Aqua Security Trivy Action Compromised: Threat Actor Force-Pushed Malware to 76 Version Tags
A critical supply chain attack has compromised the official GitHub Actions for Aqua Security's Trivy vulnerability scanner. On March 19, 2026, a threat actor used stolen credentials to publish a malicious Trivy v0.69.4 release and then force-pushed 76 out of 77 version tags in the `aquasecurity/trivy-action` repository to credential-stealing malware. Simultaneously, the attacker replaced all 7 tags in the related `aquasecurity/setup-trivy` repository with malicious commits. Together, these changes effectively poisoned the official update channels for a core security tool used by thousands of development teams to scan their code and containers.
The attack window for the initial compromise opened on March 19, 2026, at 18:22 UTC. The scale is significant: nearly every version tag for the primary `trivy-action` was altered, meaning any workflow that pinned its action to a version tag—a common security practice—could have automatically pulled and executed the malicious code, because a tag is a mutable pointer that a force-push can silently move. The attack was not isolated to GitHub; on March 22, the same or a related actor used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 images to Docker Hub, extending the attack surface to container deployments.
This incident represents a severe breach of trust in a foundational security tool's supply chain. The `trivy-action` is integrated into CI/CD pipelines globally to detect vulnerabilities, making its compromise a potent vector for credential theft and further lateral movement. The advisory, tagged as CVE-2026-33634, underscores the ongoing risk to organizations that may have run workflows or built containers during the exposure window. Immediate action to update to the patched `v0.35.0` or later is critical, but the event signals deep vulnerabilities in the maintenance and credential security of open-source security infrastructure itself.
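The practical check a defender wants after an incident like this is an inventory of which workflows reference the affected actions and how they are pinned: a version tag can be moved by a force-push, whereas a full 40-character commit SHA cannot. The following Python audit is an added example written for this page, not code from Aqua Security or from the advisory. It parses `uses:` lines from workflow YAML with a regular expression, keeps only references to `aquasecurity/trivy-action` and `aquasecurity/setup-trivy`, and flags any reference that is not a commit SHA. The sample workflow text and the 40-hex-character SHA in it are constructed placeholders, not real commits.

```python
import re
import sys

# Constructed sample workflow excerpt (placeholder content, not from the advisory).
# It contains the three reference styles the audit must distinguish: an unrelated
# action, Trivy actions pinned to mutable tags, and one pinned to a commit SHA.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.3
      - name: Scan image (mutable tag)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: example.local/app:latest
      - name: Scan repo (pinned to a commit)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          scan-type: fs
"""

# Matches "uses: owner/repo[/path]@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^@\s\"']+)@([^\s\"'#]+)", re.M)
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The two repositories whose tags were rewritten in the incident described above.
AFFECTED_REPOS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}


def audit_workflow(text):
    """Return (repo, ref, verdict) for every reference to an affected action.

    verdict is "pinned-sha" when the ref is a full commit SHA (immune to tag
    force-pushes) and "mutable-ref" for a tag or branch name.
    """
    findings = []
    for match in USES_RE.finditer(text):
        target, ref = match.group(1), match.group(2)
        # Normalise "owner/repo/subdir" to "owner/repo" before comparing.
        repo = "/".join(target.split("/")[:2])
        if repo not in AFFECTED_REPOS:
            continue
        verdict = "pinned-sha" if SHA_RE.match(ref) else "mutable-ref"
        findings.append((repo, ref, verdict))
    return findings


def mutable_refs(text):
    """Only the references that need attention: affected actions pinned to a tag."""
    return [(repo, ref) for repo, ref, verdict in audit_workflow(text)
            if verdict == "mutable-ref"]


if __name__ == "__main__":
    # Usage: python audit.py [workflow.yml ...]; with no arguments the sample is used.
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in sources:
        for repo, ref in mutable_refs(text):
            print(f"MUTABLE  {repo}@{ref}  (re-pin to a reviewed commit SHA)")
        for repo, ref, verdict in audit_workflow(text):
            if verdict == "pinned-sha":
                print(f"PINNED   {repo}@{ref}")
```

Run it over every `.github/workflows/*.yml` in the organisation. Any `mutable-ref` hit for these repositories is a workflow that would have followed a moved tag during the exposure window and should be re-pinned to a commit SHA that has been reviewed against the patched `v0.35.0` or later; pinning to a SHA also means future tag rewrites in the upstream repository cannot change what the workflow runs.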