicly visible workflow logs, with AWS access keys actively exploited post-discovery in some cases
Editorial Opinion
This analysis underscores a fundamental vulnerability in the open-source software supply chain: the trust placed in GitHub Actions and automated CI/CD workflows creates a single point of failure that, once compromised, amplifies across thousands of dependent projects. The 16-month timeline is particularly alarming as it demonstrates that sophisticated attackers are conducting patient, multi-stage campaigns rather than opportunistic exploits. Organizations must move beyond single-point defenses like SHA pinning and implement comprehensive hardening strategies; the fact that comprehensive protection requires 12+ steps suggests the current GitHub Actions security model places too much burden on individual developers and maintainers.
