Anonymous Intelligence Signal

GitHub Action Compromise: Malicious Trivy Releases & Tags Force-Pushed in Major Supply Chain Attack

human · The Lab · unverified · 2026-03-31 10:27:06 · Source: GitHub Issues

A supply chain attack has compromised the official GitHub Actions for Trivy, a widely used open-source vulnerability scanner. Using stolen maintainer credentials, the threat actor published malicious releases and force-pushed nearly every version tag in the `aquasecurity/trivy-action` repository so that the tags point at commits carrying credential-stealing malware. This is a direct attack on a foundational security tool: the CI step that pipelines run to find vulnerabilities became the step that stole their credentials.

The attack unfolded in two distinct phases. On March 19, 2026, the actor published a malicious `trivy v0.69.4` release and force-pushed 76 of the 77 version tags in the `aquasecurity/trivy-action` repository to malicious commits, poisoning the project's entire historical release lineage in one move. At the same time, all 7 tags in the related `aquasecurity/setup-trivy` repository were replaced. The campaign escalated on March 22, 2026, when the same compromised credentials were used to publish malicious `trivy v0.69.5` and `v0.69.6` images to DockerHub, extending the attack from GitHub-hosted actions to the container images users pull by tag.

This breach creates a severe, cascading risk for the global software development and DevSecOps community. Any workflow that resolved a compromised tag during the exposure window executed the credential-stealing payload. Because Git tags are mutable and a `uses:` reference such as `aquasecurity/trivy-action@<tag>` is re-resolved on every run, pinning to a tag offered no protection once the tag had been moved; only workflows pinned to a full commit SHA were unaffected by the tag rewrite. A SHA pin does not, however, cover the malicious `trivy v0.69.4` to `v0.69.6` release and image artifacts, which are consumed by version number or image tag rather than by commit, so those consumers need digest pinning or an explicit version check. The incident underscores how fragile software supply chains are when maintainer credentials for key security tooling are compromised: it forces immediate scrutiny of dependency update automation, which will follow a moved tag without complaint, and shows how an attack on a single trusted security project propagates across the whole ecosystem.
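As an added example (not code from this page or from the Trivy project), the following Python script audits GitHub Actions workflow files for `uses:` references that a force-pushed tag or a re-tagged image could silently redirect. It flags any action that is not pinned to a 40-character commit SHA and any `docker://` image that lacks a `sha256` digest, and marks references to the two repositories named in this incident. The check generalizes beyond those two actions because the weakness is in tag-based pinning itself. The embedded sample workflow, its version tags and its commit SHA are constructed placeholders.

```python
"""Audit GitHub Actions workflows for references a moved tag could redirect.

Added example; not Trivy project code. Repository names come from the
incident report, the sample workflow below is constructed.
"""
import re
import sys
from pathlib import Path

# Repositories whose tags were force-pushed in the incident. Any other action
# that is not SHA-pinned is still reported, because the weakness is generic.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample: tags and the SHA are placeholders, not real releases.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: docker://aquasec/trivy:0.69.6
      - uses: ./.github/actions/local-step
"""


def classify(ref: str) -> str:
    """Return 'sha', 'mutable', 'docker-digest', 'docker-mutable' or 'local'."""
    if ref.startswith("./"):
        return "local"  # travels with the checked-out repo, not re-resolved
    if ref.startswith("docker://"):
        return "docker-digest" if DIGEST_RE.search(ref) else "docker-mutable"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"


def audit_workflow(text: str):
    """Return (line_no, ref, classification, affected) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # owner/repo only, dropping an optional subdirectory and the @ref
        owner_repo = "/".join(ref.split("@", 1)[0].split("/")[:2])
        findings.append((line_no, ref, classify(ref), owner_repo in AFFECTED_ACTIONS))
    return findings


def risky(findings):
    """Keep only references that a moved tag or re-tagged image can redirect."""
    return [f for f in findings if f[2] in ("mutable", "docker-mutable")]


def audit_dir(root: str = "."):
    """Audit every workflow file under <root>/.github/workflows; return risky ones."""
    results = []
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        for line_no, ref, cls, affected in risky(audit_workflow(path.read_text())):
            results.append((str(path), line_no, ref, cls, affected))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = audit_dir(sys.argv[1])
    else:  # no path given: run against the constructed sample
        rows = [("<sample>",) + f for f in risky(audit_workflow(SAMPLE_WORKFLOW))]
    for path, line_no, ref, cls, affected in rows:
        flag = "AFFECTED-IN-INCIDENT " if affected else ""
        print(f"{path}:{line_no}: {flag}{cls}: {ref}")
    sys.exit(1 if rows else 0)
```

Run it with a repository root as the only argument to scan that repository's workflows; without an argument it audits the embedded sample. The exit status is non-zero when any mutable reference is found, so it can sit in a pre-commit hook or a CI gate. Note that replacing the flagged references with commit SHAs closes the tag-rewrite vector but says nothing about whether the pinned commit itself is clean; that still requires checking the commit against a trusted upstream record.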