Aqua Security | Policy & Regulation | 2026-03-21

Trivy Vulnerability Scanner Compromised in Major Supply Chain Attack; Aqua Security Investigating Credential Theft

Key Takeaways

  • Trivy v0.69.4 and 75 out of 76 trivy-action releases were compromised with credential-stealing malware; organizations must audit systems immediately
  • The attack exploited incomplete remediation from a previous breach, highlighting the critical importance of thorough incident containment and access revocation
  • Malware employed advanced techniques including process memory scraping, multi-stage payloads, hybrid encryption, and multiple exfiltration channels to maximize credential theft success
Source: Hacker News, https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack

Summary

Aqua Security's Trivy vulnerability scanner was compromised on March 19, 2026, in a sophisticated supply chain attack attributed to threat actors calling themselves TeamPCP. The attack injected credential-stealing malware into official Trivy releases, GitHub Actions (trivy-action and setup-trivy), and affected multiple distribution channels including Docker Hub, GitHub Container Registry (GHCR), and Amazon ECR. The malicious payloads were designed to harvest sensitive credentials including SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, and cryptocurrency wallets from affected systems.

The attackers gained access by exploiting incomplete containment from an earlier incident this month, using compromised credentials to spoof commits from legitimate maintainers and to take over the aqua-bot service account. The malware employed sophisticated techniques including memory scraping of GitHub Actions runners, hybrid AES-256/RSA-4096 encryption, and multiple exfiltration methods over typosquatted domains, with GitHub repositories as fallback channels. Aqua Security has since removed the malicious artifacts, but organizations using Trivy are urged to conduct immediate environmental audits to detect any compromise.

  • Supply chain compromise affected multiple distribution vectors (GitHub Releases, Docker Hub, GHCR, ECR) and GitHub Actions workflows, increasing the potential blast radius across development environments
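A starting point for the audit the summary calls for, added here as an example and not code from Aqua Security, Wiz or the Trivy project: it scans GitHub workflow files for uses of the two Actions the article names and flags any reference that is a mutable tag or branch rather than a full commit SHA, any `version:` input pinning the Trivy release the article names as compromised, and any `trivy --version` output reporting that release. The sample workflow and version output are constructed, the 40-hex SHA in them is a placeholder, and the assumption that `trivy --version` prints a line of the form `Version: 0.xx.y` is mine. Pinning Actions to a reviewed full SHA is a general hardening measure, not a step the article itself lists.

```python
import re
from dataclasses import dataclass

# Trivy release the article names as compromised (v0.69.4). The article says 75 of 76
# trivy-action releases were affected but does not list them, so Action refs are judged
# on whether they are immutable (full commit SHA) rather than against a version list.
COMPROMISED_TRIVY_VERSIONS = {"0.69.4"}
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# `uses: owner/repo[/subpath]@ref` inside a workflow step
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([^\s'\"#]+)", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `version: v0.69.4` style inputs (heuristic: any version input in the workflow)
VERSION_INPUT_RE = re.compile(r"^\s*version:\s*['\"]?v?(\d+\.\d+\.\d+)", re.MULTILINE)
# Assumption: `trivy --version` prints a line of the form "Version: 0.xx.y"
TRIVY_BANNER_RE = re.compile(r"^Version:\s*v?(\d+\.\d+\.\d+)", re.MULTILINE)


@dataclass
class Finding:
    source: str  # workflow file or host the finding came from
    detail: str


def audit_workflow(name: str, text: str) -> list[Finding]:
    """Flag affected Actions that are not SHA-pinned and inputs pinning a compromised Trivy."""
    findings: list[Finding] = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action not in AFFECTED_ACTIONS:
            continue
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin; compare against a reviewed known-good commit out of band
        findings.append(Finding(name, f"{action}@{ref}: mutable ref, pin to a reviewed full commit SHA"))
    for m in VERSION_INPUT_RE.finditer(text):
        if m.group(1) in COMPROMISED_TRIVY_VERSIONS:
            findings.append(Finding(name, f"version input pins Trivy {m.group(1)}, named as compromised"))
    return findings


def audit_trivy_version(host: str, version_output: str) -> list[Finding]:
    """Check the output of `trivy --version` collected from a host against the compromised release."""
    m = TRIVY_BANNER_RE.search(version_output)
    if m and m.group(1) in COMPROMISED_TRIVY_VERSIONS:
        return [Finding(host, f"installed Trivy {m.group(1)} is named as compromised")]
    return []


# Constructed sample inputs (not taken from any real repository or host).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
        with:
          version: v0.69.4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""
SAMPLE_TRIVY_VERSION = "Version: 0.69.4\nVulnerability DB:\n  Version: 2\n"

if __name__ == "__main__":
    results = audit_workflow(".github/workflows/scan.yml", SAMPLE_WORKFLOW)
    results += audit_trivy_version("build-runner-01", SAMPLE_TRIVY_VERSION)
    for f in results:
        print(f"{f.source}: {f.detail}")
```

Run it over every workflow file in the organisation's repositories and over `trivy --version` output gathered from build hosts; a SHA pin passing this check still has to be compared against a commit you have reviewed, since the check only establishes that the reference cannot silently move.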

Editorial Opinion

This incident underscores a troubling reality in open-source security: even well-maintained projects serving critical infrastructure security functions remain vulnerable to sophisticated supply chain attacks. The fact that the attack exploited incomplete containment from a previous breach raises serious questions about incident response maturity across the industry. Organizations need to recognize that tools designed to find vulnerabilities can themselves become vectors for compromise—emphasizing the need for cryptographic verification, sandboxed execution environments, and real-time anomaly detection in CI/CD pipelines.

Tags: MLOps & Infrastructure, Cybersecurity, Privacy & Data, Misinformation & Deepfakes, Open Source
