Aqua Security Trivy Supply Chain Attack: Malicious Releases & Credential-Stealing Tags Force-Pushed to GitHub Actions
A sophisticated supply chain attack has compromised the core security scanning tools of Aqua Security, directly targeting the widely used Trivy vulnerability scanner and its GitHub Actions. Threat actors, using compromised credentials, published malicious releases and force-pushed nearly all version tags in the `aquasecurity/trivy-action` repository to commits carrying credential-stealing malware. This incident represents a direct assault on the integrity of a foundational security tool that countless development pipelines rely on to vet their own code for vulnerabilities.
The attack unfolded in two distinct phases. On March 19, 2026, the attackers published a malicious Trivy v0.69.4 release and force-pushed 76 of the 77 version tags in the `aquasecurity/trivy-action` repository to malicious commits. Simultaneously, all 7 tags in the related `aquasecurity/setup-trivy` repository were replaced. The campaign escalated on March 22, 2026, when the same or a related actor used compromised credentials to publish malicious Trivy v0.69.5 and v0.69.6 images to DockerHub. The exposure window for the initial v0.69.4 release began on March 19 at 18:22 UTC.
This breach creates immediate and severe risk for any organization whose pipelines automatically resolve the Trivy action or Docker image by tag and therefore picked up the replaced releases. The malware, designed to steal credentials, could have exfiltrated secrets from CI/CD pipelines, cloud access keys, and internal repository tokens. The incident underscores the extreme vulnerability of open-source security infrastructure to credential compromise and the cascading damage when a tool trusted to find vulnerabilities becomes the vector for attack. It forces a critical re-evaluation of dependency pinning, with actions and images referenced by immutable commit SHAs and image digests rather than movable tags, and of immutable release practices across the software supply chain.
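The pinning practice the article calls for can be checked mechanically. The following is an added example, not part of the original report and not Aqua Security's or GitHub's tooling: it audits a GitHub Actions workflow for `uses:` references that point at a tag or branch rather than a full commit SHA, and for `docker run`/`docker pull` commands that reference an image by tag without a `@sha256:` digest. The sample workflow, the action names other than `aquasecurity/trivy-action`, and the SHA and digest values are constructed placeholders, and the regexes are this example's own heuristics.

```python
"""Audit a GitHub Actions workflow for mutable action tags and undigested images.

Added example (assumptions, not any project's tooling): the regexes below are
simple line-based heuristics, and the sample workflow, commit SHA and image
digest are constructed placeholders.
"""
import re

# A `uses:` step: "<owner>/<repo>[/<path>]@<ref>", optionally followed by a comment.
ACTION_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")

# First image argument of a `docker run`/`docker pull` in a `run:` line.
# Limitation: flags that take a separate value (e.g. "-v /a:/b") are not understood.
IMAGE_RE = re.compile(
    r"docker\s+(?:run|pull)\s+(?:--?[\w-]+(?:=\S+)?\s+)*"
    r"([\w./-]+(?::[\w.-]+)?(?:@sha256:[0-9a-f]{64})?)"
)

SHA1_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed placeholders: a 40-hex commit id and a 64-hex image digest.
PINNED_SHA = "0123456789abcdef" * 2 + "01234567"
PINNED_DIGEST = "sha256:" + "ab" * 32

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = f"""\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@{PINNED_SHA} # 0.28.0
      - name: run scanner image
        run: docker run --rm aquasec/trivy:latest image alpine:3.19
      - name: run pinned scanner image
        run: docker run --rm aquasec/trivy@{PINNED_DIGEST} image alpine:3.19
"""


def is_pinned_action_ref(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; tags and branches can be force-pushed."""
    return SHA1_RE.fullmatch(ref) is not None


def is_pinned_image_ref(image: str) -> bool:
    """An image reference is immutable only when it carries a content digest."""
    return DIGEST_RE.search(image) is not None


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per mutable action ref or undigested image, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACTION_RE.match(line)
        if m:
            name, ref = m.groups()
            if not is_pinned_action_ref(ref):
                findings.append({"line": lineno, "kind": "action", "ref": f"{name}@{ref}",
                                 "reason": "mutable tag or branch; pin to a full commit SHA"})
            continue
        for im in IMAGE_RE.finditer(line):
            image = im.group(1)
            if not is_pinned_image_ref(image):
                findings.append({"line": lineno, "kind": "image", "ref": image,
                                 "reason": "tag without digest; pin to @sha256:<digest>"})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['kind']} {f['ref']} -> {f['reason']}")
```

Run against a repository's `.github/workflows/*.yml` files, the audit reports each step that would have silently followed a force-pushed tag, while SHA-pinned steps and digest-pinned images pass. Pinning by SHA does not by itself guarantee the pinned commit is clean, so the pin should be paired with a review of what that commit contains and with an automated updater that proposes new SHAs rather than tracking tags.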