Trivy Supply Chain Attack: What Happened and What You Need to Know

Open Source Security Advisory

What Happened

On March 19, 2026, a threat actor used compromised credentials to publish malicious releases of Trivy version 0.69.4, along with trivy-action and setup-trivy. While this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply chain attack that began weeks earlier.

Attack Timeline

• Late February 2026: Attackers exploited a misconfiguration in Trivy’s GitHub Actions environment, extracting a privileged access token and establishing a foothold into repository automation and release processes.
• March 1, 2026: The Trivy team disclosed the earlier incident and executed credential rotation. Subsequent investigation revealed the rotation was not fully comprehensive, allowing the threat actor to retain residual access via still-valid credentials.
• March 19, 2026 (~17:43 UTC): The attacker force-pushed 76 of 77 version tags in the aquasecurity/trivy-action repository and all 7 tags in aquasecurity/setup-trivy, redirecting trusted references to malicious commits. Simultaneously, the compromised aqua-bot service account triggered release automation to publish a malicious Trivy binary designated v0.69.4.
• March 19, 2026 (~20:38 UTC): The Trivy team identified and contained the attack, removing malicious artifacts from distribution channels.
• March 20, 2026: Safe versions, user guidance, and indicators of compromise were published for defenders.

Rather than introducing a new, clearly malicious version, the attackers used a more sophisticated approach. By modifying existing version tags associated with trivy-action, they injected malicious code into workflows that organizations were already running. Because many CI/CD pipelines rely on version tags rather than pinned commits, these pipelines continued to execute without any indication that the underlying code had changed.

In affected environments, the payload was designed to collect sensitive information, including API tokens, cloud credentials (AWS, GCP, Azure), SSH keys, Kubernetes tokens, Docker configuration files, Git credentials, and other secrets available within CI/CD systems. Critically, the malware executed prior to legitimate Trivy scanning logic, so compromised workflows appeared to complete normally while silently exfiltrating data to attacker-controlled infrastructure via two pathways (see IOCs below).

This combination of credential compromise, abuse of trusted release channels, and silent execution within CI/CD pipelines is a clear example of a modern software supply chain attack. Rather than targeting a single organization, the attackers leveraged widely trusted tooling to reach downstream users at scale.

What Was Affected

The following open source components were affected:

• Trivy binary release: v0.69.4
• GitHub Action aquasecurity/trivy-action: 76 of 77 version tags force-pushed to malicious commits (only v0.35.0 was unaffected, protected by GitHub’s immutable releases feature)
• GitHub Action aquasecurity/setup-trivy: multiple version tags compromised

Any CI/CD workflow that referenced these actions via a mutable version tag, or that downloaded:

• trivy v0.69.4, between approximately 18:22 UTC and 21:42 UTC on March 19, 2026,
• trivy-action v0.69.4, between approximately 17:43UTC UTC on March 19, 2026 and 05:40 UTC on March 20, 2026,
• setup-trivy, between approximately 17:43 UTC and 21:44 UTC on March 19, 2026,

should be treated as potentially compromised. All secrets accessible to those runner environments must be considered exposed.

What Was Not Affected

There is no indication that Aqua Security’s commercial products were impacted by this incident, including Trivy as delivered within the Aqua Platform.

This statement does not apply to independent use of open source Trivy components outside the Aqua Platform. Users consuming open source Trivy directly, or through GitHub Actions integrations, should follow the remediation guidance below.

What Actions We Are Taking

Our corporate security and engineering teams are actively working in close coordination with the Trivy maintainers and the broader security community to investigate the incident and ensure full containment. Steps taken include:

• Artifact removal: All malicious releases, including v0.69.4 binaries across GitHub Releases, Docker Hub, GHCR, and ECR, have been deleted from all distribution channels.
• Tag restoration: All compromised version tags have been deleted or repointed to known-safe, verified commits.
• Credential revocation: A comprehensive lockdown of all automated actions, service accounts, and tokens across the Aqua Security open source organization has been executed to definitively sever the threat actor’s access.
• Access control hardening: Stricter safeguards have been implemented around automation and token usage, including tightened permissions, reduced reliance on long-lived credentials, and strengthened controls around release processes.
• Immutable release enforcement: We are implementing immutable release verification and provenance attestations for all future deployments.
• Ongoing monitoring: We continue to analyze the full scope of the incident and monitor for signs of downstream impact.

You can view the GitHub Security Advisory at https://github.com/advisories/GHSA-cxm3-wv7p-598c.

The latest information and ongoing updates can be found in the GitHub discussion: https://github.com/aquasecurity/trivy/discussions/10425

Required Actions for the Community

For users of open source Trivy, immediate action is required. The following steps should be taken by all security teams.

Step 1: Update to Known-Safe Versions

Ensure all workflows and systems are running the following verified safe versions immediately:

Step 2: Rotate All Potentially Exposed Secrets

If there is any possibility that a compromised version ran in your environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. This includes:

• Credentials for cloud providers (AWS, GCP, Azure)
• Source control and Git credentials
• Container registry credentials
• SSH keys and Kubernetes tokens
• Environment variables and other automation secrets
• NPM publish tokens: treat as actively compromised; stolen tokens are being weaponized to propagate malware across the NPM ecosystem.

Step 3: Audit Trivy Versions

Check whether your organization pulled or executed Trivy v0.69.4 from any source (GitHub Releases, container registries, artifact caches, etc.). Remove any affected artifacts immediately.

Step 4: Audit GitHub Action References

Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. If you referenced a version tag rather than a full commit SHA, check workflow run logs from March 19–20, 2026 for signs of compromise. Specifically, review:

• The Run Trivy step in trivy-action
• The Setup environment step in setup-trivy

Step 5: Search for Exfiltration Artifacts

Look for repositories named tpcp-docs in your GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Also hunt based on all IOCs provided below.

Step 6: Long-Term Hardening: Pin GitHub Actions to Full SHA Hashes

Pin GitHub Actions to full, immutable commit SHA hashes — not mutable version tags. Version tags can be moved to point at malicious commits, as demonstrated in this attack. For example:

# UNSAFE — mutable tag, can be silently redirected to malicious code
uses: aquasecurity/[email protected]
# SAFE — pinned to an immutable commit SHA
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1

Indicators of Compromise (IOCs)

Review your network firewalls, SIEM, and GitHub audit logs for the following indicators. Immediate blocking and hunting on these IOCs is strongly recommended.

A Note to the Broader Ecosystem

We would also like to recognize and thank our industry partners and the broader security community for their role in helping contain this situation. As an open source project, Trivy does not maintain a comprehensive record of its user base. While it is widely adopted across organizations of all sizes, there is no centralized way to directly notify every user. In this context, the rapid response from researchers, partners, and community members has been invaluable.

By identifying suspicious behavior, publishing analyses, and sharing guidance across channels, the community has helped ensure that critical information reached users quickly. We particularly thank the research teams at Aikido Security and CrowdStrike for their rapid technical publications, which materially accelerated response and community awareness. This collective effort has played an important role in reducing the overall impact of the incident, and we are grateful for the collaboration.

What’s Next

This remains an active investigation, and we are committed to continuing to share updates as more information becomes available. As confirmed by community researchers at Aikido Security and CrowdStrike, the threat actor has pivoted beyond the initial CI/CD compromise and is actively weaponizing stolen credentials across the broader ecosystem. Organizations should treat this as an ongoing campaign, not a contained incident.

Incidents like this underscore a broader reality in today’s threat landscape. Even widely trusted security tools can become targets. As attackers increasingly focus on software supply chains, transparency, rapid response, and community collaboration are essential to minimizing impact.

We will continue to keep the community informed as the situation evolves. All updates will be published to:
https://github.com/aquasecurity/trivy/discussions/10425

This advisory is provided for informational purposes. For the latest updates, refer to the linked GitHub discussion.