Trivy Action Compromise: Threat Actor Force-Pushes Malware to 76 Version Tags
A sophisticated supply chain attack has compromised the widely used `aquasecurity/trivy-action` GitHub Action, with a threat actor using stolen credentials to force-push malware to 76 out of 77 version tags. The attack, detailed in a GitHub security advisory, began on March 19, 2026, when the actor published a malicious Trivy v0.69.4 release and simultaneously replaced all 7 tags in the related `aquasecurity/setup-trivy` repository with malicious commits. The exposure window for the primary action component opened at that time and remained active until mitigation efforts began.
The scope of the compromise is extensive, directly impacting a core security scanning tool used by thousands of development workflows to detect vulnerabilities. The threat actor's access allowed them to systematically replace legitimate release tags with credential-stealing malware, creating a high-risk scenario where automated CI/CD pipelines pulling the latest or specific versions of the action would unknowingly execute malicious code. The attack escalated on March 22, 2026, when the same actor used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 images to DockerHub, expanding the attack surface beyond GitHub.
This incident represents a critical breach in the software supply chain, putting any project that integrated the affected Trivy Action versions at immediate risk of credential theft and further compromise. Force-pushing nearly every version tag suggests an intent to maximize infection rates, since most dependency update strategies, whether pinned to a major tag or to a specific version tag, would resolve to a malicious commit. The event prompts urgent scrutiny of credential management for maintainers of critical open-source infrastructure and exposes the cascading risks when a single security tool's release process is compromised.
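As an added, defender-side example (not code from the advisory or from the Trivy project): a small audit over GitHub workflow text that flags every `uses:` reference resolving through a mutable tag or branch, which is exactly the path a force-pushed tag abuses, and separately marks references to the two repositories named above. The sample workflow and the 40-hex commit SHA in it are constructed placeholders, not real pins.

```python
import re
from typing import List, Tuple

# Repositories named in the advisory summary above; tags in both were force-pushed.
AFFECTED_REPOS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: "aquasecurity/trivy-action@0.28.0"
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.28.0
"""

# Matches `- uses: owner/repo@ref` (optionally quoted); local `./` actions and
# `docker://` images carry no `@ref` and are intentionally not matched.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"']+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(action: str, ref: str) -> str:
    """A full 40-hex commit SHA cannot be moved by a tag force-push; anything else can."""
    if FULL_SHA_RE.match(ref):
        return "sha-pinned"
    if action in AFFECTED_REPOS:
        return "mutable-ref-affected-repo"
    return "mutable-ref"


def audit_workflow(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, verdict) for each remote action reference in the workflow."""
    return [(m.group(1), m.group(2), classify_ref(m.group(1), m.group(2)))
            for m in USES_RE.finditer(text)]


def needs_attention(text: str) -> List[Tuple[str, str, str]]:
    """Only the findings a responder must act on: mutable refs into the affected repos."""
    return [f for f in audit_workflow(text) if f[2] == "mutable-ref-affected-repo"]


if __name__ == "__main__":
    for action, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:28} {action}@{ref}")
```

A SHA pin only removes the mutable-tag path; it does not by itself tell you whether that commit predates the compromise, so the pinned SHA still has to be compared against the upstream advisory's list of known-good commits.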