{"id":15988,"date":"2026-03-21T05:36:10","date_gmt":"2026-03-21T05:36:10","guid":{"rendered":"https:\/\/newestek.com\/?p=15988"},"modified":"2026-03-21T05:36:10","modified_gmt":"2026-03-21T05:36:10","slug":"trivy-vulnerability-scanner-backdoored-with-credential-stealer-in-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15988","title":{"rendered":"Trivy vulnerability scanner backdoored with credential stealer in supply chain attack"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Attackers have compromised the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI\/CD workflows. The breach could trigger a cascade of additional supply-chain compromises if impacted projects and organizations don\u2019t rotate their secrets immediately.<\/p>\n

The attack, disclosed by Trivy maintainers today, results from an earlier compromise announced late last month<\/a> that also leveraged insecure GitHub Actions and impacted multiple projects. Security firms Socket <\/a>and Wiz<\/a> traced the root cause to an incomplete credential rotation after the first breach, allowing the attackers to return to Trivy\u2019s environment and introduce malicious commits.<\/p>\n

\u201cIf you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,\u201d Trivy maintainer Itay Shakury wrote on GitHub<\/a>.<\/p>\n

Multiple components backdoored<\/h2>\n

Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. Developers use it to detect vulnerabilities and exposed secrets in their CI\/CD pipelines and container images.<\/p>\n

The attackers compromised three components of the Trivy project: trivy-action, the official GitHub Action for running Trivy scans in CI\/CD workflows; setup-trivy, a helper action for installing the scanner; and the Trivy binary itself. Backdoored artifacts were published to GitHub releases, Docker Hub, the GitHub Container Registry, and the Amazon Elastic Container Registry.<\/p>\n

According to Socket, 75 of 76 version tags in trivy-action were overwritten with malicious code, along with seven tags in setup-trivy. The only unaffected trivy-action tag was version 0.35.0. The compromised tags include widely used versions such as 0.34.2, 0.33.0, and 0.18.0.<\/p>\n

\u201cWhen the malicious binary is executed it starts both the legitimate trivy service and the malicious code in parallel,\u201d Wiz researchers wrote in their analysis of the attack.<\/p>\n

Attackers look for development secrets<\/h2>\n

On GitHub Actions runners, the credential stealer reads the process memory to extract secrets and searches the filesystem for SSH keys, cloud provider credentials, Kubernetes tokens, Docker registry configurations, and cryptocurrency wallets.<\/p>\n

The stolen data is encrypted and sent to a typosquatted domain that mimics Aqua Security\u2019s legitimate site. If this fails, the malware falls back to creating a public repository called \u201ctpcp-docs\u201d on the victim\u2019s own GitHub account and uploading the encrypted data there.<\/p>\n

According to Wiz, the attack also installs a persistent Python dropper on developer machines that connects to an attacker-controlled server every five minutes in search for additional payloads to execute.<\/p>\n

Stealthy tag manipulation technique bypasses detection<\/h2>\n

Instead of creating new releases, which would trigger notifications, the attackers force-pushed existing version tags to point to new malicious commits. Git tags are pointers that reference a specific commit by its fingerprint. By overwriting where those pointers lead, any workflow referencing the tag begins pulling the attacker\u2019s code.<\/p>\n

To further avoid detection, the attackers cloned the original commit metadata such as author names, email addresses, timestamps, and messages, making the malicious commits appear identical to the legitimate ones they replaced. The forgery left subtle traces such as missing cryptographic signatures and inconsistent timestamp relationships.<\/p>\n

The same tag manipulation technique was used in the compromise of the tj-actions\/changed-files GitHub Action<\/a> a year ago which affected 23,000 repositories.<\/p>\n

A lesson for victims<\/h2>\n

The initial Trivy compromise happened in late February when attackers exploited a misconfigured GitHub Actions workflow that had been present in the repository since October 2025. The workflow, triggered by external pull requests, ran with access to repository secrets, a dangerous pattern in GitHub Actions that has been documented before<\/a>.<\/p>\n

The attackers stole a personal access token (PAT) with write permissions and used it to delete releases, rename the repository, and publish a malicious Visual Studio Code extension. The Trivy maintainers rotated their credentials, but it seems the process missed some of them.<\/p>\n

This failure, especially by a company that is specialized in CI\/CD security, should serve as a warning to organizations affected by this new attack, especially because the malware is designed to steal the same type of credentials that could enable supply chain compromises in their own pipelines.<\/p>\n

A recurring pattern<\/h2>\n

The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions<\/a> and developers in general<\/a>. The tj-actions\/changed-files compromise last year used the same tag manipulation approach and was later traced to an upstream compromise of the reviewdog\/action-setup action. Other incidents in 2025 included the GhostAction campaign, which stole over 3,000 secrets from 327 GitHub users, and an attack on the nx npm package that exploited a vulnerable pull_request_target workflow.<\/p>\n

GitHub changed the default behavior of pull_request_target workflows in December 2025<\/a> to reduce the risk of exploitation, but the vulnerable workflow in the Trivy repository predated that change.<\/p>\n

Organizations using Trivy should pin GitHub Actions to the full commit SHA hashes rather than version tags to prevent tag manipulation attacks. The safe versions are Trivy v0.69.3, trivy-action tag 0.35.0, and setup-trivy 0.2.6. Security teams should also search their GitHub accounts for repositories named tpcp-docs, which would indicate successful fallback exfiltration, and block the command-and-control domain and its IP address at the network perimeter.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Attackers have compromised the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI\/CD workflows. The breach could trigger a cascade of additional supply-chain compromises if impacted projects and organizations don\u2019t rotate their secrets immediately. The attack, disclosed by Trivy maintainers today, results from an earlier compromise announced late last month that also leveraged insecure… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15988","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15988"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15988\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}