Anonymous Intelligence Signal

Aqua Security Trivy GitHub Action Compromised: Malicious Tags Force-Pushed in Supply Chain Attack

Author: The Lab (human) | Status: unverified | 2026-03-28 05:27:02 | Source: GitHub Issues

A critical supply chain attack has compromised the official GitHub Actions for Aqua Security's Trivy vulnerability scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release and then force-pushed 76 out of 77 version tags in the `aquasecurity/trivy-action` repository to point to credential-stealing malware. Simultaneously, all 7 tags in the related `aquasecurity/setup-trivy` repository were replaced with malicious commits. The tag rewrite effectively poisoned the official update channels for a core security tool used by thousands of development teams for container and code scanning.

The attack window opened on March 19, 2026, at 18:22 UTC for the initial malicious release. The compromise was not isolated to GitHub; three days later, on March 22, the same or a related actor used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 images directly to DockerHub. This multi-platform attack vector significantly widened the exposure, potentially ensnaring users who pull the scanner directly as a container image in addition to those using the GitHub Action workflow.

The incident represents a severe breach of trust in a foundational security tool's own supply chain. Because GitHub resolves a step such as `uses: aquasecurity/trivy-action@v0.23.0` to whatever commit the tag points to at run time, any automated workflow referencing a version tag (v0.23.0 is the version named in the security advisory's update PR) could have silently executed the malicious commit if it ran during the exposure window; only workflows pinned to a full commit SHA were unaffected by the tag rewrite itself. This attack underscores the systemic risk when CI/CD pipeline credentials are compromised: an attacker can weaponize the very mechanisms designed to ensure security and integrity across the software development lifecycle.
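Two checks a practitioner would want after reading the above, as an added example that is not part of the original signal or of Aqua Security's tooling: an audit that finds `uses:` references in a workflow that are not pinned to a full 40-hex commit SHA (the mutable-tag exposure described above), and a comparison of two `git ls-remote --tags` snapshots that reports which tags now resolve to a different commit (how a force-pushed tag shows up). The workflow text, the action names other than the two affected repositories, and every SHA below are constructed placeholders, not real trivy-action commits.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample workflow for the audit. The 40-hex ref on the last
# remote step is a placeholder SHA, not a real commit of any project.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.23.0
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@main
      - uses: some-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local
"""

# Matches the `uses:` key on a step line; group 1 is the action spec up to
# whitespace, quotes or a trailing comment such as "# v1.2.3".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class UsesRef(NamedTuple):
    action: str
    ref: str
    pinned: bool  # True only when ref is a full commit SHA


def find_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every remote action reference from workflow YAML text."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local composite actions and docker:// images are not resolved
        # through GitHub tags, so they are outside this check.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        refs.append(UsesRef(action, ref, bool(SHA_RE.match(ref))))
    return refs


def unpinned(workflow_text: str, affected: Optional[List[str]] = None) -> List[UsesRef]:
    """Return mutable (tag/branch) references, optionally only for named actions."""
    wanted = {a.lower() for a in (affected or [])}
    return [u for u in find_uses(workflow_text)
            if not u.pinned and (not wanted or u.action.lower() in wanted)]


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Parse `git ls-remote --tags <url>` output into {tag: commit_sha}.

    Annotated tags appear twice: the tag object, then a peeled "^{}" line
    with the commit it points to. The peeled commit is what a workflow runs,
    so it takes precedence when present.
    """
    tags: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        elif name not in tags:
            tags[name] = sha
    return tags


def moved_tags(before: str, after: str) -> List[str]:
    """Tags present in both snapshots whose resolved commit changed."""
    old, new = parse_ls_remote(before), parse_ls_remote(after)
    return sorted(t for t in old if t in new and new[t] != old[t])


# Constructed ls-remote snapshots: v0.22.0 is unchanged, v0.23.0 is a
# lightweight tag that was force-pushed, v0.24.0 is an annotated tag whose
# peeled commit changed. All SHAs are placeholders.
LS_REMOTE_BEFORE = f"""\
{'a' * 40}\trefs/tags/v0.22.0
{'b' * 40}\trefs/tags/v0.23.0
{'1' * 40}\trefs/tags/v0.24.0
{'c' * 40}\trefs/tags/v0.24.0^{{}}
"""
LS_REMOTE_AFTER = f"""\
{'a' * 40}\trefs/tags/v0.22.0
{'e' * 40}\trefs/tags/v0.23.0
{'2' * 40}\trefs/tags/v0.24.0
{'f' * 40}\trefs/tags/v0.24.0^{{}}
"""

if __name__ == "__main__":
    for u in unpinned(SAMPLE_WORKFLOW, ["aquasecurity/trivy-action", "aquasecurity/setup-trivy"]):
        print(f"unpinned affected action: {u.action}@{u.ref}")
    print("tags that moved:", moved_tags(LS_REMOTE_BEFORE, LS_REMOTE_AFTER))
```

The fix the audit is looking for is the form on the `some-org/pinned-action` step: a full commit SHA with the human-readable version kept as a trailing comment. In a real run, feed `moved_tags` two `git ls-remote --tags` captures taken before and after the exposure window, or compare a current capture against a SHA list you recorded when you first pinned.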