Anonymous Intelligence Signal

Aqua Security Trivy Action Compromised: Threat Actor Force-Pushes Malware to 76 Version Tags

Author: The Lab (unverified) | 2026-03-26 05:27:04 | Source: GitHub Issues

A threat actor has executed a sophisticated supply chain attack against Aqua Security's critical open-source security tools. Using compromised credentials, the attacker published a malicious version of the Trivy vulnerability scanner (v0.69.4) and then force-pushed 76 out of 77 version tags in the `aquasecurity/trivy-action` GitHub repository to point to credential-stealing malware. Simultaneously, all 7 tags in the related `aquasecurity/setup-trivy` repository were replaced with malicious commits. This attack directly compromises the integrity of a tool millions of developers rely on to scan their own code for security flaws.

The attack unfolded in two distinct phases. The initial compromise occurred on March 19, 2026, targeting the GitHub repositories. Three days later, on March 22, the threat actor leveraged the same credential access to publish malicious Trivy v0.69.5 and v0.69.6 images to DockerHub, expanding the attack surface. The exposure window for the initial malicious release, v0.69.4, lasted from March 19, 18:22 UTC until it was contained. This multi-vector approach—compromising GitHub tags and Docker images—demonstrates a calculated effort to maximize infection rates across the software development lifecycle.

The implications are severe for the global software supply chain. Any project that automatically updated its dependencies or CI/CD pipelines to pull the latest Trivy action or Docker image during the exposure window may have inadvertently executed malware designed to steal credentials. This incident erodes trust in a foundational security tool and highlights the extreme vulnerability of automated dependency management systems to credential-based repository takeovers. Organizations must now audit their build logs and assume their pipelines were compromised if they used the affected versions.
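The audit the report calls for comes down to two questions about each pipeline: did it reference the affected actions by a mutable tag that could have been force-pushed, and did it pull one of the Trivy image versions named as malicious. The following Python script is an added example, not code from the report or from Aqua Security. It scans GitHub Actions workflow text for `uses:` references to `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` that are not pinned to a full commit SHA, and for image references carrying the tags 0.69.4, 0.69.5 or 0.69.6. The DockerHub/GHCR image repository names and the `v`-optional tag format are assumptions for pattern matching; the report does not state them. The sample workflow is constructed.

```python
"""Audit GitHub Actions workflow text for references touched by the Trivy
tag force-push incident. Added example; not code from the report or Aqua Security."""
import re

# Repositories the report names as having had their version tags force-pushed.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# Trivy releases/images the report names as malicious.
AFFECTED_VERSIONS = {"0.69.4", "0.69.5", "0.69.6"}
# Image repository names are ASSUMED for matching; the report does not name them.
IMAGE_REPOS = ("aquasec/trivy", "aquasecurity/trivy", "ghcr.io/aquasecurity/trivy")

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/subpath]@ref`, optionally quoted.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@'\"\s]+)?@([^'\"\s]+)",
    re.M,
)
# Matches `<image-repo>:<tag>` anywhere (run: lines, docker:// uses, container: blocks).
IMAGE_RE = re.compile(
    "(" + "|".join(re.escape(r) for r in IMAGE_REPOS) + r"):(v?[0-9][^\s'\"]*)"
)

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm aquasec/trivy:0.69.5 image myapp:latest
"""


def audit_workflow(text):
    """Return (kind, reference, reason) findings for one workflow file's text."""
    findings = []
    for m in USES_RE.finditer(text):
        repo, ref = m.group(1), m.group(2)
        pinned = bool(FULL_SHA_RE.match(ref))
        if repo in AFFECTED_ACTIONS and not pinned:
            findings.append((
                "action", f"{repo}@{ref}",
                "affected action referenced by a mutable tag; check build logs for the "
                "commit the tag resolved to and re-pin to a reviewed full SHA",
            ))
        elif not pinned:
            findings.append((
                "action", f"{repo}@{ref}",
                "mutable ref: a force-pushed tag or branch silently changes what runs",
            ))
    for m in IMAGE_RE.finditer(text):
        image, tag = m.group(1), m.group(2)
        if tag.lstrip("v") in AFFECTED_VERSIONS:
            findings.append((
                "image", f"{image}:{tag}",
                "image version named as malicious in the report; rotate any credentials "
                "available to this job",
            ))
    return findings


if __name__ == "__main__":
    for kind, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{kind}] {ref}: {reason}")
```

Run it over every file under `.github/workflows/` (and any reusable or composite workflows they call). A SHA-pinned reference is not flagged because a full commit SHA cannot be redirected by a tag force-push; a finding on a mutable reference does not by itself prove compromise, only that the run history for that job needs to be compared against the dates in the report.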