Aqua Security’s Trivy Scanner Compromised in Supply Chain Attack

May 27, 2026

A sophisticated supply chain attack has targeted Aqua Security’s widely used open-source vulnerability scanner, Trivy. A threat actor leveraged compromised credentials to distribute malicious releases, turning a trusted security tool into a mechanism for large-scale credential theft across CI/CD pipelines.

The incident remains an ongoing and evolving investigation, with attackers actively weaponizing stolen credentials across the broader ecosystem.

The breach originated in late February 2026 when attackers exploited a misconfiguration in Trivy’s GitHub Actions environment to extract a privileged access token.

Although the Trivy team disclosed the incident and executed a credential rotation on March 1, the remediation was incomplete. This oversight allowed the adversary to retain residual access via still-valid credentials.

On March 19, the threat actor escalated the attack by force-pushing malicious commits to 76 of 77 version tags in the aquasecurity/trivy-action repository and all seven tags in aquasecurity/setup-trivy. Simultaneously, a compromised service account triggered automated release pipelines to publish a backdoored Trivy binary designated as version 0.69.4.

Rather than introducing a clearly malicious new version, the attackers altered existing version tags to silently inject malicious code into workflows organizations were already executing.

Trivy Scanner Compromised

The malicious payload was engineered to execute prior to legitimate Trivy scanning logic, allowing compromised workflows to appear as though they completed normally.

During this silent execution, the malware actively collected sensitive information from CI/CD environments. Targeted secrets included API tokens, cloud provider credentials for AWS, GCP, and Azure, SSH keys, Kubernetes tokens, and Docker configuration files. The malware then exfiltrated this data to attacker-controlled infrastructure.

The attack explicitly targeted open-source users relying on mutable version tags rather than pinned commit hashes. Aqua Security has confirmed that its commercial products remain unaffected.

The commercial platform is architecturally isolated from the compromised open-source environment with dedicated pipelines, strict access controls, and a controlled integration process that lags open-source releases.

Aqua Security’s response efforts progressed rapidly from initial containment to active remediation in collaboration with global incident response firm Sygnia.

Over the weekend of March 21-22, the investigation uncovered additional suspicious activity consistent with the threat actor attempting to reestablish access, indicating an ongoing campaign.

Remediation actions include the removal of all malicious releases from distribution channels such as GitHub Releases, Docker Hub, and Amazon ECR.

The security team has conducted comprehensive credential revocations across all environments, transitioned away from long-lived tokens, and is implementing immutable release verification to prevent future tampering. All compromised version tags have been deleted or repointed to known-safe, verified commits.

Aqua Security also highlighted the critical role of the broader security community in mitigating the fallout. Research teams at Aikido Security and CrowdStrike were explicitly thanked for their rapid technical publications, which accelerated community awareness and response efforts.

Because Trivy is an open-source project without a centralized record of its user base, this collaborative ecosystem response was essential in notifying downstream users of the active threat.

Vulnerability Details

Security teams are urged to immediately audit their environments for the compromised version and update to known-safe releases. Users must treat all secrets accessible to affected runner environments as exposed and execute immediate rotation.

Component                  | Compromised Version | Safe Version    | Impact Details
Trivy binary               | v0.69.4             | v0.69.2-v0.69.3 | Malicious binary published via automated release
aquasecurity/trivy-action  | Multiple tags       | v0.35.0         | 76 of 77 version tags force-pushed to malicious commits
aquasecurity/setup-trivy   | Multiple tags       | v0.2.6          | All 7 version tags compromised and redirected
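As an added example (not code from the article, from Aqua Security, or from the Trivy project), the following Python script audits a GitHub Actions workflow for the exposure pattern described above: references to aquasecurity/trivy-action or aquasecurity/setup-trivy by mutable tag rather than by full commit SHA, and any reference to the backdoored binary version 0.69.4. The only values taken from the article are the two action names and that version number; the workflow text, job name and the 40-hex commit SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Actions whose version tags the article reports as force-pushed to malicious commits.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# Backdoored Trivy binary version named in the advisory.
COMPROMISED_BINARY_VERSION = "0.69.4"

# `uses: owner/repo@ref`, stopping at whitespace or a trailing YAML comment.
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@([^\s#]+)")
# A full 40-hex commit SHA: a tag force-push cannot change what this resolves to.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BINARY_RE = re.compile(r"\bv?0\.69\.4\b")


@dataclass
class Finding:
    line_no: int
    severity: str  # "critical", "high" or "info"
    message: str


def audit_workflow(text: str) -> list[Finding]:
    """Scan one workflow file and return a finding for every risky line."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m and m.group(1) in AFFECTED_ACTIONS:
            action, ref = m.group(1), m.group(2)
            if SHA_RE.match(ref):
                findings.append(Finding(n, "info",
                    f"{action} is pinned to commit {ref[:12]}; confirm it is on the verified-safe list"))
            else:
                findings.append(Finding(n, "high",
                    f"{action}@{ref} is a mutable tag; tags were force-pushed, re-pin to a verified commit SHA"))
        if BINARY_RE.search(line):
            findings.append(Finding(n, "critical",
                f"references compromised Trivy binary version {COMPROMISED_BINARY_VERSION}"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity among the findings, or "none" if the workflow is clean."""
    order = {"critical": 0, "high": 1, "info": 2}
    return min((f.severity for f in findings), key=order.__getitem__, default="none")


# Constructed sample workflow; the commit SHA below is a placeholder, not a real Trivy commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
    print("worst severity:", worst_severity(audit_workflow(SAMPLE_WORKFLOW)))
```

A SHA-pinned reference is reported only as informational because the pin itself is immune to the tag rewrite; it still has to be checked against the commits Aqua has verified as safe, since a pin made after March 19 could point at a malicious commit.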

Organizations should proactively hunt for the following network and host-based indicators within their firewalls, SIEMs, and GitHub audit logs to identify potential exfiltration or lateral movement.

Indicator Type            | IOC Value                                   | Recommended Action
Network C2 Domain         | scan.aquasecurtiy[.]org                     | Block at network perimeter; hunt DNS query logs
Network IP Address        | 45.148.10[.]212                             | Block at firewall; hunt outbound connections
Secondary C2 Tunnel       | plug-tab-protective-relay.trycloudflare.com | Search DNS logs for potential lateral movement
GitHub Exfiltration Repo  | tpcp-docs                                   | Search GitHub org for unauthorized repository creation
ICP Blockchain C2         | tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io     | Block egress to icp0.io at network perimeter
Compromised Binary        | trivy v0.69.4                               | Search container registries and CI caches
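As an added example (not from the article or from any vendor tooling), this Python script applies the IOC table above to a handful of log lines: it refangs the published indicators, matches hostnames and IPs found in DNS and firewall records, treats any host under icp0.io as a hit in line with the egress-blocking recommendation, and flags GitHub audit-log repository creations named tpcp-docs. The two log formats and every sample line are constructed for illustration; a real SIEM export needs its own field parsing.

```python
import json
import re

# Indicators copied from the article's IOC table, defanged as published.
IOC_DOMAINS = {
    "scan.aquasecurtiy[.]org",
    "plug-tab-protective-relay.trycloudflare.com",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
}
IOC_IPS = {"45.148.10[.]212"}
# The article recommends blocking all egress to this zone, so any subdomain counts.
EGRESS_SUFFIXES = {"icp0.io"}
# Repository name the attacker used for exfiltration on GitHub.
EXFIL_REPOS = {"tpcp-docs"}


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return value.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def host_matches(host: str) -> bool:
    """Exact match on a listed domain, or any host under a blocked egress zone."""
    host = host.lower().rstrip(".")
    if host in DOMAINS:
        return True
    return any(host == s or host.endswith("." + s) for s in EGRESS_SUFFIXES)


def hunt(lines):
    """Return (line_no, kind, value) for every log line that matches an indicator.

    Plain-text lines are treated as DNS/firewall records and scanned for hostnames
    and IPs; lines starting with '{' are treated as GitHub audit-log JSON events.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped.startswith("{"):
            try:
                event = json.loads(stripped)
            except ValueError:
                continue
            repo = event.get("repo", "")
            if event.get("action") == "repo.create" and repo.rsplit("/", 1)[-1] in EXFIL_REPOS:
                hits.append((n, "github", repo))
            continue
        for host in HOST_RE.findall(line):
            if host_matches(host):
                hits.append((n, "domain", host.lower()))
        for ip in IP_RE.findall(line):
            if ip in IPS:
                hits.append((n, "ip", ip))
    return hits


# Constructed sample records: a simplified DNS/firewall format plus two GitHub audit events.
SAMPLE_LOGS = [
    "2026-03-20T10:01:02Z runner-07 dns query A scan.aquasecurtiy.org",
    "2026-03-20T10:01:05Z runner-07 fw outbound 45.148.10.212:443 allowed",
    "2026-03-20T10:02:11Z runner-07 dns query A github.com",
    "2026-03-20T10:03:40Z runner-12 dns query A tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    '{"action": "repo.create", "actor": "ci-bot", "repo": "example-org/tpcp-docs"}',
    '{"action": "repo.create", "actor": "dev", "repo": "example-org/website"}',
]

if __name__ == "__main__":
    for line_no, kind, value in hunt(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} indicator {value}")
```

Matching on the icp0.io suffix rather than only the listed canister hostname follows the table's advice to block the whole zone; the same suffix logic could be extended to trycloudflare.com, but that zone also carries legitimate traffic, so the script keeps that indicator as an exact match.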

Source: CybersecurityNews.com
