Anonymous Intelligence Signal

GitHub Action Compromise: Malicious Trivy v0.69.4 Release & Tag Hijack Exposes Supply Chain

The Lab (unverified) | 2026-03-31 08:27:10 | Source: GitHub Issues

A critical supply chain attack has compromised the official GitHub Actions for Trivy, a widely used open-source security scanner. On March 19, 2026, a threat actor used stolen credentials to publish a malicious version of Trivy (v0.69.4) and executed a sweeping hijack of the project's version history. The attacker force-pushed 76 out of 77 version tags in the `aquasecurity/trivy-action` repository to point to credential-stealing malware. Simultaneously, all 7 tags in the related `aquasecurity/setup-trivy` repository were replaced with malicious commits, effectively poisoning the entire tagged release lineage for these critical security tools.

The attack window for the initial GitHub-based compromise opened on March 19, 2026. The threat actor's access was not limited to source code; three days later, on March 22, they used compromised credentials again to publish malicious Trivy v0.69.5 and v0.69.6 container images to DockerHub. This multi-pronged attack targeted both the CI/CD pipeline integration points (GitHub Actions) and the container runtime environment, maximizing potential victim impact. The malicious artifacts were designed to steal credentials from any system that automatically pulled the updated or hijacked versions.

This incident represents a severe escalation in open-source software supply chain attacks, directly compromising a tool trusted by developers to find vulnerabilities. The scale of the tag manipulation—affecting nearly every historical release—creates a persistent threat, as systems configured to use older, presumably safe versions could now be pulling malware. The compromise of DockerHub images extends the risk beyond GitHub workflows to any deployment or development environment relying on the official Trivy containers. The event underscores the catastrophic consequences of credential compromise in maintainer accounts for foundational security infrastructure.
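The force-push of existing tags described above is only visible if you compare what a tag points to now against what it pointed to before. The following is an added defensive check, not code from the report or from the Trivy project: it parses `git ls-remote --tags` output, diffs it against a previously recorded tag-to-commit baseline, and classifies workflow `uses:` references as SHA-pinned or mutable. The sample ls-remote output, the baseline SHAs and the workflow lines are constructed placeholders, not real `aquasecurity/trivy-action` commits.

```python
"""Detect moved tags on an action repository and unpinned workflow references."""
import re

# Constructed sample of `git ls-remote --tags <url>` output (placeholder SHAs).
# An annotated tag is followed by a "^{}" line giving the peeled commit, which
# is the commit a runner actually checks out.
LS_REMOTE_OUTPUT = (
    "a" * 40 + "\trefs/tags/0.28.0\n"
    + "b" * 40 + "\trefs/tags/0.28.0^{}\n"
    + "c" * 40 + "\trefs/tags/0.29.0\n"
    + "d" * 40 + "\trefs/tags/0.30.0\n"
)

# Baseline recorded before the incident (constructed). Tag 0.29.0 now resolves
# to a different commit than the baseline, which is the hijack signature.
BASELINE = {"0.28.0": "b" * 40, "0.29.0": "0" * 40, "0.30.0": "d" * 40}


def parse_ls_remote(text):
    """Return {tag_name: commit_sha}, using the peeled commit for annotated tags."""
    tags = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled commit wins over tag object
        else:
            tags.setdefault(name, sha)     # lightweight tag, or placeholder
    return tags


def moved_tags(baseline, current):
    """Tags present in both maps whose target commit changed since baseline."""
    return sorted(t for t in baseline if t in current and current[t] != baseline[t])


def audit_uses(line):
    """Parse a workflow 'uses: owner/repo@ref' line -> (repo, ref, pinned_to_sha)."""
    m = re.search(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)", line)
    if not m:
        return None
    repo, ref = m.groups()
    return repo, ref, re.fullmatch(r"[0-9a-f]{40}", ref) is not None


if __name__ == "__main__":
    print("moved tags:", moved_tags(BASELINE, parse_ls_remote(LS_REMOTE_OUTPUT)))
    print(audit_uses("      - uses: aquasecurity/trivy-action@0.29.0"))
```

Run the baseline capture and the comparison from a trusted host, not from the CI job whose `uses:` line is under suspicion, and treat any moved tag as a reason to stop pulling that ref until the commit has been reviewed.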